
Summary
This detection rule targets suspicious PowerShell activity that accesses the Security Account Manager (SAM) hives on Windows systems. The SAM hives store local user account information and password hashes, which makes them a high-value target for attackers seeking to extract credentials. The rule identifies process-creation events whose command line contains patterns indicating an attempt to copy or access these sensitive files. It uses two selections: one that matches command-line references to SAM hive paths (such as '\HarddiskVolumeShadowCopy' and 'System32\config\sam'), and another that matches common PowerShell copy commands. The condition requires both selections to be satisfied on the same event before an alert is raised. The rule is intended to mitigate the risk of credential access attacks, specifically those using the technique catalogued in the MITRE ATT&CK framework as T1003.002 (OS Credential Dumping: Security Account Manager). Because of this focus, the rule is assigned a high alert level so that attempts to use PowerShell for unauthorized access to critical user data are surfaced early.
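The following Python is an added illustration of the two-selection AND condition described above, evaluated over a handful of constructed process-creation events; it is not the rule's own logic or the project's code. The SAM-hive path fragments come from the summary, while the set of copy commands (Copy-Item and its aliases) and the sample events, including the `<device-path>` placeholder, are assumptions made for the example.

```python
import re

# The two command-line fragments the rule description names. Sigma-style
# 'contains' matching is case-insensitive, so comparisons are lower-cased.
SAM_HIVE_FRAGMENTS = (r"\HarddiskVolumeShadowCopy", r"System32\config\sam")

# Assumption: the page only says "common PowerShell copy commands"; here that
# is the Copy-Item cmdlet plus its built-in aliases. Lookarounds stop "copy"
# from matching inside unrelated tokens such as "copyright".
COPY_COMMAND_RE = re.compile(r"(?<![\w-])(copy-item|copy|cp|cpi)(?![\w-])", re.IGNORECASE)


def selection_sam_hive(cmdline: str) -> bool:
    """Selection 1: the command line references a SAM hive path."""
    lowered = cmdline.lower()
    return any(fragment.lower() in lowered for fragment in SAM_HIVE_FRAGMENTS)


def selection_copy_command(cmdline: str) -> bool:
    """Selection 2: the command line contains a PowerShell copy command."""
    return COPY_COMMAND_RE.search(cmdline) is not None


def matches_rule(event: dict) -> bool:
    """Condition: both selections must hold on the same process-creation event."""
    cmdline = event.get("CommandLine", "")
    return selection_sam_hive(cmdline) and selection_copy_command(cmdline)


def evaluate(events) -> list:
    """Return the ids of the events that would raise the high-level alert."""
    return [event["EventId"] for event in events if matches_rule(event)]


# Constructed process-creation events for illustration only, not real telemetry.
# "<device-path>" stands in for the shadow-copy device prefix, which the rule
# description does not spell out.
SAMPLE_EVENTS = [
    # Copy command + SAM hive path via a shadow copy: alert.
    {"EventId": "evt-1",
     "CommandLine": r"powershell.exe -c Copy-Item '<device-path>\HarddiskVolumeShadowCopy1\Windows\System32\config\sam' C:\Windows\Temp\sam.bak"},
    # Ordinary file copy, no SAM reference: only selection 2 holds, no alert.
    {"EventId": "evt-2",
     "CommandLine": r"powershell.exe -c Copy-Item C:\ProgramData\app\app.log D:\backup\app.log"},
    # Existence check on the SAM path without a copy verb: only selection 1 holds, no alert.
    {"EventId": "evt-3",
     "CommandLine": r"powershell.exe -c Test-Path C:\Windows\System32\config\sam"},
    # Same pattern in upper case: case-insensitive matching still alerts.
    {"EventId": "evt-4",
     "CommandLine": r'POWERSHELL.EXE -NOP -C "COPY-ITEM ' + r"'<DEVICE-PATH>\HARDDISKVOLUMESHADOWCOPY2\WINDOWS\SYSTEM32\CONFIG\SAM' C:\T\S" + '"'},
    # The cp alias instead of the full cmdlet name: alert.
    {"EventId": "evt-5",
     "CommandLine": r'powershell.exe -c "cp ' + r"'<device-path>\HarddiskVolumeShadowCopy1\Windows\System32\config\sam' .\s" + '"'},
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["EventId"], "ALERT" if matches_rule(event) else "-")
```

Events evt-2 and evt-3 show why the AND condition matters: either selection on its own fires on routine administration (log backups, scripts that probe file paths), while the combination is much closer to the behaviour T1003.002 describes. The alias list is where tuning lives; a rule that only looks for `Copy-Item` misses the `cp` form in evt-5, and a rule that matches the bare substring `copy` without boundaries produces noise.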
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2021-07-29