
Summary
This detection rule identifies suspicious activity in which a single user makes multiple file access requests over the SMB (Server Message Block) protocol in a Windows environment. SMB is commonly used for file sharing, and adversaries frequently abuse it to move laterally within a network. The rule relies on Windows Security Event ID 5145, filters for access attempts to files of certain types (excluding configuration files such as .ini or .inf), and evaluates them within a narrowly defined time window. If more than one unique file is requested by a single user in less than 20 seconds, an alert is generated. This behavior may indicate lateral movement or data exfiltration by threat actors associated with known groups such as APT29 (Cozy Bear) or Trik, and is particularly valuable when monitoring networks for ransomware operations such as those run by Conti and LockBit.
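The following is an added example, not the rule's own query or any vendor's code, that implements the logic described above in Python: it takes constructed Event ID 5145 records (field names follow the event's EventData, but the records and the user, share, file and IP values are made up for the example), drops .ini and .inf targets, and raises one alert per user whenever more than one unique file is requested within a sliding window of less than 20 seconds. The 20-second window, the "more than one unique file" threshold and the burst-merging behaviour are parameters of this example, not facts from the rule beyond what the summary states.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import os

# Extensions the rule excludes (configuration files), lower-cased for comparison.
EXCLUDED_EXT = {".ini", ".inf"}


@dataclass(frozen=True)
class ShareAccess:
    """One normalised Event ID 5145 record."""
    time: datetime
    user: str      # DOMAIN\user, built from SubjectDomainName + SubjectUserName
    ip: str        # IpAddress of the SMB client
    share: str     # ShareName, e.g. \\*\Finance
    target: str    # RelativeTargetName, the path inside the share


def parse_event(raw: dict) -> Optional[ShareAccess]:
    """Convert a raw event dict into a ShareAccess; ignore anything that is not 5145."""
    if raw.get("EventID") != 5145:
        return None
    return ShareAccess(
        time=datetime.fromisoformat(raw["TimeCreated"]),
        user=f'{raw["SubjectDomainName"]}\\{raw["SubjectUserName"]}',
        ip=raw["IpAddress"],
        share=raw["ShareName"],
        target=raw["RelativeTargetName"],
    )


def is_excluded(target: str) -> bool:
    """True for configuration-file targets the rule ignores (.ini / .inf)."""
    return os.path.splitext(target.lower())[1] in EXCLUDED_EXT


def detect(events: List[ShareAccess], window_seconds: int = 20, min_unique: int = 2) -> List[Dict]:
    """Return alerts: one per user per burst of >= min_unique unique files inside < window_seconds."""
    by_user: Dict[str, List[ShareAccess]] = defaultdict(list)
    for e in events:
        if not is_excluded(e.target):
            by_user[e.user].append(e)

    window = timedelta(seconds=window_seconds)
    alerts: List[Dict] = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.time)
        recent: deque = deque()          # events whose span is strictly less than the window
        open_alert: Optional[Dict] = None
        for e in evs:
            recent.append(e)
            while e.time - recent[0].time >= window:
                recent.popleft()
            files = {x.target for x in recent}
            if len(files) < min_unique:
                continue
            # Start a new alert only if this window does not overlap the burst already reported.
            if open_alert is None or recent[0].time > open_alert["end"]:
                open_alert = {"user": user, "start": recent[0].time, "end": e.time,
                              "files": set(files), "ips": {x.ip for x in recent}}
                alerts.append(open_alert)
            else:
                open_alert["end"] = e.time
                open_alert["files"] |= files
                open_alert["ips"] |= {x.ip for x in recent}
    return alerts


def sample_events() -> List[ShareAccess]:
    """Constructed 5145 records for the example (not real telemetry)."""
    base = {"EventID": 5145, "SubjectDomainName": "CORP", "ShareName": "\\\\*\\Finance", "IpAddress": "10.0.0.5"}
    raw = [
        {**base, "TimeCreated": "2024-02-09T10:00:00", "SubjectUserName": "alice", "RelativeTargetName": "docs\\Q1.xlsx"},
        {**base, "TimeCreated": "2024-02-09T10:00:05", "SubjectUserName": "alice", "RelativeTargetName": "docs\\Q2.xlsx"},
        {**base, "TimeCreated": "2024-02-09T10:00:12", "SubjectUserName": "alice", "RelativeTargetName": "docs\\Q1.xlsx"},
        {**base, "TimeCreated": "2024-02-09T10:05:00", "SubjectUserName": "alice", "RelativeTargetName": "docs\\Q3.xlsx"},
        {**base, "TimeCreated": "2024-02-09T10:00:00", "SubjectUserName": "bob", "RelativeTargetName": "setup.ini"},
        {**base, "TimeCreated": "2024-02-09T10:00:03", "SubjectUserName": "bob", "RelativeTargetName": "setup.inf"},
        {**base, "TimeCreated": "2024-02-09T10:00:10", "SubjectUserName": "bob", "RelativeTargetName": "report.docx"},
        {**base, "TimeCreated": "2024-02-09T10:00:00", "SubjectUserName": "carol", "RelativeTargetName": "a.txt"},
        {**base, "TimeCreated": "2024-02-09T10:00:30", "SubjectUserName": "carol", "RelativeTargetName": "b.txt"},
    ]
    return [e for e in (parse_event(r) for r in raw) if e is not None]


def run_detection() -> List[Dict]:
    """Run the rule over the constructed sample; only alice's burst should fire."""
    return detect(sample_events())


if __name__ == "__main__":
    for a in run_detection():
        print(f'{a["user"]}: {len(a["files"])} unique files in {(a["end"] - a["start"]).total_seconds():.0f}s from {sorted(a["ips"])}')
```

In the sample, bob's two excluded configuration files leave him with a single real access, carol's two files are 30 seconds apart, and alice's fourth access is alone in its window, so only alice's first three events produce an alert. Tune `window_seconds` and `min_unique` against your own baseline of normal share usage; backup agents and indexers routinely exceed this threshold and need allow-listing by account or source IP.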
Categories
- Windows
- Network
- Cloud
- On-Premise
Data Sources
- Windows Registry
- User Account
- Network Traffic
- File
ATT&CK Techniques
- T1021.002
Created: 2024-02-09