Critical Hive In Suspicious Location Access Bits Cleared

Sigma Rules

Summary
This detection rule targets events emitted by the Windows kernel that indicate potential unauthorized access to, or manipulation of, sensitive registry hives. It focuses on Kernel-General ETW (Event Tracing for Windows) logs in which an application accesses a registry hive located in a temporary directory, specifically a hive named like the SAM (Security Account Manager) or SECURITY hive. The detection fires when the access bits of such a hive are reset. The kernel does this when an application opens a hive that has not been recognized within the last 7 days (the default), so the event signals that a copy of a credential-bearing hive has appeared in an unexpected location and is being read. Registry hive dumping utilities such as QuarksPwDump exhibit exactly this behaviour. The rule therefore supports detection of credential access attacks, a common tactic of adversaries seeking to extract user credentials or system information for further exploitation.
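The matching logic described above, as an added example that is not the Sigma rule itself or any code from the SigmaHQ project: it evaluates constructed Kernel-General events and flags those where the access bits of a SAM or SECURITY hive sitting in a temporary directory were cleared. The event-record fields, the temporary-directory path fragments and the sample events are constructed for this example; the assumption that the "access history cleared" notification is Kernel-General Event ID 16 is labelled in the code.

```python
"""Added example: a minimal matcher for the 'critical hive in suspicious
location' detection. It mirrors the rule's three conditions: Kernel-General
provider, access-bits-cleared event, and a SAM/SECURITY hive in a temp path."""
from dataclasses import dataclass
from typing import Iterable, List

KERNEL_GENERAL_PROVIDER = "Microsoft-Windows-Kernel-General"
# Assumption: the "access history in hive ... was cleared" notification is
# Kernel-General Event ID 16.
ACCESS_BITS_CLEARED_EVENT_ID = 16
# Hives whose presence outside the system config directory is suspicious.
CRITICAL_HIVES = ("sam", "security")
# Path fragments treated as temporary locations (constructed for this example).
TEMP_DIR_FRAGMENTS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


@dataclass(frozen=True)
class HiveEvent:
    """Constructed event record; field names are this example's, not ETW's."""
    provider: str
    event_id: int
    hive_name: str  # NT-style path as the kernel reports it, e.g. \??\C:\...\SAM


def is_critical_hive_in_temp(hive_name: str) -> bool:
    """True if the hive lives in a temp directory and its file name starts with
    SAM or SECURITY. A prefix match (like Sigma's `contains`) also catches
    dumped copies saved with a suffix, such as SAM-12345."""
    path = hive_name.lower()
    if not any(fragment in path for fragment in TEMP_DIR_FRAGMENTS):
        return False
    base_name = path.rsplit("\\", 1)[-1]
    return base_name.startswith(CRITICAL_HIVES)


def matches_rule(event: HiveEvent) -> bool:
    """All three conditions of the rule must hold for an alert."""
    return (
        event.provider == KERNEL_GENERAL_PROVIDER
        and event.event_id == ACCESS_BITS_CLEARED_EVENT_ID
        and is_critical_hive_in_temp(event.hive_name)
    )


def scan(events: Iterable[HiveEvent]) -> List[HiveEvent]:
    """Return the events that should raise an alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Normal: the live SAM hive in its system location is not suspicious.
    HiveEvent(KERNEL_GENERAL_PROVIDER, 16, r"\SystemRoot\System32\Config\SAM"),
    # Suspicious: a SAM copy with a suffix in the user's temp directory.
    HiveEvent(KERNEL_GENERAL_PROVIDER, 16,
              r"\??\C:\Users\alice\AppData\Local\Temp\SAM-12345"),
    # Suspicious: SECURITY hive copied to the system temp directory.
    HiveEvent(KERNEL_GENERAL_PROVIDER, 16, r"\??\C:\Windows\Temp\SECURITY"),
    # Benign: a non-critical hive in temp does not match.
    HiveEvent(KERNEL_GENERAL_PROVIDER, 16,
              r"\??\C:\Users\alice\AppData\Local\Temp\UsrClass.dat"),
    # Wrong provider: same path, but not a Kernel-General event.
    HiveEvent("Microsoft-Windows-Security-Auditing", 16,
              r"\??\C:\Users\alice\AppData\Local\Temp\SAM"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT: access bits cleared on critical hive {hit.hive_name}")
```

Running the block prints alerts for the second and third sample events only; the SAM hive in its normal location, the UsrClass.dat hive and the event from another provider are left alone, which is the behaviour the summary describes.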
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
Created: 2017-05-15