
Summary
This rule, authored by Elastic, identifies potential remote access attempts against the Windows registry that aim to dump credential data from the Security Account Manager (SAM) registry hive. It is written in EQL (Event Query Language) and monitors file creation events whose characteristics indicate unauthorized access to sensitive credential material. Dumping the SAM hive is a common credential-theft technique because the hive can expose locally cached credentials; attackers frequently use tools such as 'secretsdump.py' or 'CrackMapExec' for this purpose. The accompanying investigation guide is comprehensive: it calls for a review of the assets involved, the user actions observed, and the privileges associated with the account, and it stresses tuning the monitoring to minimize false positives so that security teams are alerted only to genuine threats. Post-investigation recommendations cover incident response procedures, isolation of compromised hosts, and verification that affected credentials remain safe. The rule addresses a critical detection need, particularly for credential access and lateral movement activity.
Categories
- Endpoint
- Windows
Data Sources
- File
- Logon Session
ATT&CK Techniques
- T1003
- T1003.002
- T1021
Created: 2022-03-01