HackTool - Typical HiveNightmare SAM File Export

Sigma Rules

Summary
This detection rule identifies instances of files created by various tools that exploit the HiveNightmare vulnerability (CVE-2021-36934) on Windows systems. HiveNightmare is a security vulnerability that allows attackers to access sensitive information, including account passwords stored in the Security Account Manager (SAM) file. The rule looks for specific target filenames associated with SAM file exports, including patterns like \hive_sam_, \SAM-2021-, \SAM-2022-, \SAM-2023-, \SAM-haxx, and \Sam.save, as well as the file located at C:\windows\temp\sam. If any of these filenames are detected during file events, the rule triggers an alert. It is important to note that this rule may generate false positives for legitimate files that accidentally match these patterns.
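As an added illustration (not the rule's own code or anything from this page's author), the selection logic described above expressed in Python and run over constructed file-creation events; the FileEvent field names and the sample paths are assumptions, and the last sample shows the kind of accidental match the false-positive note refers to:

```python
from dataclasses import dataclass
from typing import List

# Substrings named in the rule summary: a TargetFilename containing any of them matches.
# Sigma string matching is case-insensitive, so comparisons below use lower case.
CONTAINS_PATTERNS = [
    r"\hive_sam_",
    r"\SAM-2021-",
    r"\SAM-2022-",
    r"\SAM-2023-",
    r"\SAM-haxx",
    r"\Sam.save",
]
# The one full path the summary names; matched as a whole, case-insensitively.
EXACT_PATHS = [r"C:\windows\temp\sam"]


@dataclass
class FileEvent:
    """Minimal file-creation event (Sysmon EventID 11 style). Field names are assumed."""
    image: str
    target_filename: str


def is_hivenightmare_sam_export(event: FileEvent) -> bool:
    """Return True when the event's TargetFilename satisfies the rule's selection."""
    name = event.target_filename.lower()
    if any(p.lower() in name for p in CONTAINS_PATTERNS):
        return True
    return any(name == p.lower() for p in EXACT_PATHS)


def scan(events: List[FileEvent]) -> List[FileEvent]:
    """Return the events that would raise this rule's alert."""
    return [e for e in events if is_hivenightmare_sam_export(e)]


# Constructed sample events for demonstration only (not real telemetry).
SAMPLE_EVENTS = [
    FileEvent(r"C:\Users\alice\Downloads\tool.exe", r"C:\Users\alice\Desktop\SAM-2022-07-21.bak"),
    FileEvent(r"C:\Windows\System32\cmd.exe", r"C:\windows\temp\sam"),
    FileEvent(r"C:\Program Files\Backup\backup.exe", r"D:\backups\hive_sam_export.dat"),
    FileEvent(r"C:\Windows\explorer.exe", r"C:\Users\bob\Documents\samples.txt"),
    FileEvent(r"C:\Windows\explorer.exe", r"C:\Users\bob\Documents\Sam.Saved.docx"),  # benign, still matches
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT: {hit.image} wrote {hit.target_filename}")
```

The fourth sample (`samples.txt`) does not match, while the fifth does because `\Sam.save` is a substring of `\Sam.Saved.docx`, which is why the summary warns about legitimate files that accidentally match.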
Categories
  • Windows
  • Endpoint
Data Sources
  • File
Created: 2021-07-23