
DPAPI Backup Keys And Certificate Export Activity IOC

Sigma Rules

Summary
This detection rule targets potential attacks involving the export or theft of DPAPI (Data Protection API) backup keys and certificates, which are critical components for access to encrypted data on Windows systems. The rule identifies potentially malicious activity by monitoring file events for specific naming patterns and extensions associated with exported or stolen DPAPI artifacts. File names that contain the terms 'ntds_capi_', 'ntds_legacy_', or 'ntds_unknown_' and carry the extensions '.cer', '.key', '.pfx', or '.pvk' are flagged for further investigation. These patterns are produced by tools such as Mimikatz and DSInternals when they exploit DPAPI vulnerabilities, so a match indicates a potential unauthorized access or data exfiltration attempt. Given the high sensitivity of the keys and certificates involved, this rule is classified as high severity and is intended for Windows systems, where protecting these artifacts is paramount. The detection is currently in an experimental phase, meaning further validation and tuning may refine its efficacy; false positives are deemed unlikely.
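The following is an added example written for this page, not the Sigma rule's own YAML or any vendor code. It re-implements the detection logic described in the summary in Python and runs it over a handful of constructed file-event lines: a target file matches only when its path contains one of the three name markers *and* ends with one of the four extensions (combining the two conditions with AND, and mapping them to Sysmon Event ID 11 file-create events, are assumptions made here; the `Key=Value|Key=Value` line format is invented for the example). As in Sigma string matching, the comparison is case-insensitive.

```python
"""Toy re-implementation of the DPAPI backup-key export detection.

Added example: the real rule is expressed in Sigma YAML; this file only
mirrors the logic described in the summary so it can be run offline.
"""
from dataclasses import dataclass
from typing import Dict, List

# Naming patterns and extensions named in the rule summary.
NAME_MARKERS = ("ntds_capi_", "ntds_legacy_", "ntds_unknown_")
EXTENSIONS = (".cer", ".key", ".pfx", ".pvk")


@dataclass(frozen=True)
class Alert:
    line_no: int
    image: str
    target: str


def is_dpapi_backupkey_artifact(target_filename: str) -> bool:
    """True when the path carries one of the markers AND one of the extensions.

    Sigma's contains/endswith modifiers are case-insensitive, so the check is
    done on a lower-cased copy of the path.
    """
    path = target_filename.lower()
    return any(marker in path for marker in NAME_MARKERS) and path.endswith(EXTENSIONS)


def parse_event(line: str) -> Dict[str, str]:
    """Parse the constructed 'Key=Value|Key=Value' event format used below.

    This format is an assumption for the example, not a real log format.
    """
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def scan(lines: List[str]) -> List[Alert]:
    """Apply the rule to a list of event lines and return the matches."""
    alerts: List[Alert] = []
    for line_no, line in enumerate(lines, start=1):
        event = parse_event(line)
        # Assumption: file events are Sysmon Event ID 11 (FileCreate).
        if event.get("EventID") != "11":
            continue
        target = event.get("TargetFilename", "")
        if is_dpapi_backupkey_artifact(target):
            alerts.append(Alert(line_no, event.get("Image", "<unknown>"), target))
    return alerts


# Constructed sample events (paths and image names are placeholders).
SAMPLE_EVENTS = [
    "EventID=11|Image=C:\\Users\\bob\\tool.exe|TargetFilename=C:\\Users\\Public\\ntds_capi_0_a1b2c3.pfx",
    "EventID=11|Image=C:\\Users\\bob\\tool.exe|TargetFilename=C:\\Users\\Public\\ntds_capi_0_a1b2c3.pvk",
    "EventID=11|Image=C:\\Windows\\System32\\certutil.exe|TargetFilename=C:\\Temp\\export.cer",
    "EventID=11|Image=C:\\Users\\bob\\tool.exe|TargetFilename=C:\\Temp\\NTDS_LEGACY_0_ff00.KEY",
    "EventID=11|Image=C:\\Users\\bob\\tool.exe|TargetFilename=C:\\Temp\\ntds_unknown_notes.txt",
    "EventID=1|Image=C:\\Users\\bob\\tool.exe|CommandLine=tool.exe --help",
]


def main() -> None:
    for alert in scan(SAMPLE_EVENTS):
        print(f"line {alert.line_no}: {alert.image} wrote {alert.target}")


if __name__ == "__main__":
    main()
```

Of the six constructed lines, three fire: the two `ntds_capi_` exports with `.pfx`/`.pvk` extensions and the upper-cased `NTDS_LEGACY_…KEY` file. The `export.cer` line has a monitored extension but no marker, the `.txt` line has a marker but the wrong extension, and the process-create event is not a file event at all, so none of those alert; this is what keeps the rule's false-positive rate low in practice.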
Categories
  • Windows
  • Endpoint
Data Sources
  • File
Created: 2024-06-26