
Potential SAM Database Dump

Sigma Rules

Summary
This detection rule monitors for the creation of files that mimic exports of the Windows Security Account Manager (SAM). The SAM is a database file that stores user passwords and account information. Attackers may attempt to extract this sensitive data by creating files that resemble SAM exports in various locations, especially in areas like Temp, ProgramData, and user-specific directories. The detection focuses on filenames that either end with or contain keywords associated with SAM exports, such as 'sam.sav', 'sam.export', and others. Given the critical sensitivity of the data involved, this is classified as a high severity alert. Rare legitimate administrative activity that creates similarly named files can produce false positives and reduce the rule's effectiveness. Referenced vulnerabilities and exploitation techniques highlight the relevance of this detection in identifying potential attacks against Windows environments.
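To make the matching logic concrete, the following is an added example and not the Sigma rule's own selector list: a small Python matcher that applies the "ends with" and "contains" checks described above to constructed file-creation events. Only the 'sam.sav' and 'sam.export' suffixes come from the page; the directory keywords and the 'sam.' basename form used for the contains check are assumptions for illustration.

```python
from dataclasses import dataclass

# Filename suffixes named on the page (the rule lists more, "and others").
SAM_EXPORT_SUFFIXES = ("\\sam.sav", "\\sam.export")

# Assumed for this example: a keyword match on a "sam" basename only counts
# when the file lands in one of the scratch locations the page calls out.
SENSITIVE_DIR_KEYWORDS = ("\\temp", "\\programdata", "\\users\\")


def is_potential_sam_dump(target_filename: str) -> bool:
    """Return True if a created file looks like a SAM export."""
    path = target_filename.lower().replace("/", "\\")
    if path.endswith(SAM_EXPORT_SUFFIXES):
        return True
    directory, _, name = path.rpartition("\\")
    # Keyword form assumed here: basename 'sam' or 'sam.<ext>'.
    if name != "sam" and not name.startswith("sam."):
        return False
    return any(keyword in directory for keyword in SENSITIVE_DIR_KEYWORDS)


@dataclass
class FileEvent:
    image: str            # process that created the file
    target_filename: str  # full path of the created file


def triage(events):
    """Keep only the file-creation events the matcher flags."""
    return [e for e in events if is_potential_sam_dump(e.target_filename)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    FileEvent("C:\\Windows\\System32\\reg.exe", "C:\\Windows\\Temp\\sam.sav"),
    FileEvent("C:\\Windows\\System32\\reg.exe",
              "C:\\Users\\alice\\AppData\\Local\\Temp\\sam.export"),
    # Flagged by the contains check; this is the kind of rare legitimate
    # activity the summary warns can produce a false positive.
    FileEvent("C:\\Program Files\\App\\app.exe", "C:\\ProgramData\\App\\sam.json"),
    # Not flagged: 'sam' is only a fragment of an unrelated name.
    FileEvent("C:\\Windows\\System32\\notepad.exe",
              "C:\\Users\\alice\\Documents\\samba-notes.txt"),
    # Not flagged: the live hive itself is outside the scratch locations.
    FileEvent("C:\\Windows\\System32\\svchost.exe",
              "C:\\Windows\\System32\\config\\SAM"),
]

if __name__ == "__main__":
    for event in triage(SAMPLE_EVENTS):
        print(f"ALERT {event.image} -> {event.target_filename}")
```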
Categories
  • Windows
  • Endpoint
Data Sources
  • File
Created: 2022-02-11