
Summary
This detection rule, authored by Elastic, identifies the creation or modification of a medium-sized registry hive file on a Server Message Block (SMB) share. That activity can indicate an attacker copying a previously dumped Security Account Manager (SAM) hive off the host so that the credentials it holds can be extracted on a system they control. The rule is written in EQL (Event Query Language) and runs over Windows file events. It fires when a newly created file starts with the registry hive magic bytes ("regf"), is at least 30,000 bytes in size, is written by the System process (PID 4, the context in which files arriving over SMB are created on the server), and is attributed to a regular domain, local or Azure AD user SID rather than a built-in account. Legitimate activity, such as an administrator exporting a hive to a share for backup or migration, produces exactly the same event and should be ruled out before escalating. Investigation steps include correlating with other alerts on the same host and user, identifying the account and source system behind the write, and confirming whether the action was authorized. If the activity is judged malicious, start incident response: isolate the affected systems, treat any credentials stored in the copied hive as exposed, and run a comprehensive malware scan.
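To make the match conditions concrete, the following Python re-implements the rule's logic and runs it over a handful of constructed file events. This is an added example, not Elastic's rule or code: the "regf" magic and the 30,000-byte threshold are the conditions described above, the PID 4 and user-SID-prefix conditions are those the published rule uses, and the flattened event field names and every sample event are assumptions constructed here for illustration.

```python
"""Offline re-implementation of the match logic behind Elastic's
"Windows Registry File Creation in SMB Share" rule, evaluated over
constructed sample events (added example, not the rule's own code)."""
import binascii

REGF_MAGIC = b"regf"      # first four bytes of every Windows registry hive base block
MIN_SIZE = 30000          # rule threshold: ignores tiny or truncated hive files
SYSTEM_PID = 4            # files written over SMB are created by the System process
# Regular user SIDs: domain/local accounts (S-1-5-21-*) and Azure AD accounts (S-1-12-1-*).
# Built-in accounts such as SYSTEM (S-1-5-18) deliberately do not match.
USER_SID_PREFIXES = ("S-1-5-21-", "S-1-12-1-")


def header_bytes_hex(data: bytes, n: int = 4) -> str:
    """Hex-encode the first n bytes of a file, which is how the rule sees the header."""
    return binascii.hexlify(data[:n]).decode()


def is_registry_hive(header_hex: str) -> bool:
    """"72656766" is the hex encoding of b"regf"."""
    return header_hex.lower().startswith(binascii.hexlify(REGF_MAGIC).decode())


def matches_rule(evt: dict) -> bool:
    """All conditions must hold: Windows file creation, hive magic, size, PID 4, user SID."""
    return (
        evt.get("host.os.type") == "windows"
        and evt.get("event.type") == "creation"
        and is_registry_hive(evt.get("file.header_bytes", ""))
        and evt.get("file.size", 0) >= MIN_SIZE
        and evt.get("process.pid") == SYSTEM_PID
        and evt.get("user.id", "").startswith(USER_SID_PREFIXES)
    )


def build_hive_blob(size: int) -> bytes:
    """Constructed stand-in for a hive: real 'regf' magic followed by zero padding."""
    return REGF_MAGIC + b"\x00" * (size - len(REGF_MAGIC))


def make_event(name, size, pid, sid, header=None, event_type="creation"):
    """Build one flattened file event (constructed sample data, hypothetical field layout)."""
    blob = build_hive_blob(size) if header is None else header + b"\x00" * size
    return {
        "name": name, "host.os.type": "windows", "event.type": event_type,
        "file.size": size, "file.header_bytes": header_bytes_hex(blob),
        "process.pid": pid, "user.id": sid,
    }


DOMAIN_USER = "S-1-5-21-1111111111-2222222222-3333333333-1105"
AAD_USER = "S-1-12-1-1234567890-1234567890-1234567890-1234567890"

SAMPLE_EVENTS = [
    # Dumped SAM copied to a share by a domain user: the case the rule is written for.
    make_event("sam_copied_to_share", 49152, SYSTEM_PID, DOMAIN_USER),
    # Same thing from an Azure AD joined client: also matches.
    make_event("sam_copied_by_aad_user", 65536, SYSTEM_PID, AAD_USER),
    # Admin runs `reg save` to a share for a backup: identical event, expected false positive.
    make_event("admin_backup_to_share", 262144, SYSTEM_PID, DOMAIN_USER),
    # Hive written locally by reg.exe (not via the SMB server): PID is not 4.
    make_event("local_reg_save", 49152, 5124, DOMAIN_USER),
    # A 4 KB "regf" file: below the size threshold, not worth alerting on.
    make_event("tiny_hive_stub", 4096, SYSTEM_PID, DOMAIN_USER),
    # Written in the SYSTEM account context: built-in SID, no match.
    make_event("system_account_write", 49152, SYSTEM_PID, "S-1-5-18"),
    # Large file with a PE header instead of a hive header: no match.
    make_event("pe_file_on_share", 49152, SYSTEM_PID, DOMAIN_USER, header=b"MZ\x90\x00"),
]


def evaluate(events):
    """Return {event name: matched?} so results can be inspected or asserted on."""
    return {e["name"]: matches_rule(e) for e in events}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{'ALERT' if hit else '  ok '}  {name}")
```

The third sample event is the point of the false-positive note in the summary: an administrator's export to a share is indistinguishable from an attacker's copy at the event level, so triage has to fall back on who the SID belongs to, where the write came from, and whether the export was scheduled or ticketed.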
Categories
- Windows
- Endpoint
- On-Premise
Data Sources
- Windows Registry
- Network Share
- File
ATT&CK Techniques
- T1003 (OS Credential Dumping)
- T1003.002 (OS Credential Dumping: Security Account Manager)
- T1021 (Remote Services)
- T1021.002 (Remote Services: SMB/Windows Admin Shares)
Created: 2022-02-16