
Windows Gather Victim Identity SAM Info

Splunk Security Content

Summary
This detection rule identifies Windows processes that load the `samlib.dll` or `samcli.dll` modules while running from outside the standard system directories. These DLLs implement the client side of the Security Account Manager (SAM) interface that Windows itself uses to query local users and groups; attackers and reconnaissance tooling load the same libraries to enumerate accounts and other SAM objects, a common precursor to credential theft and privilege escalation on workstations, member servers and domain controllers alike. The detection relies on Sysmon EventCode 7 (image loaded) and looks for either DLL being loaded by a process whose image does not reside under approved system directories such as `C:\Windows\` or `C:\Program Files\`. The legitimate Windows components that use these libraries run from those locations, so a load by a process in a user profile, a temporary directory, a removable drive or another unusual path warrants investigation as a possible attempt to gather account information from the host.
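The following script replays the rule's logic over a handful of constructed Sysmon EventCode 7 records so the match conditions can be checked offline. It is an added example, not the Splunk search from the page or from the Security Content project; the field names (`Image`, `ImageLoaded`, `User`) follow Sysmon's naming, the sample events are made up, and treating `C:\Program Files (x86)\` as an approved directory is an assumption the page does not state.

```python
"""Replay the SAM DLL image-load detection over constructed Sysmon Event 7 records.

Added example: the directory allow-list mirrors the rule summary; the
"Program Files (x86)" entry is an assumption, and all events are constructed.
"""
import ntpath

TARGET_DLLS = {"samlib.dll", "samcli.dll"}

# Approved parent directories for the *loading process*. The trailing
# separator matters: without it "C:\WindowsUpdate\svc.exe" would be treated
# as living inside C:\Windows\.
APPROVED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",  # assumption: 32-bit tree treated as approved too
)

# Constructed Sysmon Event ID 7 (Image loaded) records plus one Event ID 1
# (Process Create) record that must be ignored by the rule.
SAMPLE_EVENTS = [
    {"EventCode": 7, "Image": "C:\\Windows\\System32\\net1.exe",
     "ImageLoaded": "C:\\Windows\\System32\\samcli.dll", "User": "CORP\\alice"},
    {"EventCode": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "ImageLoaded": "C:\\Windows\\System32\\samlib.dll", "User": "CORP\\alice"},
    {"EventCode": 7, "Image": "C:\\PROGRAM FILES\\Vendor\\agent.exe",
     "ImageLoaded": "C:\\WINDOWS\\SYSTEM32\\SAMLIB.DLL", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventCode": 7, "Image": "C:\\WindowsUpdate\\svc.exe",  # looks like, but is not, C:\Windows\
     "ImageLoaded": "C:\\Windows\\System32\\samcli.dll", "User": "CORP\\bob"},
    {"EventCode": 7, "Image": "D:\\tools\\recon.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "User": "CORP\\bob"},
    {"EventCode": 1, "Image": "D:\\tools\\recon.exe",
     "CommandLine": "recon.exe --dump", "User": "CORP\\bob"},
]


def is_approved_location(image_path):
    """True if the loading process runs from one of the approved system directories."""
    normalized = image_path.replace("/", "\\").lower()
    return normalized.startswith(APPROVED_PREFIXES)


def is_sam_dll(loaded_path):
    """True if the loaded module's file name is samlib.dll or samcli.dll (case-insensitive)."""
    return ntpath.basename(loaded_path).lower() in TARGET_DLLS


def matches_rule(event):
    """Sysmon image load of a SAM DLL by a process outside the approved directories."""
    if event.get("EventCode") != 7:
        return False
    if not is_sam_dll(event.get("ImageLoaded", "")):
        return False
    return not is_approved_location(event.get("Image", ""))


def run_detection(events):
    """Return (Image, ImageLoaded, User) for each matching event, preserving input order."""
    return [(e["Image"], e["ImageLoaded"], e.get("User", ""))
            for e in events if matches_rule(e)]


if __name__ == "__main__":
    for image, dll, user in run_detection(SAMPLE_EVENTS):
        print(f"ALERT user={user} process={image} loaded={dll}")
```

Two records fire: the loader in the user's Temp directory and the one in `C:\WindowsUpdate\`, which only resembles an approved path. The allow-list also shows the rule's main blind spot: `C:\Windows\` contains user-writable subdirectories such as `C:\Windows\Temp` and `C:\Windows\Tasks`, so a loader dropped there is suppressed by design; tightening the prefixes or pairing this rule with process-creation telemetry closes that gap in a real deployment.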
Categories
  • Windows
  • Endpoint
Data Sources
  • Pod
  • User Account
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1589.001
  • T1589
Created: 2024-11-13