
Summary
This detection rule identifies potential credential dumping on Windows systems with the Impacket SecretDump tool, which attackers commonly abuse to obtain Active Directory credentials and thereby elevated access. The rule is written for the Zeek (formerly Bro) network monitoring framework and specifically inspects the SMB file service logs it produces. The detection criteria target file characteristics observed over SMB: paths associated with administrative shares (such as `ADMIN$`) and system folders (such as `SYSTEM32`), in particular files ending in `.tmp`, which SecretDump creates temporarily while dumping credentials. The logic is expressed as a Sigma rule tailored to network environments where SMB file transfers are being monitored. The rule serves as a proactive measure to catch unauthorized attempts to extract sensitive credential material from a network. It carries a high alert level because of its association with the Credential Access tactic in the MITRE ATT&CK framework.
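The following is an added example, not the rule itself or code from the Sigma or Zeek projects. It applies the criteria summarised above (a path containing `ADMIN$` or `SYSTEM32` together with a file name ending in `.tmp`) to Zeek `smb_files.log` records. It assumes Zeek's default tab-separated log layout with a `#fields` header, and the sample records below are constructed, not a real capture; the exact field-match expressions of the published rule are not reproduced, only the behaviour the summary describes.

```python
"""Added example: apply the summarised SecretDump detection criteria to
Zeek smb_files.log records (constructed sample, default TSV layout)."""

# Constructed sample in Zeek's TSV layout (subset of smb_files.log fields).
HEADER = "#fields\tts\tid.orig_h\tid.resp_h\taction\tpath\tname\tsize"
ROWS = [
    # Two transfers that match the page's criteria: admin share / SYSTEM32 + .tmp
    ["1584600000.10", "10.0.0.5", "10.0.0.20", "SMB::FILE_OPEN",
     r"\\dc01\ADMIN$", "deadbeef.tmp", "0"],
    ["1584600001.20", "10.0.0.5", "10.0.0.20", "SMB::FILE_OPEN",
     r"\\dc01\C$\Windows\SYSTEM32", "cafebabe.tmp", "0"],
    # Benign-looking transfers: wrong share, or wrong extension
    ["1584600002.30", "10.0.0.7", "10.0.0.20", "SMB::FILE_OPEN",
     r"\\dc01\share", "report.docx", "4096"],
    ["1584600003.40", "10.0.0.7", "10.0.0.20", "SMB::FILE_OPEN",
     r"\\dc01\ADMIN$", "setup.log", "120"],
]
SAMPLE_LOG = "\n".join([HEADER] + ["\t".join(r) for r in ROWS]) + "\n"

# Path markers taken from the rule summary; matched case-insensitively.
SENSITIVE_PATH_MARKERS = ("ADMIN$", "SYSTEM32")


def parse_zeek_tsv(text):
    """Parse a Zeek TSV log into a list of dicts keyed by the #fields header.

    Lines starting with '#' other than '#fields' (separator, types, open/close)
    are metadata and skipped.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def matches_secretdump_pattern(record):
    """True when the record's path hits an admin/system marker and the
    file name ends in .tmp, as described in the rule summary."""
    path = record.get("path", "").upper()
    name = record.get("name", "").lower()
    return any(m in path for m in SENSITIVE_PATH_MARKERS) and name.endswith(".tmp")


def find_suspicious_transfers(text):
    """Return every smb_files record in `text` that matches the criteria."""
    return [r for r in parse_zeek_tsv(text) if matches_secretdump_pattern(r)]


if __name__ == "__main__":
    for hit in find_suspicious_transfers(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['id.orig_h']} -> {hit['id.resp_h']} "
              f"{hit['path']}\\{hit['name']}")
```

Only the first two constructed records fire; the `.docx` on an ordinary share and the `.log` on `ADMIN$` do not, which illustrates why both halves of the criterion (sensitive path and `.tmp` suffix) are required to keep routine administrative SMB traffic from alerting.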
Categories
- Windows
- Network
- Infrastructure
Data Sources
- Network Traffic
- Process
Created: 2020-03-19