
Access To Potentially Sensitive Sysvol Files By Uncommon Applications

Sigma Rules

Summary
This detection rule identifies access to sensitive files in the Windows Sysvol share when the access is initiated by uncommon applications. It inspects file access events whose target filename indicates a location under the Sysvol directory and matches specific critical filenames such as 'audit.csv', 'Registry.pol', and others related to Group Policy Objects (GPOs). To minimize false positives, the detection logic excludes known legitimate access by mainstream applications such as Windows Explorer and filters out paths commonly used by trusted sources. By monitoring these file access patterns, the rule helps surface credential theft attempts in which potentially malicious software reads sensitive GPO files.
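One way to express the logic the summary describes, as an added Python example (not the rule's own Sigma YAML): the filename list is limited to the two names the page gives, and the process images and paths in the sample events are constructed.

```python
"""Reference implementation of the detection logic summarised above (added example)."""
import re
from dataclasses import dataclass

# Filenames the summary names explicitly. The rule itself covers further GPO files
# ("and others"), which the page does not list, so this set is deliberately limited.
SENSITIVE_SYSVOL_FILES = {"audit.csv", "registry.pol"}

# Process images treated as known-good readers of these files; the page names
# Windows Explorer, so that is the only entry here.
KNOWN_GOOD_IMAGES = {r"c:\windows\explorer.exe"}


@dataclass
class FileAccessEvent:
    image: str            # process that opened the file
    target_filename: str  # full path of the file that was opened


def _is_sysvol_path(path: str) -> bool:
    # Matches both the UNC share (\\dc\SYSVOL\...) and the local replica (C:\Windows\SYSVOL\...).
    return re.search(r"\\sysvol\\", path, re.IGNORECASE) is not None


def is_suspicious(event: FileAccessEvent) -> bool:
    """True when an uncommon application reads a sensitive file under Sysvol."""
    path = event.target_filename.lower()
    if not _is_sysvol_path(path):
        return False
    if path.rsplit("\\", 1)[-1] not in SENSITIVE_SYSVOL_FILES:
        return False
    return event.image.lower() not in KNOWN_GOOD_IMAGES


def evaluate(events):
    """Return the subset of events the rule would alert on."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events; the GPO GUID is the well-known Default Domain Policy identifier.
_GPO = r"\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine"
SAMPLE_EVENTS = [
    FileAccessEvent(r"C:\Windows\explorer.exe", r"\\dc01\SYSVOL\corp.local" + _GPO + r"\Registry.pol"),
    FileAccessEvent(r"C:\Temp\unknown_tool.exe", r"\\dc01\SYSVOL\corp.local" + _GPO + r"\Registry.pol"),
    FileAccessEvent(r"C:\Temp\unknown_tool.exe",
                    r"C:\Windows\SYSVOL\domain" + _GPO + r"\Microsoft\Windows NT\Audit\audit.csv"),
    FileAccessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Users\bob\Documents\Registry.pol"),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT: {hit.image} read {hit.target_filename}")
```

Only the two reads by the constructed `unknown_tool.exe` are flagged; Explorer is excluded by image, and the document-folder copy of Registry.pol is not under Sysvol.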
Categories
  • Windows
  • Endpoint
Data Sources
  • File
  • Network Share
Created: 2023-12-21