
Transferring Files with Credential Data via Network Shares

Sigma Rules

Summary
This rule detects the transfer of files containing sensitive credential data over network shares by looking for well-known filenames associated with credential storage, such as LSASS memory dumps and other security-related files. It relies on Windows Security Event ID 5145, which records detailed file share access. The rule fires when the RelativeTargetName field of such an event contains one of a set of paths commonly associated with credential data, including \mimidrv, \lsass, and \ntds.dit, and is intended to surface credential dumping or exploitation activity in a Windows environment. Administrators who legitimately copy such files over a share will trigger false positives, so the context of a detected transfer should be reviewed before drawing conclusions.
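The following is an added example, not the Sigma rule itself or the site's code: it applies the selection logic described above (Event ID 5145 with a RelativeTargetName containing one of the listed path fragments) to constructed sample records, using only the three patterns named on this page; the real rule may list more, and the field names other than RelativeTargetName are the standard Event 5145 fields.

```python
# Added example: evaluate this rule's core selection against parsed
# Event ID 5145 (Detailed File Share) records and return triage context.
from typing import Iterable

EVENT_ID = 5145
# Path fragments quoted on the page. Sigma 'contains' is case-insensitive,
# so both the patterns and the field value are compared in lower case.
SENSITIVE_PATH_PATTERNS = ("\\mimidrv", "\\lsass", "\\ntds.dit")


def matches_rule(event: dict) -> bool:
    """True when the record satisfies EventID 5145 AND RelativeTargetName contains a pattern."""
    if event.get("EventID") != EVENT_ID:
        return False
    target = str(event.get("RelativeTargetName", "")).lower()
    # Note: each pattern starts with a backslash, so a name at the share root
    # with no separator in front of it (e.g. "lsass.dmp") does not match.
    return any(p in target for p in SENSITIVE_PATH_PATTERNS)


def find_hits(events: Iterable[dict]) -> list:
    """Collect, for each hit, the fields an analyst needs to judge whether the
    transfer was a legitimate administrative task: who, from where, which share, which file."""
    keys = ("SubjectUserName", "IpAddress", "ShareName", "RelativeTargetName")
    return [{k: ev.get(k) for k in keys} for ev in events if matches_rule(ev)]


# Constructed sample records in the shape of Security log Event ID 5145.
SAMPLE_EVENTS = [
    {"EventID": 5145, "SubjectUserName": "svc-backup", "IpAddress": "10.0.0.25",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\Temp\\lsass.dmp"},
    {"EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.31",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "Temp\\NTDS.dit"},
    {"EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.31",
     "ShareName": "\\\\*\\Public", "RelativeTargetName": "docs\\report.docx"},
    # Same sensitive path but a different event (5140, share connect): not in scope.
    {"EventID": 5140, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.31",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "Windows\\Temp\\lsass.dmp"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(hit)
```

Reviewing the SubjectUserName, IpAddress and ShareName of each hit against known administrative accounts and hosts is how the false positives mentioned above are separated from genuine credential theft.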
Categories
  • Endpoint
  • Windows
  • Network
Data Sources
  • Network Share
  • Windows Registry
Created: 2019-10-22