Access to a Sensitive LDAP Attribute

Elastic Detection Rules

Summary
This rule identifies access to Active Directory object attributes that can hold credentials or decryption material, specifically unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens. It matches Windows security event 4662 ("An operation was performed on an object") and keys on the schema GUIDs of those attributes in the event's Properties field, so it fires only when one of the sensitive attributes is touched rather than on any access to the object. Activity by the Local System account (S-1-5-18) is excluded, and noisy access masks such as Control Access are filtered out because they do not correspond to reading the attribute values. Event 4662 is generated only when the 'Audit Directory Service Access' subcategory is enabled for both Success and Failure; in addition, the audited objects must carry a SACL that requests auditing for the operation, so the absence of alerts does not by itself mean the attributes are not being read. The rule is useful for surfacing credential theft and privilege escalation attempts that rely on pulling secrets out of the directory over LDAP.
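The following is an added example, not Elastic's rule or code, that applies the conditions described above to a few constructed 4662 events. It assumes events have already been normalized into a dict with `event.code` and `winlog.event_data` keys (the field names Winlogbeat uses), and the attribute GUIDs in `SENSITIVE_ATTRIBUTE_GUIDS` are placeholders: the real values are each attribute's schemaIDGUID, which must be looked up in your own forest before the check is meaningful.

```python
"""Evaluate the 'sensitive LDAP attribute access' conditions against 4662 events.

Added example; not the Elastic rule itself. Field names follow the
winlog.event_data layout, and attribute GUIDs are CONSTRUCTED placeholders.
"""
import re

# Assumption: the operator fills this from the forest schema, e.g. with
# Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
#   -Filter {lDAPDisplayName -eq "unixUserPassword"} -Properties schemaIDGUID
# The GUIDs below are placeholders for the demo, not the real schema GUIDs.
SENSITIVE_ATTRIBUTE_GUIDS = {
    "unixUserPassword": "11111111-1111-1111-1111-111111111111",
    "ms-PKI-AccountCredentials": "22222222-2222-2222-2222-222222222222",
    "msPKI-CredentialRoamingTokens": "33333333-3333-3333-3333-333333333333",
}

LOCAL_SYSTEM_SID = "S-1-5-18"

# Access masks treated as noise. 0x100 is ADS_RIGHT_DS_CONTROL_ACCESS (Control
# Access), the one named on the page; also dropping 0x0 (undefined) is this
# example's choice. 0x10 (Read Property) is the mask a credential read produces.
NOISY_ACCESS_MASKS = {"0x0", "0x100"}

_GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")


def sensitive_attributes_accessed(event: dict) -> list:
    """Return the sensitive attribute names this event touches, or [] if the
    event does not satisfy the rule's conditions (wrong event id, SYSTEM
    subject, noisy access mask, or no sensitive attribute GUID in Properties)."""
    if str(event.get("event.code")) != "4662":
        return []
    data = event.get("winlog.event_data", {})
    if data.get("SubjectUserSid") == LOCAL_SYSTEM_SID:
        return []
    if str(data.get("AccessMask", "")).lower() in NOISY_ACCESS_MASKS:
        return []
    # Properties is a multi-line string of access-type tokens (%%7688 etc.)
    # followed by braced GUIDs; we only care about the GUIDs.
    guids = set(_GUID_RE.findall(str(data.get("Properties", "")).lower()))
    return [name for name, guid in SENSITIVE_ATTRIBUTE_GUIDS.items()
            if guid.lower() in guids]


def triage(events: list) -> list:
    """Run the check over a batch and return (subject, [attributes]) pairs."""
    hits = []
    for ev in events:
        attrs = sensitive_attributes_accessed(ev)
        if attrs:
            hits.append((ev["winlog.event_data"]["SubjectUserName"], attrs))
    return hits


def _ev(code, sid, user, mask, props):
    return {"event.code": code,
            "winlog.event_data": {"SubjectUserSid": sid, "SubjectUserName": user,
                                  "AccessMask": mask, "Properties": props}}


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # 1. Domain user reads unixUserPassword with Read Property -> should fire.
    _ev("4662", "S-1-5-21-1-2-3-1105", "jdoe", "0x10",
        "%%7688\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}\n"
        "\t{11111111-1111-1111-1111-111111111111}"),
    # 2. Same read performed by SYSTEM -> excluded.
    _ev("4662", "S-1-5-18", "DC01$", "0x10",
        "%%7688\n\t{11111111-1111-1111-1111-111111111111}"),
    # 3. Control Access on the roaming-token attribute -> noisy mask, excluded.
    _ev("4662", "S-1-5-21-1-2-3-1105", "jdoe", "0x100",
        "%%7688\n\t{33333333-3333-3333-3333-333333333333}"),
    # 4. Read of a non-sensitive attribute -> no GUID match.
    _ev("4662", "S-1-5-21-1-2-3-1105", "jdoe", "0x10",
        "%%7688\n\t{bf967a9c-0de6-11d0-a285-00aa003049e2}"),
    # 5. Two sensitive attributes in one operation -> both reported.
    _ev("4662", "S-1-5-21-1-2-3-500", "svc-backup", "0x10",
        "%%7688\n\t{22222222-2222-2222-2222-222222222222}\n"
        "\t{33333333-3333-3333-3333-333333333333}"),
    # 6. A file-system 4663 is not a directory-service event -> ignored.
    _ev("4663", "S-1-5-21-1-2-3-1105", "jdoe", "0x10",
        "{11111111-1111-1111-1111-111111111111}"),
]

if __name__ == "__main__":
    for subject, attrs in triage(SAMPLE_EVENTS):
        print(f"ALERT subject={subject} attributes={attrs}")
```

Only events 1 and 5 survive the filters. The mask filter is the part worth tuning in a real deployment: Control Access (0x100) shows up constantly for benign directory operations, while a credential read of these attributes arrives as Read Property (0x10), which is why the page's rule drops the former and keeps the latter.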
Categories
  • Endpoint
  • Windows
  • Identity Management
Data Sources
  • Active Directory
  • Windows Registry
  • Logon Session
ATT&CK Techniques
  • T1003
  • T1552
  • T1552.004
  • T1078
  • T1078.002
Created: 2022-11-09