
Summary
This detection rule identifies a single account reading an unusually large number of Active Directory (AD) object attributes, behaviour that typically accompanies reconnaissance: an adversary enumerating users, groups, trusts and ACLs to find misconfigurations, paths to privilege escalation, or sensitive data such as service account descriptions. The rule is built on Windows Security event 4662 ("An operation was performed on an object"), which records access to directory objects and lists the attributes touched as schema GUIDs in its Properties field. Events whose subject is the local SYSTEM account (SID S-1-5-18) are filtered out, only events whose Access Mask includes Read Property (0x10) are kept, and the rule fires when at least 2000 properties have been read.

Event 4662 is only generated on domain controllers where the "Audit Directory Service Access" subcategory (Advanced Audit Policy Configuration, DS Access) is enabled for success, and only for objects whose System Access Control List (SACL) matches the access; the neighbouring "Audit Directory Service Changes" subcategory produces the 5136 to 5141 modification events and does not cover reads. Check the effective policy with auditpol on each domain controller before relying on this rule.

Triage should establish which account performed the reads, from which host and logon session, which object types and attributes were touched, and whether the volume fits the account's role, then correlate with other alerts for the same account or host. Expected false positives are processes that legitimately enumerate the directory in bulk: directory synchronization and identity-management connectors, backup and monitoring agents, vulnerability scanners and administrative scripts. Tune by excluding those service accounts or source hosts rather than raising the threshold for everyone. If the activity cannot be explained, isolate the source host, reset the credentials of the account involved, and review and tighten the ACLs on the objects that were read to prevent further unauthorized access.
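The filtering and counting logic described above, as an added example that is not the rule's own search or any vendor code: it parses constructed 4662 message bodies, drops SYSTEM, keeps events whose Access Mask carries the Read Property bit, and sums the attribute GUIDs read per subject SID. The message layout, the accounts, SIDs and attribute GUIDs are constructed for this example; summing property GUIDs per subject across all events is this example's reading of "at least 2000 properties", and a production search may count differently.

```python
import re
import uuid
from collections import defaultdict

READ_PROPERTY = 0x10            # ADS_RIGHT_DS_READ_PROP bit of the 4662 Access Mask
LOCAL_SYSTEM_SID = "S-1-5-18"   # SYSTEM, excluded by the rule
THRESHOLD = 2000                # number of property reads the rule alerts on

SID_RE = re.compile(r"Security ID:\s+(S-1-[\d-]+)")
USER_RE = re.compile(r"Account Name:\s+(\S+)")
MASK_RE = re.compile(r"Access Mask:\s+(0x[0-9A-Fa-f]+)")
GUID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")

# Constructed attribute GUIDs (deterministic, not real schema GUIDs).
PROPERTY_GUIDS = [f"{{{uuid.uuid5(uuid.NAMESPACE_DNS, f'attr{i}')}}}" for i in range(32)]


def parse_4662(message: str) -> dict:
    """Pull the fields the rule needs out of one 4662 message body.

    Layout assumption (constructed to resemble the Windows message text):
    a Subject block with Security ID / Account Name, an Operation block with
    Access Mask, and a Properties block listing attribute GUIDs.
    """
    props_text = message.split("Properties:", 1)[1] if "Properties:" in message else ""
    return {
        "sid": SID_RE.search(message).group(1),
        "user": USER_RE.search(message).group(1),
        "mask": int(MASK_RE.search(message).group(1), 16),
        "properties": GUID_RE.findall(props_text),
    }


def detect_bulk_property_reads(messages, threshold=THRESHOLD):
    """Return {sid: (account, property_count)} for subjects meeting the rule."""
    totals = defaultdict(int)
    users = {}
    for msg in messages:
        ev = parse_4662(msg)
        if ev["sid"] == LOCAL_SYSTEM_SID:
            continue                          # system account exclusion
        if not ev["mask"] & READ_PROPERTY:
            continue                          # keep only Read Property access
        totals[ev["sid"]] += len(ev["properties"])
        users[ev["sid"]] = ev["user"]
    return {sid: (users[sid], n) for sid, n in totals.items() if n >= threshold}


def make_4662(sid, user, mask, guids):
    """Constructed 4662 message body carrying the fields the parser reads."""
    label = "Read Property" if mask & READ_PROPERTY else "Write Property"
    props = "\n\t".join(guids)
    return (
        "An operation was performed on an object.\n"
        "Subject:\n"
        f"\tSecurity ID:\t{sid}\n"
        f"\tAccount Name:\t{user}\n"
        "Object:\n"
        "\tObject Server:\tDS\n"
        "Operation:\n"
        "\tOperation Type:\tObject Access\n"
        f"\tAccess Mask:\t{mask:#x}\n"
        f"\tProperties:\t{label}\n\t{props}\n"
    )


def build_sample_log():
    """Constructed event stream: jdoe reads 25 attributes on 100 objects (2500),
    SYSTEM reads far more (excluded), Administrator writes attributes (mask 0x20,
    excluded), and asmith reads a handful (below threshold)."""
    attrs = PROPERTY_GUIDS[:25]
    log = []
    log += [make_4662("S-1-5-21-1111-2222-3333-1105", "jdoe", 0x10, attrs) for _ in range(100)]
    log += [make_4662(LOCAL_SYSTEM_SID, "DC01$", 0x10, attrs) for _ in range(400)]
    log += [make_4662("S-1-5-21-1111-2222-3333-500", "Administrator", 0x20, attrs) for _ in range(200)]
    log += [make_4662("S-1-5-21-1111-2222-3333-1200", "asmith", 0x10, attrs[:4]) for _ in range(5)]
    return log


if __name__ == "__main__":
    for sid, (user, count) in detect_bulk_property_reads(build_sample_log()).items():
        print(f"ALERT {user} ({sid}) read {count} properties")
```

Only jdoe trips the rule: SYSTEM is excluded by SID even though it read the most, the Administrator events never carry the Read Property bit, and asmith stays far below 2000. When tuning, add the service-account SIDs of known bulk readers (sync connectors, scanners) to the exclusion alongside S-1-5-18 rather than raising the threshold.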
Categories
- Endpoint
- Windows
- Cloud
- Infrastructure
- Identity Management
Data Sources
- Active Directory
- Windows Registry
- Logon Session
- Network Traffic
- Application Log
ATT&CK Techniques
- T1069
Created: 2023-01-29