
Summary
This detection rule identifies use of the Windows backup utility `wbadmin.exe` to recover sensitive files from backup sources. Specifically, it looks for attempts to restore files commonly targeted in credential-access attacks, such as `NTDS.DIT`, which holds the Active Directory database, and the `SECURITY` registry hive, which holds credential material. The rule works by monitoring process-creation events for `wbadmin.exe` whose command line signals a file-level recovery: arguments containing 'recovery' or 'recoveryTarget', or specifying a file item type. It additionally checks the command line for file names matching those typically sought in credential-access scenarios. Such activity is indicative of attackers abusing native Windows tooling and backup mechanisms to obtain sensitive data. The rule is rated high risk, so matches should be monitored closely to catch potential credential harvesting.
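As an added illustration, not part of the rule itself, the following Python sketch applies the logic described above to constructed process-creation events. The `Image` and `CommandLine` field names, the parsing of `-items:`, and the sample command lines are assumptions made for this example.

```python
import ntpath
import re

# File names the rule description calls out as credential-access targets.
SENSITIVE_BASENAMES = {"ntds.dit", "security"}
# Command-line tokens the description says signal a file-level recovery.
RECOVERY_TOKENS = ("recovery", "recoverytarget", "itemtype:file")
# Assumption: -items: takes a comma-separated list, optionally quoted.
_ITEMS_RE = re.compile(r'-items:("[^"]*"|\S+)', re.IGNORECASE)

def is_wbadmin(image: str) -> bool:
    """True when the process image is wbadmin.exe, regardless of its directory."""
    return ntpath.basename(image).lower() == "wbadmin.exe"

def recovery_items(cmdline: str) -> list[str]:
    """Lower-cased basenames of every path passed via -items:, or [] if none."""
    m = _ITEMS_RE.search(cmdline)
    if not m:
        return []
    raw = m.group(1).strip('"')
    return [ntpath.basename(p.strip()).lower() for p in raw.split(",") if p.strip()]

def matches_rule(event: dict) -> bool:
    """wbadmin.exe + a recovery token + a sensitive file named in -items:."""
    if not is_wbadmin(event.get("Image", "")):
        return False
    lowered = event.get("CommandLine", "").lower()
    if not any(tok in lowered for tok in RECOVERY_TOKENS):
        return False
    # Compare basenames, not raw substrings, so C:\Security\report.docx does not alert.
    return any(name in SENSITIVE_BASENAMES for name in recovery_items(lowered))

def run_detection(events: list[dict]) -> list[str]:
    """Return the command lines of all events that match the rule."""
    return [e["CommandLine"] for e in events if matches_rule(e)]

# Constructed sample process-creation events (field names are assumptions).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": r"wbadmin start recovery -itemType:File -items:C:\Windows\NTDS\ntds.dit -recoveryTarget:C:\tmp"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": r'wbadmin start recovery -itemType:File -items:"C:\Windows\System32\config\SECURITY" -recoveryTarget:C:\tmp'},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": r"wbadmin start recovery -itemType:File -items:C:\Security\report.docx -recoveryTarget:C:\tmp"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin get versions"},
]

if __name__ == "__main__":
    print(run_detection(SAMPLE_EVENTS))
```

Only the first two sample events alert; the third shows why matching on the recovered item's basename rather than a bare 'security' substring matters for false positives.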
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
Created: 2024-05-10