
Summary
This detection rule tracks alterations to the Access Control Lists (ACLs) of Active Directory (AD) user objects. It specifically monitors for the addition of high-level permissions that indicate potential privilege escalation or unwanted modifications. Detecting these changes matters because they can reveal malicious activity, such as an attacker granting themselves excessive access rights within an AD environment. The detection is triggered by Windows Event ID 5136, which records modifications to directory service objects; the rule parses the event's attribute values to identify the addition of problematic rights, including 'Full control', 'All extended rights', and others. When the rule fires, the modification should be investigated immediately to determine whether it was legitimate.
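The parsing step the rule performs can be illustrated on a constructed 5136 event. The example below is added here and is not the rule's own code: it filters for a "Value Added" operation on the nTSecurityDescriptor attribute of a user object, splits the SDDL DACL into ACEs, and reports the risky rights granted (GA = Full control, CR with no object GUID = All extended rights, plus WD/WO/WP). The field names and the %%14674 "Value Added" code follow the 5136 event schema as I recall it; the SIDs and DN are made up.

```python
import re

# Constructed sample shaped like a Windows Security event 5136 (not a real log).
SAMPLE_5136 = {
    "EventCode": 5136,
    "ObjectClass": "user",
    "ObjectDN": "CN=svc-backup,OU=Service,DC=corp,DC=example",
    "AttributeLDAPDisplayName": "nTSecurityDescriptor",
    "OperationType": "%%14674",  # resolves to "Value Added"; "%%14675" is "Value Deleted"
    "SubjectUserName": "jdoe",
    "AttributeValue": (
        "O:DAG:DAD:(A;;GA;;;S-1-5-21-1-2-3-1105)"          # full control
        "(A;;CR;;;S-1-5-21-1-2-3-1106)"                     # all extended rights
        "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1-2-3-1107)"  # one extended right
        "(A;;RP;;;S-1-5-21-1-2-3-1108)"                     # read properties only
    ),
}

# SDDL generic-rights tokens the rule treats as high-risk when newly granted.
RISKY_RIGHTS = {
    "GA": "Full control",
    "WD": "Modify permissions",
    "WO": "Modify owner",
    "WP": "Write all properties",
}

ACE_RE = re.compile(r"\(([^)]*)\)")


def risky_aces(event):
    """Return (trustee, right) pairs for high-risk rights added to a user object's ACL.

    Only 5136 events that add a value to nTSecurityDescriptor on a user are considered.
    """
    if (event.get("EventCode") != 5136 or event.get("ObjectClass") != "user"
            or event.get("AttributeLDAPDisplayName") != "nTSecurityDescriptor"
            or event.get("OperationType") != "%%14674"):
        return []
    findings = []
    # Each ACE is (type;flags;rights;object_guid;inherit_guid;trustee).
    for ace in ACE_RE.findall(event["AttributeValue"]):
        parts = ace.split(";")
        if len(parts) < 6 or parts[0] not in ("A", "OA"):
            continue  # only access-allowed ACEs grant rights
        rights, object_guid, trustee = parts[2], parts[3], parts[5]
        if rights.startswith("0x"):
            continue  # hex access masks are out of scope for this example
        for tok in (rights[i:i + 2] for i in range(0, len(rights), 2)):
            if tok in RISKY_RIGHTS:
                findings.append((trustee, RISKY_RIGHTS[tok]))
            elif tok == "CR" and not object_guid:  # CR without a GUID = every extended right
                findings.append((trustee, "All extended rights"))
    return findings
```

A CR ACE carrying an object GUID grants a single extended right and is deliberately not flagged, which keeps ordinary delegations out of the alert.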
Categories
- Identity Management
- Windows
- Endpoint
Data Sources
- Windows Registry
- Active Directory
ATT&CK Techniques
- T1484
- T1222
- T1222.001
Created: 2025-01-21