ADSI-Cache File Creation By Uncommon Tool

Sigma Rules

Summary
This detection rule identifies the creation of an Active Directory Schema Cache file (with a .sch extension) by an uncommon tool. Such files are typically generated during ADSI (Active Directory Service Interfaces) operations, which are used both for legitimate management tasks and for malicious activity, in particular attacks that leverage LDAP (Lightweight Directory Access Protocol) for command-and-control communication. The rule uses Windows file event logs and selects target filenames that contain the path known for these cache files. It then applies several filters to exclude known legitimate applications (primarily enterprise management tools such as Cylance and Citrix, and various Microsoft Office components), which reduces false positives. The detection condition therefore fires only when one of these files is created by an uncommon tool or process rather than by a standard Microsoft or management application, which may indicate malicious intent. The rule references several resources for further reading on the misuse of LDAP and on credential theft techniques that may correspond to the activity it captures.
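The selection-and-filter logic described above, reimplemented as an added Python example over constructed Sysmon-style file-creation events (this is not the Sigma rule's own source; the SchCache path fragment and the allow-listed image prefixes are assumptions chosen to illustrate the rule's filters):

```python
"""Toy implementation of the ADSI cache file-creation detection.

Constructed example: event records and allow-list prefixes are assumptions
for illustration, not the rule's actual field values.
"""
from dataclasses import dataclass

# Assumed location of ADSI schema cache files (under %LOCALAPPDATA%).
SCHCACHE_PATH_FRAGMENT = "\\microsoft\\windows\\schcache\\"
SCHCACHE_EXTENSION = ".sch"

# Assumed allow-list of legitimate creators, mirroring the summary's filters.
ALLOWED_IMAGE_PREFIXES = (
    "c:\\program files\\cylance\\",
    "c:\\program files\\citrix\\",
    "c:\\program files\\microsoft office\\",
)


@dataclass
class FileEvent:
    image: str            # creating process, e.g. Sysmon Event ID 11 "Image"
    target_filename: str  # created file, e.g. Sysmon "TargetFilename"


def is_schcache_file(path: str) -> bool:
    """Selection: path contains the cache directory and ends with .sch."""
    p = path.lower()
    return SCHCACHE_PATH_FRAGMENT in p and p.endswith(SCHCACHE_EXTENSION)


def is_allowed_image(image: str) -> bool:
    """Filter: creator is one of the known legitimate applications."""
    return image.lower().startswith(ALLOWED_IMAGE_PREFIXES)


def matches(event: FileEvent) -> bool:
    """Condition: selection and not filter."""
    return is_schcache_file(event.target_filename) and not is_allowed_image(event.image)


def alerts(events: list[FileEvent]) -> list[str]:
    """Return the images of all events that trigger the rule."""
    return [e.image for e in events if matches(e)]


# Constructed sample events: one allow-listed creator, one unrelated .sch file,
# and two uncommon creators writing into the SchCache directory.
CACHE = "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\SchCache\\corp.example.sch"
SAMPLE_EVENTS = [
    FileEvent("C:\\Program Files\\Cylance\\Desktop\\CylanceSvc.exe", CACHE),
    FileEvent("C:\\Windows\\System32\\notepad.exe", "C:\\Users\\alice\\Documents\\notes.sch"),
    FileEvent("C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", CACHE),
    FileEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", CACHE),
]

if __name__ == "__main__":
    for image in alerts(SAMPLE_EVENTS):
        print("ALERT: ADSI cache file created by uncommon tool:", image)
```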
Categories
  • Windows
  • Network
  • Endpoint
Data Sources
  • File
Created: 2019-03-24