Dump Ntds.dit To Suspicious Location

Sigma Rules

Summary
This detection rule identifies potential misuse of ntdsutil, the built-in Windows tool for managing the Active Directory database (NTDS.dit). An attacker with administrative access to a domain controller can use it (typically via its IFM "create full" snapshot function) to write a consistent copy of NTDS.dit to an arbitrary folder and later extract every domain account's password hashes from it. The rule focuses on cases where that copy is written to an unusual directory, which suggests staging for exfiltration rather than a planned backup. The detection relies on the Windows Application log: when the database engine creates a new database, the ESENT provider records EventID 325 with the full path of the new file in its message text, so an IFM snapshot produces such an event containing the path of the copied ntds.dit. The rule selects ESENT EventID 325 entries whose data references "ntds.dit" and then checks whether that path lies in a known suspicious location, such as common user data directories (e.g. AppData, Desktop, Downloads). An alert fires only when both conditions are met, indicating a potentially malicious action that warrants further investigation. Because the rule depends on Application log events from the ESENT provider, it only works where those events are collected from domain controllers. False positives may arise from legitimate backup activities or the creation of shadow copies, for instance an administrator writing an IFM snapshot to their own profile folder.
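The following Python script is an added example that emulates the rule's matching logic over a handful of constructed ESENT event records; it is not the Sigma rule itself nor code from the rule's authors. The list of suspicious path fragments is an assumption drawn from the summary above (user data folders plus Temp and Users\Public); the rule source is authoritative for the exact set, and the message wording only approximates what ESENT 325 records.

```python
"""Emulation of the 'Dump Ntds.dit To Suspicious Location' detection logic.

Added example: runs the rule's three conditions (ESENT provider, EventID 325,
message mentions ntds.dit under a suspicious directory) over constructed events.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Output directories treated as suspicious for an NTDS.dit copy.
# Assumed set for this example; the rule file defines the real list.
SUSPICIOUS_PATH_FRAGMENTS = (
    "\\appdata\\",
    "\\desktop\\",
    "\\downloads\\",
    "\\documents\\",
    "\\temp\\",
    "\\users\\public\\",
)


@dataclass(frozen=True)
class EsentEvent:
    """Minimal shape of a Windows Application log record from the ESENT provider."""
    record_id: int
    provider: str
    event_id: int
    data: str  # message text, which carries the database path


def is_ntds_dump_to_suspicious_location(ev: EsentEvent) -> bool:
    """Apply the rule: ESENT 325, message references ntds.dit, path in a suspicious dir."""
    if ev.provider != "ESENT" or ev.event_id != 325:
        return False
    text = ev.data.lower()  # case-insensitive, like Sigma's 'contains' modifier
    if "ntds.dit" not in text:
        return False
    return any(fragment in text for fragment in SUSPICIOUS_PATH_FRAGMENTS)


def run_detection(events: Iterable[EsentEvent]) -> List[int]:
    """Return the record ids of events that would raise an alert."""
    return [ev.record_id for ev in events if is_ntds_dump_to_suspicious_location(ev)]


# Constructed sample events (not real captures; wording approximates ESENT messages).
SAMPLE_EVENTS = [
    # Live DC database in its normal location: not a user directory, no alert.
    EsentEvent(1, "ESENT", 325,
               r"lsass (812,D,0) NTDSA: The database engine created a new database named: C:\Windows\NTDS\ntds.dit"),
    # IFM snapshot written to a user's Desktop: both conditions hold, alert.
    EsentEvent(2, "ESENT", 325,
               r"ntdsutil.exe (4120,D,0) NTDSUTIL: The database engine created a new database named: C:\Users\jdoe\Desktop\ifm\Active Directory\ntds.dit"),
    # Different ESENT event id (database attached): outside the rule's scope.
    EsentEvent(3, "ESENT", 326,
               r"ntdsutil.exe (4120,D,0) NTDSUTIL: The database engine attached a database: C:\Users\jdoe\Desktop\ifm\Active Directory\ntds.dit"),
    # IFM written to a dedicated admin folder: typical backup staging, no alert.
    EsentEvent(4, "ESENT", 325,
               r"ntdsutil.exe (5004,D,0) NTDSUTIL: The database engine created a new database named: D:\IFM\Active Directory\ntds.dit"),
    # Unrelated ESE database created under AppData: no ntds.dit, no alert.
    EsentEvent(5, "ESENT", 325,
               r"taskhostw (3320,R,0) WebCacheLocal: The database engine created a new database named: C:\Users\jdoe\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat"),
    # Copy dropped under C:\Windows\Temp: Temp fragment matches, alert.
    EsentEvent(6, "ESENT", 325,
               r"ntdsutil.exe (7788,D,0) NTDSUTIL: The database engine created a new database named: C:\Windows\Temp\x\Active Directory\ntds.dit"),
]

if __name__ == "__main__":
    print("Alerts for records:", run_detection(SAMPLE_EVENTS))  # [2, 6]
```

Records 1 and 4 illustrate why the path check matters: EventID 325 with ntds.dit in the message is routine on a domain controller, so the path condition is what separates a staged dump from normal operation or a planned backup. Record 4 also shows the rule's blind spot: a copy written to a non-profile folder such as D:\IFM\ is not flagged, so this rule should be paired with process-creation monitoring of ntdsutil.exe rather than relied on alone.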
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Application Log
  • Process
Created: 2022-08-14