
Summary
This detection rule identifies suspicious usage of the Active Directory diagnostic tool ntdsutil.exe via process creation logs. It flags executions of ntdsutil.exe whose command line targets the Active Directory database rather than routine maintenance: creating and mounting snapshots, which expose a consistent copy of the ntds.dit database file that can then be copied off the domain controller, and activating the NTDS instance, which is the first step of both the snapshot and the 'ifm create full' workflows used to dump the database. The detection logic looks for the command line arguments typical of these scenarios. Command lines containing both 'snapshot' and 'mount' are monitored, as are command lines containing 'ac', 'i', and 'ntds', the abbreviated form of 'activate instance ntds' (ntdsutil accepts unambiguous prefixes of its commands, so the full words need not appear). The rule ties these arguments to the binary itself by inspecting the image path and the PE original file name, so renaming ntdsutil.exe does not evade it as long as the original file name is logged. Although ntdsutil.exe is used for legitimate administrative tasks such as creating Install From Media sets for new domain controllers, the rule acknowledges its misuse for credential access by dumping the NTDS database, as described in MITRE ATT&CK T1003.003. It raises on process creation events and accepts that legitimate administrative activity may produce false positives.
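The following is an added example, not the rule's own text, that reconstructs the detection logic described above as Python and runs it over constructed Sysmon-style process creation events. The field names (Image, OriginalFileName, CommandLine) follow the usual Sigma process_creation log source; the exact match strings, in particular whether the upstream rule pads 'i' and 'ntds' with spaces, are assumed from the summary rather than copied from the rule, and the sample events and GUID are made up.

```python
"""Reconstruction of the ntdsutil.exe detection logic (added example, not the
original rule). Match strings are assumed from the summary; sample events are
constructed, not real telemetry."""

NTDSUTIL_IMAGE_SUFFIX = "\\ntdsutil.exe"
NTDSUTIL_ORIGINAL_NAME = "ntdsutil.exe"

# Either command-line selection is enough once the image selection matches.
#  - 'snapshot' + 'mount': a mounted snapshot exposes ntds.dit for copying.
#  - 'ac' + 'i' + 'ntds': ntdsutil accepts command prefixes, so 'ac i ntds'
#    is 'activate instance ntds', the first step of the snapshot and IFM flows.
SNAPSHOT_TERMS = ("snapshot", "mount")
ACTIVATE_TERMS = ("ac", "i", "ntds")


def image_matches(event):
    """Image path ends in \\ntdsutil.exe, or the PE original file name is
    ntdsutil.exe (catches a renamed copy). Sigma string matching is
    case-insensitive by default, so everything is lower-cased."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(NTDSUTIL_IMAGE_SUFFIX) or original == NTDSUTIL_ORIGINAL_NAME


def contains_all(command_line, terms):
    """Sigma 'contains|all' semantics: every term is a case-insensitive substring."""
    lowered = command_line.lower()
    return all(term in lowered for term in terms)


def is_suspicious_ntdsutil(event):
    """Return the name of the selection that fired, or None if the rule is quiet.

    Caveat for tuning: the bare substrings 'i' and 'ntds' are satisfied by almost
    any ntdsutil command line that echoes the binary name, so in practice the
    second selection hinges on 'ac' plus the image selection. Tighten the tokens
    (e.g. require surrounding spaces or quotes) if the SIEM supports it.
    """
    if not image_matches(event):
        return None
    command_line = event.get("CommandLine", "")
    if contains_all(command_line, SNAPSHOT_TERMS):
        return "snapshot_mount"
    if contains_all(command_line, ACTIVATE_TERMS):
        return "activate_instance"
    return None


def scan(events):
    """Run the rule over a batch of events; return (index, selection) for hits."""
    hits = []
    for index, event in enumerate(events):
        selection = is_suspicious_ntdsutil(event)
        if selection is not None:
            hits.append((index, selection))
    return hits


# Constructed sample events in Sysmon Event ID 1 style; the paths, GUID and
# command lines are invented for the example.
SAMPLE_EVENTS = [
    {   # 0: classic IFM dump of ntds.dit (T1003.003)
        "Image": "C:\\Windows\\System32\\ntdsutil.exe",
        "OriginalFileName": "ntdsutil.exe",
        "CommandLine": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\dump" q q',
    },
    {   # 1: mounting a previously created snapshot by its GUID
        "Image": "C:\\Windows\\System32\\ntdsutil.exe",
        "OriginalFileName": "ntdsutil.exe",
        "CommandLine": "ntdsutil snapshot mount {00000000-0000-0000-0000-000000000001} q q",
    },
    {   # 2: renamed binary; only the OriginalFileName gives it away
        "Image": "C:\\Users\\Public\\nt.exe",
        "OriginalFileName": "ntdsutil.exe",
        "CommandLine": 'nt.exe "ac i ntds" ifm "create full C:\\Users\\Public\\x" q q',
    },
    {   # 3: unrelated process mentioning the NTDS folder; image selection fails
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": 'powershell -c "Get-ChildItem C:\\Windows\\NTDS"',
    },
    {   # 4: benign ntdsutil query; 'ntds' and 'i' are present but 'ac' is not
        "Image": "C:\\Windows\\System32\\ntdsutil.exe",
        "OriginalFileName": "ntdsutil.exe",
        "CommandLine": "ntdsutil.exe files info q q",
    },
]


if __name__ == "__main__":
    for index, selection in scan(SAMPLE_EVENTS):
        print(f"event {index}: {selection} <- {SAMPLE_EVENTS[index]['CommandLine']}")
```

Events 0, 1 and 2 fire (the renamed copy in event 2 only because OriginalFileName is inspected), while events 3 and 4 stay quiet. Event 4 is the one to keep in mind when tuning: it shows how little separates an 'ac' prefix from a benign `files info` invocation once the binary name already satisfies 'ntds'.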
Categories
- Windows
- Endpoint
- Identity Management
Data Sources
- Process
Created: 2022-09-14