Suspicious Get-ADDBAccount Usage

Sigma Rules

Summary
This rule flags suspicious invocation of Get-ADDBAccount, a cmdlet from the DSInternals PowerShell module that parses an offline copy of the Active Directory database file, ntds.dit. That file holds the NT password hashes of every domain account (encrypted with a key that is itself protected by the boot key from the SYSTEM hive), and Get-ADDBAccount, given the database path and the boot key, decrypts and extracts them. Because it operates on a copied file, an attacker who has obtained ntds.dit (for example from a volume shadow copy) can recover domain credentials without running a conventional credential dumper such as Mimikatz on the domain controller, sidestepping the detections built around those tools. The rule matches PowerShell script block log entries whose script text contains Get-ADDBAccount together with a reference to an ntds.dit file. Script block logging must be enabled for the rule to fire, and the match is a plain keyword match that an obfuscated or concatenated command name will evade. Administrators do use DSInternals legitimately, for instance to audit password quality, so hits warrant review rather than automatic blocking, but any unexpected use should be treated as a likely credential-access attempt.
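To make the matching logic concrete, here is an added Python example (not part of the Sigma rule, the Sigma project, or DSInternals) that applies a keyword selection to constructed PowerShell script block events. The keyword set (Get-ADDBAccount plus a reference to an ntds.dit file), the event shape and the sample script text are assumptions made for the example; the fourth constructed event shows how a concatenated command name slips past a plain substring match.

```python
"""Keyword-based detection of Get-ADDBAccount reading an ntds.dit file.

Added example modelled on the rule described above. The required keywords,
the event layout and the sample script blocks are assumptions, not the
rule's published selection or real log data.
"""
from dataclasses import dataclass

# Assumed selection: every keyword must appear in the script block,
# case-insensitively, mirroring a Sigma `contains|all` on ScriptBlockText.
REQUIRED_KEYWORDS = ("get-addbaccount", "ntds", ".dit")

# Event ID of the Windows PowerShell script block logging event.
SCRIPT_BLOCK_EVENT_ID = 4104


@dataclass
class ScriptBlockEvent:
    """Minimal stand-in for a PowerShell 4104 script block log event."""
    event_id: int
    host: str
    script_block_text: str


def is_suspicious_get_addbaccount(event: ScriptBlockEvent) -> bool:
    """Return True when the event is a script block containing all keywords."""
    if event.event_id != SCRIPT_BLOCK_EVENT_ID:
        return False
    text = event.script_block_text.lower()
    return all(keyword in text for keyword in REQUIRED_KEYWORDS)


def scan(events):
    """Return the events the selection matches, preserving input order."""
    return [e for e in events if is_suspicious_get_addbaccount(e)]


# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS = [
    # Offline extraction of all accounts from a copied database: should match.
    ScriptBlockEvent(4104, "WS01",
                     "Get-ADDBAccount -All -DatabasePath 'C:\\Temp\\ntds.dit' -BootKey $bootKey"),
    # Ordinary AD query: should not match.
    ScriptBlockEvent(4104, "DC01",
                     "Get-ADUser -Filter * -Properties LastLogonDate"),
    # Single-account extraction, different casing in the path: should match.
    ScriptBlockEvent(4104, "WS02",
                     "Import-Module DSInternals; Get-ADDBAccount -SamAccountName Administrator "
                     "-DatabasePath .\\NTDS.DIT -BootKey $bootKey"),
    # Concatenated cmdlet name: the substring 'get-addbaccount' never appears,
    # so a plain keyword selection misses it (the evasion caveat in the text).
    ScriptBlockEvent(4104, "WS03",
                     "$c = 'Get-ADDB' + 'Account'; & $c -All -DatabasePath 'C:\\x\\ntds.dit'"),
    # Same command text but not a script block event: ignored by the rule.
    ScriptBlockEvent(4103, "WS01",
                     "Get-ADDBAccount -All -DatabasePath 'C:\\Temp\\ntds.dit'"),
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit.host}] {hit.script_block_text}")
```

Running the block prints the two matching script blocks from WS01 and WS02. The WS03 event is the one to keep in mind when tuning: it performs the same action, yet no single substring match catches it, which is why this rule is best paired with detections for the preceding steps (shadow copy creation, ntds.dit or SYSTEM hive copies) rather than relied on alone.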
Categories
  • Windows
Data Sources
  • Script (PowerShell script block logging, Event ID 4104)
Created: 2022-03-16