
Summary
This detection rule identifies potentially malicious modifications to Active Directory (AD) Access Control Lists (ACLs). It monitors Windows Security event 5136, which records modifications to AD objects, here changes to their security descriptors. The rule detects cases in which an object's permissions are modified to deny access rights, in particular the right to enumerate the permissions on that object. Using an SPL query, it extracts the old and new ACL values being applied and checks for any Access Control Entries (ACEs) that were newly added. If the change shows that a user or group has been denied rights such as 'Full Control' or 'Read permissions', the rule raises an alert, since such denials can be a deceptive technique for hiding malicious activity from defenders who rely on enumerating permissions. The detection also uses several lookups to enrich the data with context, resolving identifiers to user or group names, which is essential for effective incident response. By monitoring these changes, security teams can proactively address permission misconfigurations or insider threats.
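The core of the logic described above, the old-versus-new ACL comparison and the check for newly added deny ACEs, is shown here as an added Python example; it is not the rule's own SPL. The old and new nTSecurityDescriptor values are constructed SDDL strings, and the SID-to-name table is a hypothetical stand-in for the rule's enrichment lookups.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample values: the old and new nTSecurityDescriptor (SDDL) strings as
# they would appear in the AttributeValue field of two correlated event 5136 records.
OLD_SDDL = "O:DAG:DAD:(A;;GA;;;DA)(A;;RPLCRC;;;AU)"
NEW_SDDL = "O:DAG:DAD:(D;;RC;;;S-1-5-21-1111-2222-3333-1105)(A;;GA;;;DA)(A;;RPLCRC;;;AU)"

# SDDL rights codes the rule treats as suspicious when they appear in a deny ACE.
SUSPICIOUS_DENIED_RIGHTS = {"GA": "Full Control", "RC": "Read permissions"}

# Hypothetical SID-to-name table standing in for the rule's enrichment lookups.
SID_LOOKUP = {"S-1-5-21-1111-2222-3333-1105": "CORP\\soc-analysts"}


class Ace(NamedTuple):
    ace_type: str      # "A" allow, "D" deny, "OA"/"OD" object allow/deny, ...
    flags: str
    rights: tuple      # two-letter SDDL rights codes, or a single hex mask
    object_guid: str
    inherit_guid: str
    trustee: str       # SID or well-known SDDL alias such as DA, AU, WD


def parse_dacl(sddl: str) -> List[Ace]:
    """Return the ACEs of the DACL section ("D:...") of an SDDL string."""
    m = re.search(r"D:(?:P|AI|AR)*((?:\([^()]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        parts = body.split(";")
        if len(parts) != 6:
            continue  # conditional / resource-attribute ACEs are out of scope here
        rights = parts[2]
        codes = (rights,) if rights.startswith("0x") else tuple(
            rights[i:i + 2] for i in range(0, len(rights), 2))
        aces.append(Ace(parts[0], parts[1], codes, parts[3], parts[4], parts[5]))
    return aces


def added_deny_aces(old_sddl: str, new_sddl: str) -> List[Dict[str, object]]:
    """Diff old vs new DACL and report newly added deny ACEs carrying suspicious rights."""
    old = set(parse_dacl(old_sddl))
    findings = []
    for ace in parse_dacl(new_sddl):
        if ace in old or ace.ace_type not in ("D", "OD"):
            continue  # pre-existing ACE, or an allow ACE
        denied = [SUSPICIOUS_DENIED_RIGHTS[c] for c in ace.rights if c in SUSPICIOUS_DENIED_RIGHTS]
        if denied:
            findings.append({"trustee": SID_LOOKUP.get(ace.trustee, ace.trustee), "denied": denied})
    return findings
```

In production the two SDDL values come from the delete and add 5136 events sharing one correlation ID, and the trustee name is resolved against AD rather than a static table.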
Categories
- Identity Management
- Endpoint
- Windows
- Cloud
Data Sources
- Windows Registry
ATT&CK Techniques
- T1484
- T1222
- T1222.001
Created: 2025-01-21