
Potential Password Spraying Attempt Using Dsacls.EXE

Sigma Rules

Summary
This detection rule identifies potential password spraying attempts that abuse 'dsacls.exe', the Windows command-line tool (shipped with the AD DS tools and RSAT) for viewing and editing the ACLs of Active Directory objects. dsacls accepts alternate credentials through its '/user:' and '/passwd:' options, so an attacker can invoke it repeatedly with one candidate password against many account names and treat the success or failure of each bind as a credential-validity check, without using the more closely watched authentication tooling. The rule therefore looks for process creation events in which the executable is dsacls, matched either on the image path or on the original filename from the PE version resource (so a renamed copy is still caught), and the command line contains both '/user:' and '/passwd:'. Because administrators may legitimately run dsacls with explicit credentials, a single match is a prompt for investigation rather than a confirmed attack: analysts should verify whether the activity was authorized and whether the same invocation was launched in quick succession against many different accounts, which is the pattern that distinguishes spraying from routine use.
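The following Python is an added example, not the rule's own YAML and not code from the Sigma project: it reconstructs the selection logic described above (dsacls image or original filename, plus both '/user:' and '/passwd:' on the command line, matched case-insensitively as Sigma string matching is by default) and runs it over a handful of constructed process-creation records. It then goes one step past the rule and groups matches by host and password, which is the triage check an analyst would make to separate a spray from an administrator's one-off run. The field names, host names, account names and passwords are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation records in a Sysmon Event ID 1 style.
# These are sample rows written for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "Image": r"C:\Windows\System32\dsacls.exe",
     "OriginalFileName": "DSACLS.EXE",
     "CommandLine": r'dsacls "CN=Users,DC=corp,DC=local" /user:corp\alice /passwd:Winter2024!'},
    {"host": "WS01", "Image": r"C:\Windows\System32\dsacls.exe",
     "OriginalFileName": "DSACLS.EXE",
     "CommandLine": r'dsacls "CN=Users,DC=corp,DC=local" /user:corp\bob /passwd:Winter2024!'},
    # Renamed copy of the binary: the image path no longer says dsacls,
    # but OriginalFileName (from the PE version resource) still does.
    {"host": "WS01", "Image": r"C:\Temp\d.exe",
     "OriginalFileName": "DSACLS.EXE",
     "CommandLine": r'd.exe "CN=Users,DC=corp,DC=local" /USER:corp\carol /PASSWD:Winter2024!'},
    # Benign ACL read by an admin, no explicit credentials: must not match.
    {"host": "ADM01", "Image": r"C:\Windows\System32\dsacls.exe",
     "OriginalFileName": "DSACLS.EXE",
     "CommandLine": r'dsacls "CN=Finance,OU=Groups,DC=corp,DC=local"'},
    # Right arguments, wrong executable: must not match.
    {"host": "WS02", "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c echo /user:x /passwd:y"},
]


def matches_dsacls_rule(event):
    """Reconstruction of the rule: dsacls image (by path suffix or original
    filename) AND both '/user:' and '/passwd:' present on the command line.
    All comparisons are case-insensitive, mirroring Sigma's default."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    cli = event.get("CommandLine", "").lower()
    is_dsacls = image.endswith("\\dsacls.exe") or original == "dsacls.exe"
    return is_dsacls and "/user:" in cli and "/passwd:" in cli


_USER_RE = re.compile(r"/user:(\S+)", re.IGNORECASE)
_PASS_RE = re.compile(r"/passwd:(\S+)", re.IGNORECASE)


def spray_summary(events, min_accounts=2):
    """Triage helper beyond the rule itself: for every matching event, pull
    the supplied account and password and group by (host, password).
    A single password tried against min_accounts or more distinct accounts
    from one host is the signature of a spray rather than a one-off
    administrative command."""
    accounts_by_host_pw = defaultdict(set)
    for ev in events:
        if not matches_dsacls_rule(ev):
            continue
        user = _USER_RE.search(ev["CommandLine"])
        pw = _PASS_RE.search(ev["CommandLine"])
        if user and pw:
            accounts_by_host_pw[(ev["host"], pw.group(1))].add(user.group(1).lower())
    return {
        key: sorted(accounts)
        for key, accounts in accounts_by_host_pw.items()
        if len(accounts) >= min_accounts
    }


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(matches_dsacls_rule(ev), ev["host"], ev["CommandLine"])
    print(spray_summary(SAMPLE_EVENTS))
```

On the sample data the first three records match (including the renamed binary, caught only through OriginalFileName) and the two controls do not; the summary then shows one password tried against three accounts from WS01, which is what turns a rule hit into a spraying finding. Note that the password is captured from the command line in clear text, so any alert built on this logic should be careful about where the CommandLine field is forwarded.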
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-06-20