
PUA - DIT Snapshot Viewer

Summary
This detection rule identifies execution of Ditsnap, a utility for inspecting the Active Directory database file (ntds.dit). In the wrong hands the tool can be used to extract sensitive information, such as user credentials, from Active Directory. The detection logic monitors process creation events on Windows systems and looks for the Ditsnap executable (ditsnap.exe): the rule triggers when a process with that image name is started, or when the executable name appears in a process's command line arguments. False positives are possible, particularly where legitimate administrators use the tool for accepted administrative tasks; because of the risk of unauthorized credential access, the rule is nonetheless rated high severity. Administrators and security operations teams are encouraged to include this rule in their threat detection coverage to monitor for credential access attacks.
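The two-condition match described above, as an added example in Python (not the rule's own source or its Sigma YAML), evaluated over constructed process-creation events; the field names Image and CommandLine are assumed from the Sigma process_creation log source.

```python
# Added example, not the rule's source: applies the detection logic described
# in the summary to constructed process-creation events.
# Assumes the Sigma process_creation field names "Image" and "CommandLine".
from typing import Dict, List

EXE_NAME = "ditsnap.exe"


def matches_ditsnap_rule(event: Dict[str, str]) -> bool:
    """Return True when the event looks like Ditsnap being started.

    Mirrors the rule's two conditions, compared case-insensitively because
    Sigma string matching is case-insensitive by default:
      - Image ends with \\ditsnap.exe (the binary itself is launched), or
      - CommandLine contains ditsnap.exe (e.g. launched through cmd /c).
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return image.endswith("\\" + EXE_NAME) or EXE_NAME in cmdline


def find_alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter a batch of events down to those that trigger the rule."""
    return [e for e in events if matches_ditsnap_rule(e)]


# Constructed sample events in the shape of Sysmon Event ID 1, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\DitSnap.exe",
     "CommandLine": r'"C:\Tools\DitSnap.exe" C:\Windows\NTDS\ntds.dit',
     "User": "CORP\\svc-backup"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c D:\share\ditsnap.exe ntds.dit",
     "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe report.txt",
     "User": "CORP\\jdoe"},
    # Renamed copy: neither condition holds, so this name-based rule does not
    # fire; that gap is the main reason to pair it with other coverage.
    {"Image": r"C:\Users\Public\dsnap.exe",
     "CommandLine": r"dsnap.exe ntds.dit",
     "User": "CORP\\jdoe"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: user={alert['User']} cmd={alert['CommandLine']}")
```

The first two sample events trigger the rule (direct launch and launch via cmd.exe); the renamed copy in the last event does not, which is the false-negative side of a name-based rule.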
Categories
  • Windows
  • Endpoint
  • Identity Management
Data Sources
  • Process
Created: 2020-07-04