
Summary
This detection rule identifies potential unauthorized attempts to dump sensitive files such as 'NTDS.DIT' and the 'SECURITY' hive using the 'wbadmin' utility on Windows systems. It examines process creation events and flags executions of 'wbadmin.exe' whose command line combines backup-related commands with paths that point at these sensitive locations. Security teams should investigate every alert generated by this rule, since such activity can indicate a credential access attack. The rule operates at a high severity level, so a trigger calls for prompt attention and response. False positives may occur when authorized administrators perform legitimate backups, so each alert should be reviewed case by case during incident triage.
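As an added illustration of the detection logic the summary describes (example code written for this page, not the rule's own definition), the following Python applies the same checks to constructed process-creation events. The image check, the `start backup`/`start recovery` condition and the two path patterns are assumptions approximating the rule, not its exact selectors.

```python
import re

# Constructed sample process-creation events (not real telemetry).
# Field names follow the common Image / CommandLine convention.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": r"wbadmin start backup -backupTarget:\\share\bk -include:C:\Windows\NTDS\NTDS.dit -quiet"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": r"wbadmin start backup -backupTarget:E: -include:C:\Users\admin\Documents -quiet"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": r"wbadmin start recovery -version:01/01/2024-09:00 -itemtype:File -items:C:\Windows\System32\config\SECURITY -recoverytarget:C:\tmp"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r"7z a out.7z C:\Windows\NTDS\NTDS.dit"},
]

# Sensitive on-disk locations named in the rule summary (assumed patterns).
SENSITIVE_PATH_PATTERNS = [
    re.compile(r"\\windows\\ntds\\ntds\.dit", re.I),      # Active Directory database
    re.compile(r"\\config\\security(?![\w.])", re.I),     # SECURITY hive (not SECURITY.LOG*)
]

# Backup/recovery subcommands of wbadmin; matched case-insensitively.
BACKUP_OPERATION = re.compile(r"\bstart\s+(backup|recovery)\b", re.I)


def is_wbadmin_sensitive_dump(event: dict) -> bool:
    """Return True when a process-creation event matches all three conditions:
    the image is wbadmin.exe, the command line runs a backup or recovery
    operation, and it references one of the sensitive paths."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith("\\wbadmin.exe"):
        return False
    if not BACKUP_OPERATION.search(cmd):
        return False
    return any(p.search(cmd) for p in SENSITIVE_PATH_PATTERNS)


def triage(events):
    """Filter a batch of events down to the ones that need analyst review.
    A legitimate full-volume backup (second event) is not flagged because it
    never names the sensitive files explicitly; that case is where
    administrator-driven false positives would still need manual review."""
    return [e for e in events if is_wbadmin_sensitive_dump(e)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```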
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2024-05-10