
Summary
This detection rule identifies potentially suspicious use of the DSInternals PowerShell module, which exposes several sensitive internal features of Active Directory and Azure Active Directory. Users of this module can perform operations such as dumping DPAPI backup keys and manipulating NTDS.DIT files, actions that would be classified as malicious or unauthorized in a secure environment. The rule matches a range of PowerShell cmdlets associated with these potentially harmful activities, including commands for managing Active Directory objects, retrieving sensitive key material, and performing password audits. Script Block Logging must be enabled for this detection to work, because the rule matches on the logged script block text. Legitimate administrative and audit activities may also trigger this rule, so the context in which the cmdlets were run is essential when evaluating the alerts it raises.
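To show how a rule of this kind operates on Script Block Logging data, here is an added example that is not the rule itself and not DSInternals code: it matches known DSInternals cmdlet names in constructed PowerShell Event ID 4104 records and tags, rather than suppresses, hits from an assumed set of known audit accounts. The cmdlet selection, the sample events, hostnames and account names are all assumptions made for this example.

```python
import re

# Assumed selection of real DSInternals cmdlets; the page does not list the rule's own set.
DSINTERNALS_CMDLETS = {
    "Get-ADReplAccount",        # pulls account secrets over directory replication
    "Get-ADDBAccount",          # reads accounts and hashes from an offline ntds.dit
    "Get-LsaBackupKey",         # dumps the DPAPI domain backup key from a DC
    "Get-ADDBBackupKey",        # dumps the DPAPI backup key from an offline ntds.dit
    "Set-ADDBBootKey",          # rewrites the boot key stored in an offline ntds.dit
    "Set-ADDBAccountPassword",  # writes a password directly into ntds.dit
    "Add-ADDBSidHistory",       # injects SID history into an ntds.dit object
    "Test-PasswordQuality",     # password audit against known-weak hashes
}
_CANONICAL = {name.lower(): name for name in DSINTERNALS_CMDLETS}
# PowerShell cmdlet names are case-insensitive, so match accordingly.
_CMDLET_RE = re.compile(r"\b(" + "|".join(map(re.escape, DSINTERNALS_CMDLETS)) + r")\b", re.IGNORECASE)

# Constructed sample records shaped like Microsoft-Windows-PowerShell/Operational 4104 events.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "dc01.corp.example", "User": "CORP\\svc-backup",
     "ScriptBlockText": "Import-Module DSInternals; Get-LsaBackupKey -ComputerName dc01"},
    {"EventID": 4104, "Computer": "ws07.corp.example", "User": "CORP\\jdoe",
     "ScriptBlockText": "Get-ADUser -Filter * | Select-Object Name"},
    {"EventID": 4104, "Computer": "ws07.corp.example", "User": "CORP\\jdoe",
     "ScriptBlockText": "get-addbaccount -All -DatabasePath C:\\Temp\\ntds.dit -BootKey $bk"},
    {"EventID": 4103, "Computer": "ws07.corp.example", "User": "CORP\\jdoe",
     "ScriptBlockText": "Get-ADReplAccount"},  # not a script block event; ignored
    {"EventID": 4104, "Computer": "audit01.corp.example", "User": "CORP\\pwaudit",
     "ScriptBlockText": "Get-ADReplAccount -All -Server dc01 | Test-PasswordQuality"},
]

def detect_dsinternals(events, known_audit_accounts=frozenset()):
    """Return one alert per 4104 event whose script block names a listed cmdlet.

    Hits from known_audit_accounts are kept but tagged, since the page's caveat is
    that legitimate audits trigger the rule and context decides, not suppression.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue  # only Script Block Logging records carry the script text
        text = ev.get("ScriptBlockText", "")
        hits = sorted({_CANONICAL[m.group(1).lower()] for m in _CMDLET_RE.finditer(text)})
        if not hits:
            continue
        alerts.append({"Computer": ev["Computer"], "User": ev["User"], "cmdlets": hits,
                       "context": "known audit account" if ev["User"] in known_audit_accounts
                       else "review required"})
    return alerts
```

Cmdlets invoked through aliases or assembled at runtime will not match a name list like this, which is one reason the logged script block text, not the command line, is the data source.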
Categories
- Windows
- Cloud
- Infrastructure
- Identity Management
Data Sources
- Script
Created: 2024-06-26