
Summary
This detection rule identifies executions of the Active Directory diagnostic tool ntdsutil.exe. The tool supports a range of legitimate administrative tasks, but attackers can also abuse it to interact with the NTDS database (NTDS.DIT), potentially extracting sensitive information or altering the state of Active Directory. The rule uses process creation logs to detect when ntdsutil.exe is invoked, which makes it valuable for surfacing unauthorized actions or malicious activity targeting the Active Directory infrastructure. Detection is performed by matching process images whose names end with 'ntdsutil.exe', helping to mitigate the risks associated with credential access attacks.
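The matching logic described above, as an added example that is not the rule's own code: it runs the "image ends with ntdsutil.exe" check over constructed Sysmon-style process creation events. The field names (EventID, Image, CommandLine, User) and the sample events are assumptions, not telemetry from the page.

```python
"""Process-creation matcher for the ntdsutil.exe rule (added example).

Assumes events already parsed into dicts with Sysmon-style keys; the key
names are an assumption, adapt them to your log schema."""
import ntpath
from typing import Iterable, List

TARGET_IMAGE = "ntdsutil.exe"


def is_ntdsutil_execution(event: dict) -> bool:
    """True when a process-creation event's Image is ntdsutil.exe.

    The comparison is done on the file name only (text after the last
    path separator) and case-insensitively, so NTDSUTIL.EXE launched from
    any directory still matches, while e.g. myntdsutil.exe does not."""
    if event.get("EventID") != 1:  # Sysmon EventID 1 = process creation
        return False
    image = event.get("Image", "")
    return ntpath.basename(image).lower() == TARGET_IMAGE


def find_ntdsutil_executions(events: Iterable[dict]) -> List[dict]:
    """Return matching events in input order for analyst triage."""
    return [e for e in events if is_ntdsutil_execution(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": "ntdsutil.exe <arguments elided>", "User": r"CORP\dcadmin"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "User": r"NT AUTHORITY\SYSTEM"},
    # Mixed case and a non-standard directory still match.
    {"EventID": 1, "Image": r"C:\Users\Public\NTDSUTIL.EXE",
     "CommandLine": "NTDSUTIL.EXE <arguments elided>", "User": r"CORP\jdoe"},
    # EventID 3 is a network connection, not a process creation: ignored.
    {"EventID": 3, "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": "", "User": r"CORP\dcadmin"},
]

if __name__ == "__main__":
    for hit in find_ntdsutil_executions(SAMPLE_EVENTS):
        print(f"{hit['User']}\t{hit['Image']}\t{hit['CommandLine']}")
```

Because the tool has legitimate administrative uses, every hit still needs triage against the executing user, host role and command line.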
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2019-01-16