
Summary
This detection rule identifies the creation of a file named 'ntds.dit', the Active Directory database. It focuses on creations whose parent process is one not normally associated with that file, which can indicate credential dumping (for example, an offline copy of the database taken via a shadow copy or ntdsutil) or a broader compromise of a domain controller. The rule evaluates fields from Sysmon file-creation events (Event ID 11), in particular 'ParentImage'. Sysmon's FileCreate event does not carry that field by default; it records the creating process ('Image', 'ProcessGuid') and the 'TargetFilename', so the logs must be enriched with the parent from the matching ProcessCreate event (Event ID 1, joined on 'ProcessGuid') before this rule can be applied. The detection criteria flag an 'ntds.dit' creation when the parent process is either an uncommon binary, such as a scripting host, a web server worker, or a shell, or a process located in an uncommon directory. Sound operational tooling (backup agents, ntdsutil run by an administrator) is expected to create this file from well-known parents; creations that deviate from that pattern deserve prompt triage, and known backup parents can be tuned out once validated.
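The enrichment step and the rule logic, run over a handful of constructed Sysmon events, as an added example (this is editor-written illustration code, not the rule itself or any vendor's implementation). The lists of uncommon parent images and directories are an assumption that approximates the rule's intent, not its verbatim contents; the event dictionaries are constructed samples, not real telemetry.

```python
"""
Added example: enrich Sysmon FileCreate (EID 11) events with the parent of
the creating process, then apply the 'ntds.dit by uncommon parent' logic.

EID 11 has Image/ProcessGuid/TargetFilename but no ParentImage; EID 1
(ProcessCreate) has ProcessGuid and ParentImage, so ProcessGuid is the join key.
"""
from __future__ import annotations

# Assumption: illustrative approximation of the rule's parent-process list.
UNCOMMON_PARENT_IMAGES = (
    "\\cscript.exe", "\\wscript.exe",                 # scripting hosts
    "\\powershell.exe", "\\pwsh.exe", "\\cmd.exe",    # shells
    "\\w3wp.exe", "\\httpd.exe", "\\nginx.exe", "\\php-cgi.exe",  # web servers
)
# Assumption: illustrative approximation of the rule's uncommon parent directories.
UNCOMMON_PARENT_DIRS = (
    "\\users\\public\\", "\\temp\\", "\\appdata\\", "\\perflogs\\", "\\programdata\\",
)

# Constructed EID 1 (ProcessCreate) samples: the only source of ParentImage.
SYSMON_PROCESS_CREATE = [
    {"EventID": 1, "ProcessGuid": "{guid-backup}",
     "Image": "C:\\Windows\\System32\\wbengine.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 1, "ProcessGuid": "{guid-ntdsutil}",
     "Image": "C:\\Windows\\System32\\ntdsutil.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 1, "ProcessGuid": "{guid-esentutl}",
     "Image": "C:\\Windows\\System32\\esentutl.exe",
     "ParentImage": "C:\\Users\\Public\\update.exe"},
]

# Constructed EID 11 (FileCreate) samples: note the absence of ParentImage.
SYSMON_FILE_CREATE = [
    {"EventID": 11, "ProcessGuid": "{guid-backup}",
     "Image": "C:\\Windows\\System32\\wbengine.exe",
     "TargetFilename": "D:\\WindowsImageBackup\\DC01\\Backup\\ntds.dit"},   # benign backup
    {"EventID": 11, "ProcessGuid": "{guid-ntdsutil}",
     "Image": "C:\\Windows\\System32\\ntdsutil.exe",
     "TargetFilename": "C:\\Temp\\ad\\Active Directory\\ntds.dit"},         # uncommon parent
    {"EventID": 11, "ProcessGuid": "{guid-esentutl}",
     "Image": "C:\\Windows\\System32\\esentutl.exe",
     "TargetFilename": "C:\\Users\\Public\\ntds.dit"},                      # uncommon parent dir
    {"EventID": 11, "ProcessGuid": "{guid-ntdsutil}",
     "Image": "C:\\Windows\\System32\\ntdsutil.exe",
     "TargetFilename": "C:\\Temp\\ad\\Active Directory\\ntds.jfm"},         # not ntds.dit
    {"EventID": 11, "ProcessGuid": "{guid-unknown}",
     "Image": "C:\\Windows\\System32\\esentutl.exe",
     "TargetFilename": "C:\\ProgramData\\ntds.dit"},                        # EID 1 missing
]


def build_parent_index(process_events: list[dict]) -> dict[str, str]:
    """Map ProcessGuid -> ParentImage from EID 1 events."""
    return {e["ProcessGuid"]: e["ParentImage"]
            for e in process_events if e.get("EventID") == 1}


def enrich(file_events: list[dict], parent_index: dict[str, str]) -> list[dict]:
    """Attach ParentImage to each EID 11 event; None when the join fails."""
    out = []
    for e in file_events:
        if e.get("EventID") != 11:
            continue
        enriched = dict(e)
        enriched["ParentImage"] = parent_index.get(e["ProcessGuid"])
        out.append(enriched)
    return out


def match_reason(parent_image: str) -> str | None:
    """Why a parent image is 'uncommon' under the rule, or None if it is not."""
    p = parent_image.lower()
    if p.endswith(UNCOMMON_PARENT_IMAGES):
        return "uncommon_parent_image"
    if any(d in p for d in UNCOMMON_PARENT_DIRS):
        return "uncommon_parent_dir"
    return None


def evaluate(file_events: list[dict], process_events: list[dict]) -> dict:
    """Return rule alerts plus ntds.dit creations the join could not enrich."""
    index = build_parent_index(process_events)
    alerts, unenriched = [], []
    for e in enrich(file_events, index):
        if not e["TargetFilename"].lower().endswith("\\ntds.dit"):
            continue
        if e["ParentImage"] is None:
            unenriched.append(e["TargetFilename"])  # rule cannot fire; surface it
            continue
        reason = match_reason(e["ParentImage"])
        if reason:
            alerts.append((e["TargetFilename"], e["ParentImage"], reason))
    return {"alerts": alerts, "unenriched": unenriched}


if __name__ == "__main__":
    result = evaluate(SYSMON_FILE_CREATE, SYSMON_PROCESS_CREATE)
    for target, parent, reason in result["alerts"]:
        print(f"ALERT {reason}: {target} (parent {parent})")
    for target in result["unenriched"]:
        print(f"UNENRICHED: {target} (no EID 1 for ProcessGuid; rule blind)")
```

The 'unenriched' bucket is the practical caveat: if the EID 1 event has rolled out of the log or the pipeline did not join on 'ProcessGuid', the rule silently sees no 'ParentImage' and cannot fire, so a deployment should monitor that bucket rather than assume silence means no 'ntds.dit' was written.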
Categories
- Windows
- Endpoint
Data Sources
- File
- Process
Created: 2022-03-11