
Windows SubInAcl Execution

Splunk Security Content

Summary
This rule identifies execution of SubInAcl.exe, a Windows Resource Kit utility for reading and modifying the security descriptors (ACLs and ownership) of files, registry keys, services and other securable objects. The tool is a legacy component, so its presence on a modern system is unusual and worth a closer look. The detection uses process-execution telemetry from EDR agents, matches executions of SubInAcl.exe, and returns execution details and context such as the executing user and the parent process. Because an attacker can use SubInAcl to rewrite EventLog access controls or otherwise weaken security controls, every hit should be investigated. Legitimate hits do occur when administrators repair broken permissions with the same tool, so tune on user and parent process rather than suppressing the rule outright. Monitoring this kind of anomaly improves detection coverage and lets the organisation respond before the permission change is used for something worse.
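As an added illustration, not the rule's own SPL and not code from Splunk Security Content, the following Python applies the rule's core predicate to constructed EDR-style process-creation events. Field names (Image, OriginalFileName, CommandLine, User, ParentImage) follow Sysmon Event ID 1 naming and are an assumption; the events, the renamed `sa.exe` binary and the `/service eventlog` command line are constructed for the example. It also shows why matching on the PE's OriginalFileName in addition to the on-disk name matters: a copy renamed by the attacker is otherwise missed.

```python
"""Added example (not the Splunk rule's own query): SubInAcl execution
detection over constructed EDR-style process events.

Assumed field names follow Sysmon Event ID 1 (Image, OriginalFileName,
CommandLine, User, ParentImage). All events below are constructed.
"""
import ntpath

# Constructed process-creation events. The second one has SubInAcl renamed
# to sa.exe on disk; only the PE OriginalFileName still identifies it.
EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\sa.exe",
     "OriginalFileName": "SubInAcl.exe",
     "CommandLine": "sa.exe /service eventlog /grant=alice=F",
     "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe",
     "OriginalFileName": "SubInAcl.exe",
     "CommandLine": r"subinacl.exe /subkeyreg HKEY_LOCAL_MACHINE\SOFTWARE /grant=administrators=f",
     "User": "CORP\\svc-deploy",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def is_subinacl(event):
    """True if either the on-disk image name or the PE OriginalFileName is
    SubInAcl.exe (case-insensitive, like a Splunk field comparison)."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    return image == "subinacl.exe" or original == "subinacl.exe"


def touches_eventlog(event):
    """Triage hint: the command line targets the EventLog service.
    The '/service eventlog' pattern is an assumption about how the tool
    would be pointed at the EventLog ACL, not something the rule asserts."""
    cmd = event.get("CommandLine", "").lower()
    return "/service" in cmd and "eventlog" in cmd


def detect(events):
    """Return one alert record per matching event, carrying the user and
    parent process the rule surfaces for investigation, plus two flags
    an analyst would want: was the binary renamed, and does the command
    line go after the EventLog service."""
    alerts = []
    for e in events:
        if not is_subinacl(e):
            continue
        alerts.append({
            "image": e["Image"],
            "renamed": ntpath.basename(e["Image"]).lower() != "subinacl.exe",
            "user": e["User"],
            "parent": e["ParentImage"],
            "command_line": e["CommandLine"],
            "eventlog_acl_change": touches_eventlog(e),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run as-is it prints two alerts: the renamed copy launched from cmd.exe by an interactive user with an EventLog-targeting command line (the case the summary warns about), and the stock binary run by a deployment service account from PowerShell against a registry subtree, which is the kind of hit you would expect to whitelist by user and parent after confirming it is a sanctioned permissions repair.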
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1222
  • T1222.001
Created: 2025-01-07