
Summary
This detection rule identifies potential backdoor scenarios in Active Directory (AD) in which a user or computer account can be controlled without its legitimate credentials. It focuses on security event IDs that record modifications to user account properties, particularly those governing delegation and impersonation. The rule analyzes events generated when an account is modified (EventID 4738), especially changes to attributes such as 'msDS-AllowedToDelegateTo' and 'servicePrincipalName'. A combination of filters ensures that only significant changes are captured, highlighting configurations that could enable unauthorized access to or control over resources. The logic checks that the delegation configuration recorded in the event is neither empty nor null, and flags such unexpected setups. The detection strengthens security posture by ensuring that only legitimate, authorized accounts acquire additional permissions, particularly in environments where misconfigured settings would otherwise allow user impersonation.
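Applying the rule's logic to sample events, as an added example rather than the rule's own code: the EventID 4738 branch flags a non-empty, non-null AllowedToDelegateTo value, and, as an assumption the summary does not state, attribute-level changes are read from Windows directory service change events (EventID 5136) naming the watched attributes. Field names follow the Windows Security event schema; all sample records are constructed.

```python
# Added example (not the detection rule's own code). Evaluates constructed
# Windows Security events, represented as dicts, against the backdoor pattern.
WATCHED_ATTRIBUTES = {"msDS-AllowedToDelegateTo", "servicePrincipalName"}


def delegation_configured(value):
    """Event 4738 writes '-' when the attribute is unset; '', None and '-' mean no delegation."""
    return value not in (None, "", "-")


def evaluate(event):
    """Return a reason string when the event matches the backdoor pattern, else None."""
    event_id = event.get("EventID")
    if event_id == 4738 and delegation_configured(event.get("AllowedToDelegateTo")):
        return (f"account {event.get('TargetUserName')} is now allowed to delegate to "
                f"{event['AllowedToDelegateTo']} (changed by {event.get('SubjectUserName')})")
    # Assumption: attribute changes arrive as directory service change events (5136)
    # carrying AttributeLDAPDisplayName; the summary itself mentions only 4738.
    if event_id == 5136 and event.get("AttributeLDAPDisplayName") in WATCHED_ATTRIBUTES:
        return (f"{event['AttributeLDAPDisplayName']} modified on {event.get('ObjectDN')} "
                f"by {event.get('SubjectUserName')}")
    return None


def run_rule(events):
    """Return (EventRecordID, reason) pairs for every matching event."""
    return [(e.get("EventRecordID"), reason) for e in events if (reason := evaluate(e))]


SAMPLE_EVENTS = [  # constructed records, not captured from a real domain
    {"EventRecordID": 1, "EventID": 4738, "SubjectUserName": "helpdesk1",
     "TargetUserName": "svc_backup", "AllowedToDelegateTo": "-"},           # benign: unset
    {"EventRecordID": 2, "EventID": 4738, "SubjectUserName": "helpdesk1",
     "TargetUserName": "svc_backup",
     "AllowedToDelegateTo": "cifs/DC01.corp.example"},                       # delegation added
    {"EventRecordID": 3, "EventID": 4738, "SubjectUserName": "admin",
     "TargetUserName": "jdoe"},                                              # field absent (null)
    {"EventRecordID": 4, "EventID": 5136, "SubjectUserName": "helpdesk1",
     "ObjectDN": "CN=jdoe,OU=Users,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName"},                   # SPN set on a user
    {"EventRecordID": 5, "EventID": 5136, "SubjectUserName": "admin",
     "ObjectDN": "CN=jdoe,OU=Users,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description"},                            # unrelated attribute
]

if __name__ == "__main__":
    for record_id, reason in run_rule(SAMPLE_EVENTS):
        print(f"ALERT record {record_id}: {reason}")
```

Records 2 and 4 are flagged; the '-' placeholder, the absent field and the unrelated attribute change all pass through silently, which is the null/empty filtering the summary describes.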
Categories
- Identity Management
- Windows
Data Sources
- User Account
- Active Directory
Created: 2017-04-13