
Summary
This analytic rule detects use of the "ntdsutil" tool to export the Active Directory database file (NTDS.dit), which can signify an intention to perform offline password cracking. Using data from Endpoint Detection and Response (EDR) agents, the rule examines process names and their command-line arguments, focusing on process-creation events in which "ntdsutil.exe" is launched with command-line variations related to exporting the database, and aggregates those events to surface statistically significant activity. If flagged as malicious, such behavior may indicate a severe security threat, potentially enabling attackers to access and misuse sensitive credential data for unauthorized access or privilege escalation within a network.
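The detection logic described in the summary, as an added illustration that is not part of the original rule page: a small Python matcher run over a handful of constructed EDR process-creation events. The event fields (host, user, parent, process name, command line) and the sample command lines are assumptions made for this example, and the aggregation step stands in for the rule's per-host/per-user statistics.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcessEvent:
    """One process-creation record as an EDR agent might report it (hypothetical schema)."""
    host: str
    user: str
    parent: str
    process_name: str
    cmdline: str


# Constructed sample telemetry: two NTDS export attempts, one routine ntdsutil use,
# and one unrelated process. None of these are real captured events.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("dc01", "CORP\\svc-backup", "cmd.exe", "ntdsutil.exe",
                 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\out" q q'),
    ProcessEvent("dc01", "CORP\\svc-backup", "powershell.exe", "ntdsutil.exe",
                 'ntdsutil.exe "activate instance ntds" ifm "create full C:\\Windows\\Temp\\out" quit quit'),
    ProcessEvent("dc01", "CORP\\dsadmin", "cmd.exe", "ntdsutil.exe",
                 'ntdsutil.exe "metadata cleanup" "remove selected server" q q'),
    ProcessEvent("ws07", "CORP\\alice", "explorer.exe", "notepad.exe",
                 'notepad.exe C:\\Users\\alice\\notes.txt'),
]

# Word boundaries matter: "\bntds\b" matches the NTDS instance argument
# ("ac i ntds" / "activate instance ntds") but not the image name "ntdsutil.exe".
NTDS_INSTANCE = re.compile(r"\bntds\b", re.IGNORECASE)
# Export indicators: Install-From-Media mode and/or a create verb in the arguments.
EXPORT_VERB = re.compile(r"\b(ifm|create)\b", re.IGNORECASE)


def is_ntds_export(event: ProcessEvent) -> bool:
    """True when ntdsutil.exe is launched with arguments consistent with exporting NTDS.dit."""
    if not event.process_name.lower().endswith("ntdsutil.exe"):
        return False
    # Drop the image token so the check only looks at the arguments.
    parts = event.cmdline.split(None, 1)
    args = parts[1] if len(parts) > 1 else ""
    return bool(NTDS_INSTANCE.search(args)) and bool(EXPORT_VERB.search(args))


def summarize_ntds_export(events: List[ProcessEvent]) -> Dict[Tuple[str, str, str], dict]:
    """Aggregate matching events by (host, user, parent), mirroring a stats-style clause."""
    groups: Dict[Tuple[str, str, str], dict] = defaultdict(lambda: {"count": 0, "cmdlines": []})
    for ev in events:
        if is_ntds_export(ev):
            key = (ev.host, ev.user, ev.parent)
            groups[key]["count"] += 1
            groups[key]["cmdlines"].append(ev.cmdline)
    return dict(groups)


if __name__ == "__main__":
    for (host, user, parent), info in summarize_ntds_export(SAMPLE_EVENTS).items():
        print(f"{host} {user} via {parent}: {info['count']} NTDS export attempt(s)")
        for cl in info["cmdlines"]:
            print("   ", cl)
```

The routine `metadata cleanup` invocation is not flagged because neither the NTDS instance token nor an export verb appears in its arguments; tuning the `EXPORT_VERB` pattern (for example, requiring both `ifm` and `create`) is the usual lever for reducing noise from legitimate administrative use.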
Categories
- Endpoint
- Windows
- Identity Management
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1003.003
- T1003
Created: 2024-11-13