
Windows AD Dangerous Group ACL Modification

Splunk Security Content

Summary
This detection rule monitors potentially dangerous modifications to the Access Control Lists (ACLs) of Active Directory (AD) group objects. Specifically, it alerts on the addition of significant permissions that could grant excessive privileges to users. The permissions monitored include high-risk rights such as 'Full Control', 'Delete subtree', 'Modify permissions', and 'Write all properties'. Such modifications can indicate privilege escalation attempts or malicious insider activity and warrant immediate investigation. The rule uses Windows Security logs, specifically Event ID 5136, to track these changes and extracts the relevant fields to assess the nature of the access rights being modified. By filtering events and extracting attributes through careful parsing, the rule aims to minimize false positives and focus on genuine threats. Investigators are encouraged to act swiftly on an alert to prevent a potential security breach.
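As an added example (not the Splunk rule's own SPL), the same detection logic in Python over constructed Event ID 5136 records: it keeps only 'Value Added' changes to the security descriptor of group objects, parses the SDDL ACEs, and maps the rights codes to the four permissions named above. The event field names and the code-to-permission mapping are assumptions made for this example.

```python
import re

def event(object_dn, operation, subject, sddl):
    """Build a constructed record shaped like Windows Security Event ID 5136 (values made up)."""
    return {"EventCode": 5136, "ObjectClass": "group", "ObjectDN": object_dn,
            "AttributeLDAPDisplayName": "nTSecurityDescriptor",
            "OperationType": operation, "SubjectUserName": subject, "AttributeValue": sddl}

SAMPLE_EVENTS = [
    # ADUC "Full Control" usually expands to the full list of codes rather than a bare GA
    event("CN=Domain Admins,CN=Users,DC=corp,DC=example", "Value Added", "jdoe",
          "O:DAG:DAD:AI(A;;RPLCLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1-2-3-1105)"),
    # WP scoped to a single property GUID is not "Write all properties"
    event("CN=Helpdesk,OU=Groups,DC=corp,DC=example", "Value Added", "svc-iam",
          "O:DAG:DAD:AI(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1-2-3-2201)"),
    # 5136 also logs the old descriptor as "Value Deleted"; that is not a new grant
    event("CN=Domain Admins,CN=Users,DC=corp,DC=example", "Value Deleted", "jdoe",
          "O:DAG:DAD:AI(A;;GA;;;S-1-5-21-1-2-3-1105)"),
]

ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")
# SDDL two-letter rights codes mapped to the ADUC permission names the rule lists (assumed mapping)
CODE_NAMES = {"GA": "Full Control", "DT": "Delete subtree", "WD": "Modify permissions"}

def ace_dangerous_rights(rights, object_guid):
    """Dangerous permission names granted by one ACE's two-letter SDDL rights field."""
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    found = {CODE_NAMES[c] for c in codes if c in CODE_NAMES}
    if "WP" in codes and not object_guid:   # WP with no object GUID covers every property
        found.add("Write all properties")
    return found

def detect(events):
    """Return (actor, group DN, trustee SID, rights) for each allow ACE that adds dangerous rights."""
    alerts = []
    for ev in events:
        if (ev["EventCode"] != 5136 or ev["ObjectClass"] != "group"
                or ev["AttributeLDAPDisplayName"] != "nTSecurityDescriptor"
                or ev["OperationType"] != "Value Added"):
            continue
        for ace_type, _flags, rights, obj_guid, _inh, sid in ACE_RE.findall(ev["AttributeValue"]):
            if ace_type in ("A", "OA") and not rights.startswith("0x"):  # allow ACEs with letter codes
                names = ace_dangerous_rights(rights, obj_guid)
                if names:
                    alerts.append((ev["SubjectUserName"], ev["ObjectDN"], sid, sorted(names)))
    return alerts
```

ACEs whose rights are written as a hex mask are skipped here; a production version would decode the mask bits as well.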
Categories
  • Windows
  • Identity Management
  • Endpoint
Data Sources
  • Windows Registry
  • Active Directory
ATT&CK Techniques
  • T1484
  • T1222
  • T1222.001
Created: 2025-01-21