
Summary
This detection rule identifies execution of the 'ntdsutil.exe' command-line utility, which adversaries often misuse to dump credentials from the Active Directory database (ntds.dit). By monitoring the processes that invoke this executable, analysts can catch credential dumping activity that threatens the integrity of the organization's user accounts. The rule captures Sysmon events in which 'ntdsutil' is mentioned and uses a statistics aggregation to count occurrences by host and user. It is tied to multiple threat actor groups known to employ credential dumping, which makes it relevant for detecting advanced persistent threat (APT) activity, including activity attributed to APT29 (Nobelium) and others. The references included in the rule provide additional context on the utility's capabilities and the attack vectors it is associated with. Given its role in credential access, continuous monitoring of 'ntdsutil.exe' executions is important for identifying unauthorized access attempts in a Windows environment.
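The following Python script is an added illustration of the detection logic the summary describes (match Sysmon events that mention 'ntdsutil', then aggregate by host and user); it is not the rule's own query. It assumes Sysmon Event ID 1 (process creation) records have been flattened into key=value text lines, and the sample events, host names and user names below are constructed, not real telemetry.

```python
"""Count Sysmon process-creation events that mention ntdsutil, per host and user.

Added illustration only; not the detection rule's own query and not the Sysmon
schema. Sysmon Event ID 1 (process creation) records are assumed to have been
flattened into key=value text lines like the constructed samples below.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample events (not real telemetry). Command-line arguments are
# redacted because the match is on the utility name, not on its sub-commands.
SAMPLE_EVENTS = [
    r'EventID=1 Computer=DC01.corp.local User=CORP\svc_backup Image=C:\Windows\System32\ntdsutil.exe CommandLine="ntdsutil.exe <args redacted>" ParentImage=C:\Windows\System32\cmd.exe',
    r'EventID=1 Computer=DC01.corp.local User=CORP\svc_backup Image=C:\Windows\System32\ntdsutil.exe CommandLine="ntdsutil.exe <args redacted>" ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
    r'EventID=1 Computer=DC01.corp.local User=CORP\Administrator Image=C:\Windows\System32\ntdsutil.exe CommandLine="ntdsutil.exe <args redacted>" ParentImage=C:\Windows\explorer.exe',
    r'EventID=1 Computer=WS07.corp.local User=CORP\alice Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe Get-Help ntdsutil" ParentImage=C:\Windows\explorer.exe',
    r'EventID=11 Computer=DC01.corp.local User="NT AUTHORITY\SYSTEM" Image=C:\Windows\System32\lsass.exe TargetFilename=C:\Windows\NTDS\ntds.dit',
    r'EventID=1 Computer=DC01.corp.local User=CORP\svc_backup Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c dir" ParentImage=C:\Windows\explorer.exe',
]

# key=value pairs; a value is either a double-quoted string (may contain spaces
# and backslash escapes) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened key=value line into a dict, stripping value quotes."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def mentions_ntdsutil(event: Dict[str, str]) -> bool:
    """True when the image path or command line contains 'ntdsutil' (case-insensitive)."""
    haystack = " ".join((event.get("Image", ""), event.get("CommandLine", ""))).lower()
    return "ntdsutil" in haystack


def aggregate_by_host_user(lines: Iterable[str]) -> Counter:
    """Count matching process-creation events keyed by (Computer, User)."""
    counts: Counter = Counter()
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "1":
            continue  # only process-creation records are in scope
        if mentions_ntdsutil(event):
            counts[(event.get("Computer", "?"), event.get("User", "?"))] += 1
    return counts


def alerts(counts: Counter, threshold: int = 1) -> List[Tuple[str, str, int]]:
    """Return (host, user, count) triples at or above threshold, most frequent first."""
    rows = [(host, user, n) for (host, user), n in counts.items() if n >= threshold]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    for host, user, n in alerts(aggregate_by_host_user(SAMPLE_EVENTS)):
        print(f"{host:20} {user:22} {n}")
```

Note that the PowerShell 'Get-Help ntdsutil' line is counted too: the rule as summarized matches any mention of the string, so the per-host, per-user counts are what lets an analyst separate a one-off help lookup on a workstation from repeated invocations on a domain controller. The EventID 11 file-creation record for ntds.dit is deliberately outside the match to show that the aggregation is scoped to process-creation events.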
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
- File
ATT&CK Techniques
- T1003.003
- T1003
Created: 2024-02-09