
Summary
This detection rule monitors modifications to the Access Control List (ACL) of the AdminSDHolder object in a Windows Active Directory environment. AdminSDHolder is a critical object because its security descriptor is the template applied to members of protected (privileged) groups. The rule watches for EventCode 5136 (a directory service object was modified) in the Windows Security Event Log where the modified attribute is nTSecurityDescriptor on the AdminSDHolder object. An unauthorized modification can indicate malicious activity, such as an attempt to establish persistence or escalate privileges by changing the ACL that sensitive accounts inherit. This detection lets defenders identify unusual alterations and respond quickly to potential compromise of the Active Directory infrastructure.
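The following is an added example of the detection logic described above, written for this page and not the rule's own search. It parses constructed 5136-style records (the simplified key=value;key=value layout is an assumption; the field names Object DN, LDAP Display Name and Operation Type follow the 5136 message body) and flags only events where EventCode is 5136, the object is AdminSDHolder under the System container, and the modified attribute is nTSecurityDescriptor. Matching is case-insensitive, since Active Directory DNs and attribute names are not case-sensitive.

```python
"""Added example: flag Windows Security Event ID 5136 records that modify the
nTSecurityDescriptor attribute (the ACL) of the AdminSDHolder object.

All sample records below are constructed for this example. The flat
"key=value;key=value" line format is an assumption; the field names follow
the 5136 message body (Object DN, LDAP Display Name, Operation Type).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# AdminSDHolder always lives under the System container of the domain
# naming context, so a prefix match on the lower-cased DN is sufficient.
ADMINSDHOLDER_PREFIX = "cn=adminsdholder,cn=system,"
ACL_ATTRIBUTE = "ntsecuritydescriptor"

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # ACL change on AdminSDHolder: should alert.
    "EventCode=5136;Account Name=alice;Object DN=CN=AdminSDHolder,CN=System,DC=corp,DC=example;"
    "Object Class=container;LDAP Display Name=nTSecurityDescriptor;Operation Type=Value Added",
    # Same object, but a harmless attribute: no alert.
    "EventCode=5136;Account Name=svc-backup;Object DN=CN=AdminSDHolder,CN=System,DC=corp,DC=example;"
    "LDAP Display Name=description;Operation Type=Value Added",
    # ACL change on a different object: no alert.
    "EventCode=5136;Account Name=bob;Object DN=CN=Users,DC=corp,DC=example;"
    "LDAP Display Name=nTSecurityDescriptor;Operation Type=Value Added",
    # Wrong event code (5137 is object creation): no alert.
    "EventCode=5137;Account Name=bob;Object DN=CN=AdminSDHolder,CN=System,DC=corp,DC=example;"
    "LDAP Display Name=nTSecurityDescriptor;Operation Type=Value Added",
    # Different casing in DN and attribute name: must still alert.
    "EventCode=5136;Account Name=jsmith;Object DN=cn=adminsdholder,cn=system,DC=corp,DC=example;"
    "LDAP Display Name=NTSECURITYDESCRIPTOR;Operation Type=Value Deleted",
]


@dataclass(frozen=True)
class Finding:
    """One alert: who changed the AdminSDHolder ACL and how."""
    account: str
    object_dn: str
    operation: str


def parse_event(line: str) -> Dict[str, str]:
    """Split a constructed 'key=value;key=value' record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def is_adminsdholder_acl_change(event: Dict[str, str]) -> bool:
    """True only for 5136 events that touch nTSecurityDescriptor on AdminSDHolder."""
    if event.get("EventCode") != "5136":
        return False
    object_dn = event.get("Object DN", "").lower()
    attribute = event.get("LDAP Display Name", "").lower()
    return object_dn.startswith(ADMINSDHOLDER_PREFIX) and attribute == ACL_ATTRIBUTE


def detect(lines: Iterable[str]) -> List[Finding]:
    """Run the rule over raw records and return the alerts."""
    findings: List[Finding] = []
    for line in lines:
        event = parse_event(line)
        if is_adminsdholder_acl_change(event):
            findings.append(
                Finding(
                    account=event.get("Account Name", "<unknown>"),
                    object_dn=event.get("Object DN", ""),
                    operation=event.get("Operation Type", ""),
                )
            )
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"ALERT AdminSDHolder ACL modified by {finding.account}: "
              f"{finding.operation} on {finding.object_dn}")
```

When triaging hits, note that a single-valued attribute change such as nTSecurityDescriptor is typically logged as a Value Deleted / Value Added pair sharing one Correlation ID, so two findings from the same account within seconds usually represent one modification; the Account Name and whether the change went through an approved change window are the first things to check.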
Categories
- Windows
- Identity Management
Data Sources
- Windows Registry
- Active Directory
ATT&CK Techniques
- T1546
Created: 2024-11-13