
Suspicious ntds.dit Commands

Anvilogic Forge

Summary
This rule detects suspicious commands related to the Active Directory database file 'ntds.dit', which may indicate credential dumping and exfiltration. Adversaries often use tools like `ntdsutil` to manipulate or copy the ntds.dit file, which contains sensitive credential material. By monitoring for command patterns that include keywords such as 'ntdsutil', 'ntds', 'create', 'copy', or combinations of these that indicate attempts to activate, create, or copy instances of the ntds.dit file, this rule helps identify unauthorized access or manipulation attempts. It uses Windows Sysmon data to track process creation events related to these actions. The rule aggregates the findings over time and presents statistics that may reveal threats related to credential access, particularly credential dumping from Active Directory.
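The following is an added example, not Anvilogic's rule code, showing the kind of logic the summary describes: Sysmon Event ID 1 (process creation) records are matched against ntds.dit-related command-line patterns and the hits are aggregated per host and user. The regular expressions are my own reading of the keyword combinations named above (the page does not give the rule's exact pattern), the field names follow Sysmon's Event ID 1 schema (UtcTime, User, Image, CommandLine, plus the Computer name from the event header), and every event in `SAMPLE_EVENTS` is constructed for this example.

```python
"""Added example (not the Anvilogic rule itself): flag ntds.dit-related
process-creation events and aggregate them per host and user."""
import re
from datetime import datetime

# Patterns constructed for this example, mirroring the summary's keywords:
# ntdsutil activating/creating an NTDS instance or IFM media, and copy
# operations that name ntds.dit.
NTDSUTIL_RE = re.compile(
    r"ntdsutil(\.exe)?\b.*?(activate\s+instance\s+ntds|\bac\s+i\s+ntds\b|\bcreate\b|\bifm\b)",
    re.IGNORECASE,
)
COPY_RE = re.compile(r"\bcopy\b.*?ntds\.dit|ntds\.dit.*?\bcopy\b", re.IGNORECASE)

# Constructed Sysmon Event ID 1 records, flattened to the fields the rule needs.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-02-09 10:01:12", "Computer": "DC01", "User": "CORP\\svc_backup",
     "Image": "C:\\Windows\\System32\\ntdsutil.exe",
     "CommandLine": 'ntdsutil.exe "activate instance ntds" "ifm" "create full C:\\Temp\\out" quit quit'},
    {"UtcTime": "2024-02-09 10:01:40", "Computer": "DC01", "User": "CORP\\svc_backup",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c copy C:\\Temp\\out\\Active Directory\\ntds.dit C:\\Temp\\n.dit"},
    {"UtcTime": "2024-02-09 10:05:03", "Computer": "WS07", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\robocopy.exe",
     "CommandLine": "robocopy C:\\data D:\\backup /MIR"},   # benign: 'copy' only inside 'robocopy'
    {"UtcTime": "2024-02-09 11:15:27", "Computer": "DC02", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\ntdsutil.exe",
     "CommandLine": 'ntdsutil "ac i ntds" "ifm" "create full c:\\x" q q'},   # abbreviated form
    {"UtcTime": "2024-02-09 11:20:00", "Computer": "WS07", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\docs\\ntds_migration_notes.txt"},   # benign: 'ntds' but no ntds.dit
]


def classify(cmdline: str):
    """Return a label for the matched pattern, or None when nothing fires."""
    if NTDSUTIL_RE.search(cmdline):
        return "ntdsutil_instance_or_ifm"
    if COPY_RE.search(cmdline):
        return "ntds_dit_copy"
    return None


def aggregate(events):
    """Group matching events by (Computer, User): count, first/last time, labels, commands."""
    stats = {}
    for ev in events:
        label = classify(ev["CommandLine"])
        if label is None:
            continue
        key = (ev["Computer"], ev["User"])
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        entry = stats.setdefault(
            key, {"count": 0, "first": ts, "last": ts, "labels": set(), "commands": []}
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["labels"].add(label)
        entry["commands"].append(ev["CommandLine"])
    return stats


if __name__ == "__main__":
    for (host, user), s in aggregate(SAMPLE_EVENTS).items():
        print(f"{host} {user}: {s['count']} hit(s) {s['first']}..{s['last']} {sorted(s['labels'])}")
```

Aggregating by host and user, as the rule does, is what turns two individually noisy events (an `ntdsutil` IFM export followed a minute later by a `copy` of ntds.dit under the same account) into one finding worth triaging; a single `copy` hit from a backup account may be routine, while the pair in quick succession on a domain controller is not.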
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1003.003
Created: 2024-02-09