
Summary
This detection rule identifies potentially malicious access to, or attempts to copy, the Active Directory domain database file 'ntds.dit'. Adversaries target this file to harvest credential material and to inventory domain members, including users, devices, and their access rights. The detection logic is written for execution in a Splunk environment and captures the Windows Event IDs that record PowerShell activity. It applies a regular expression to isolate process activity that references 'ntds.dit', which can indicate an unauthorized access attempt. The technique is associated with known threat actor groups such as Mustang Panda and Volt Typhoon. This detection falls under the Credential Access tactic, specifically the OS Credential Dumping (NTDS) technique in the MITRE ATT&CK framework. The rule also collects the relevant event fields, such as time, host, user, and process details, to support thorough log analysis.
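The following Python is an added illustration of the detection logic described above, not the rule's own Splunk search: it scopes to PowerShell logging events and applies a case-insensitive regex for 'ntds.dit', returning the time, host, user and process fields for each hit. The Event IDs (4104 script block logging, 4103 module logging), the field names and the sample events are assumptions constructed for the example.

```python
import re

# Assumed PowerShell logging sources: 4104 = script block logging, 4103 = module logging.
# The rule text does not list its Event IDs; these are an assumption for the example.
POWERSHELL_EVENT_IDS = {"4103", "4104"}

# Case-insensitive match on the domain database filename; the escaped dot
# keeps 'ntdsXdit' from matching while 'NTDS.DIT' still does.
NTDS_RE = re.compile(r"ntds\.dit", re.IGNORECASE)

# Fields that may carry the PowerShell text (constructed names, not a real Splunk schema).
TEXT_FIELDS = ("ScriptBlockText", "Payload", "CommandLine")

# Constructed sample events: two PowerShell hits, one benign PowerShell event,
# and one process-creation event (4688) that is outside this rule's scope.
SAMPLE_EVENTS = [
    {"_time": "2024-02-09T10:15:02Z", "host": "DC01", "user": r"CORP\jdoe", "EventCode": "4104",
     "process": "powershell.exe", "ScriptBlockText": r"Get-Item 'C:\Windows\NTDS\NTDS.DIT'"},
    {"_time": "2024-02-09T10:16:40Z", "host": "WS07", "user": r"CORP\asmith", "EventCode": "4104",
     "process": "pwsh.exe", "ScriptBlockText": "Get-Process | Where-Object CPU -gt 10"},
    {"_time": "2024-02-09T10:17:11Z", "host": "DC01", "user": r"CORP\svc-backup", "EventCode": "4103",
     "process": "powershell.exe", "Payload": r"CommandInvocation(Test-Path): Path='C:\Windows\NTDS\ntds.dit'"},
    {"_time": "2024-02-09T10:18:55Z", "host": "DC02", "user": r"CORP\jdoe", "EventCode": "4688",
     "process": "cmd.exe", "CommandLine": r"dir C:\Windows\NTDS\ntds.dit"},
]


def detect_ntds_access(events):
    """Return one alert record per PowerShell event whose text references ntds.dit."""
    alerts = []
    for ev in events:
        if ev.get("EventCode") not in POWERSHELL_EVENT_IDS:
            continue  # not a PowerShell logging event; other rules cover e.g. 4688
        text = " ".join(str(ev.get(field, "")) for field in TEXT_FIELDS)
        if NTDS_RE.search(text):
            # Keep the fields the rule reports for analyst triage.
            alerts.append({k: ev[k] for k in ("_time", "host", "user", "process")})
    return alerts


if __name__ == "__main__":
    for alert in detect_ntds_access(SAMPLE_EVENTS):
        print(alert)
```

Note that the 4688 sample is deliberately not alerted on: it shows that the rule's PowerShell scoping leaves non-PowerShell references to the file for other coverage.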
Categories
- Endpoint
- Windows
Data Sources
- Process
- Command
- Logon Session
ATT&CK Techniques
- T1003.003
Created: 2024-02-09