
Summary
This detection rule identifies execution of the Windows Backup utility, wbadmin.exe, to recover the NTDS.dit file on a domain controller. NTDS.dit is the Active Directory database and holds the password hashes of every domain account; it is locked while the directory service is running, but accounts holding privileges from groups such as Backup Operators can use wbadmin to back up the file and then restore the copy to a location of their choosing, producing a dump that can be parsed offline for domain credentials.

The query matches process start events in which the process name (or the PE original file name, to catch renamed copies) is wbadmin.exe and the command line carries a recovery argument together with a reference to the NTDS.dit file. It reads the Windows event and endpoint indices populated by integrations such as Microsoft 365 Defender and CrowdStrike, so coverage does not depend on a single sensor.

Key investigation steps are to review the full command line and parent process, establish the privilege level of the executing account, correlate the event with other logs from the same host and account, and evaluate any access to or changes of the NTDS.dit file. Scheduled backups and automated recovery processes can trigger the rule and should be confirmed against change records before being excluded. Recommended response actions include isolating affected systems and revoking unauthorized accounts.
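The following is an added example, not the rule's own query or any vendor code: it re-implements the predicate described above (Windows process start, wbadmin.exe by name or PE original file name, a recovery argument, and ntds.dit in the command line) in Python and runs it over constructed process-creation events. The ECS-style field names, the account and host details, and the set of groups used for privilege enrichment are assumptions made for the example.

```python
"""Added example: the wbadmin/NTDS.dit detection predicate from the rule summary,
run over constructed process-start events. Field names follow the ECS style the
rule description uses; events, accounts and group lists are constructed samples,
not real telemetry."""
import shlex
from dataclasses import dataclass, field

# Groups whose members can legitimately back up and restore NTDS.dit. Used only
# to enrich hits for the "privilege level" investigation step (assumed list).
PRIVILEGED_GROUPS = {"Backup Operators", "Domain Admins", "Administrators"}

# Constructed sample events; a real 4688 / Sysmon EID 1 feed would be mapped to
# these keys by the integration.
SAMPLE_EVENTS = [
    {   # NTDS.dit restored from an earlier backup to a scratch directory: should alert
        "event.type": "start", "host.os.type": "windows",
        "process.name": "wbadmin.exe", "process.pe.original_file_name": "WBADMIN.EXE",
        "process.command_line": (
            "wbadmin start recovery -quiet -version:01/01/2024-00:00 -itemtype:file "
            "-items:c:\\windows\\ntds\\ntds.dit -recoverytarget:c:\\temp -notrestoreacl"),
        "user.name": "svc_backup", "user.groups": ["Backup Operators"],
    },
    {   # Renamed copy of wbadmin.exe; the PE original file name still matches: should alert
        "event.type": "start", "host.os.type": "windows",
        "process.name": "wb.exe", "process.pe.original_file_name": "WBADMIN.EXE",
        "process.command_line": (
            'wb.exe start recovery -version:02/01/2024-22:00 -itemtype:file '
            '-items:"C:\\Windows\\NTDS\\ntds.dit" -recoveryTarget:D:\\ -notRestoreAcl'),
        "user.name": "jdoe", "user.groups": ["Domain Users"],
    },
    {   # Scheduled backup of the NTDS directory: no "recovery" argument, not matched
        "event.type": "start", "host.os.type": "windows",
        "process.name": "wbadmin.exe", "process.pe.original_file_name": "WBADMIN.EXE",
        "process.command_line":
            "wbadmin start backup -backuptarget:E: -include:C:\\Windows\\NTDS -quiet",
        "user.name": "svc_backup", "user.groups": ["Backup Operators"],
    },
    {   # Recovery of an unrelated file: no ntds.dit in the command line, not matched
        "event.type": "start", "host.os.type": "windows",
        "process.name": "wbadmin.exe", "process.pe.original_file_name": "WBADMIN.EXE",
        "process.command_line": (
            "wbadmin start recovery -version:01/01/2024-00:00 -itemtype:file "
            "-items:C:\\Data\\report.docx -recoverytarget:C:\\Restore"),
        "user.name": "jdoe", "user.groups": ["Domain Users"],
    },
    {   # Process end event: the rule only considers process starts, not matched
        "event.type": "end", "host.os.type": "windows",
        "process.name": "wbadmin.exe", "process.pe.original_file_name": "WBADMIN.EXE",
        "process.command_line": "wbadmin start recovery -items:C:\\Windows\\NTDS\\ntds.dit",
        "user.name": "jdoe", "user.groups": ["Domain Users"],
    },
]


@dataclass
class Alert:
    user: str
    process: str
    command_line: str
    privileged_groups: list = field(default_factory=list)


def split_args(command_line: str) -> list:
    # Windows-style tokenising: keep backslashes literal, honour double quotes.
    return shlex.split(command_line, posix=False)


def matches_ntds_wbadmin_recovery(event: dict) -> bool:
    """Mirror of the rule predicate: Windows process start of wbadmin.exe (by
    process name or PE original file name) with a 'recovery' argument and
    'ntds.dit' anywhere in the command line."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    name = (event.get("process.name") or "").lower()
    orig = (event.get("process.pe.original_file_name") or "").lower()
    if "wbadmin.exe" not in (name, orig):
        return False
    cmd = event.get("process.command_line") or ""
    args = [a.lower() for a in split_args(cmd)]
    return "recovery" in args and "ntds.dit" in cmd.lower()


def detect(events: list) -> list:
    """Run the predicate over a batch of events and enrich each hit with the
    privileged groups the executing account holds."""
    alerts = []
    for ev in events:
        if matches_ntds_wbadmin_recovery(ev):
            groups = [g for g in ev.get("user.groups", []) if g in PRIVILEGED_GROUPS]
            alerts.append(Alert(ev["user.name"], ev["process.name"],
                                ev["process.command_line"], groups))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT user={a.user} process={a.process} groups={a.privileged_groups}")
        print(f"  {a.command_line}")
```

Only the first two constructed events produce alerts. The third shows why a scheduled backup, as noted in the false-positive discussion, does not by itself match: the rule keys on the recovery step that lands a readable copy of the database, not on the backup that precedes it. The group enrichment is what an analyst needs first when triaging: a hit from an account in Backup Operators is expected to be checked against backup change records, while a hit from an ordinary domain user with a renamed binary is a much stronger signal.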
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
- Cloud Service
- Sensor Health
ATT&CK Techniques
- T1003
- T1003.002
- T1003.003
- T1006
Created: 2024-06-05