
Summary
This detection rule identifies applications that connect to Active Directory through ADSI (Active Directory Service Interfaces) and create ADSI objects to run LDAP queries, an action that writes to the Active Directory schema cache. Using Sysmon Event Code 11 (FileCreate), it watches for schema cache files created under %LOCALAPPDATA%\Microsoft\Windows\SchCache and %systemroot%\SchCache. The behaviour matters because ransomware and similar threats use the ADSI APIs to enumerate directory information (accounts, groups, computers) that supports unauthorized access and lateral movement within the network. Because legitimate administrative tools populate the same cache, the rule excludes known benign processes such as mmc.exe to limit false positives; other directory-aware applications in a given environment may still need to be tuned out. It integrates with Splunk's threat hunting and incident response capabilities.
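As an added illustration, not the rule's own SPL, the following Python replays the logic described above over a few constructed Sysmon Event ID 11 records: keep FileCreate events whose target sits in one of the two SchCache directories, drop the excluded process (mmc.exe), and group what remains by process image for triage. The field names (EventID, Image, User, TargetFilename) follow Sysmon's FileCreate event; the .sch extension match is an assumption, since the page only names the directories; the sample events are constructed.

```python
"""Added example: the SchCache detection logic replayed over constructed Sysmon Event ID 11 records.

Illustrative Python, not the Splunk rule's SPL. Field names follow Sysmon's FileCreate event;
the sample records below are constructed, not real telemetry.
"""
import re
from collections import defaultdict

# Schema cache files land in %LOCALAPPDATA%\Microsoft\Windows\SchCache or %systemroot%\SchCache.
# Assumption: the cache files carry a .sch extension (the page names only the directories).
SCHCACHE_RE = re.compile(
    r"(?i)(?:\\appdata\\local\\microsoft)?\\windows\\schcache\\[^\\]+\.sch$"
)

# Process names the rule excludes as known benign sources of schema cache writes.
EXCLUDED_IMAGES = {"mmc.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "User": "CORP\\alice",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\ldapenum.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\SchCache\\corp.local.sch"},
    {"EventID": 11, "User": "CORP\\admin",
     "Image": "C:\\Windows\\System32\\mmc.exe",
     "TargetFilename": "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\SchCache\\corp.local.sch"},
    {"EventID": 11, "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\SchCache\\corp.local.sch"},
    {"EventID": 11, "User": "CORP\\alice",
     "Image": "C:\\Program Files\\Editor\\editor.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},
    {"EventID": 1, "User": "CORP\\alice",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\ldapenum.exe",
     "CommandLine": "ldapenum.exe -d corp.local"},
]


def process_name(image):
    """Return the lower-cased file name of a process image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_schcache_write(event):
    """True for a Sysmon FileCreate (ID 11) whose target is a schema cache file."""
    return event.get("EventID") == 11 and bool(
        SCHCACHE_RE.search(event.get("TargetFilename", ""))
    )


def detect(events, excluded=EXCLUDED_IMAGES):
    """Apply the rule: SchCache file creates, minus excluded processes, grouped per process image."""
    hits = defaultdict(lambda: {"count": 0, "users": set(), "files": set()})
    for ev in events:
        if not is_schcache_write(ev):
            continue
        image = ev.get("Image", "")
        if process_name(image) in excluded:
            continue
        rec = hits[image]
        rec["count"] += 1
        rec["users"].add(ev.get("User", ""))
        rec["files"].add(ev["TargetFilename"])
    return dict(hits)


if __name__ == "__main__":
    for image, rec in detect(SAMPLE_EVENTS).items():
        print(f"{image}: {rec['count']} SchCache write(s) by {sorted(rec['users'])}")
```

On the sample data the mmc.exe write and the unrelated notes.txt create drop out, while the ldapenum.exe binary running from a Temp directory and the svchost.exe write to %systemroot%\SchCache both surface for review; the latter shows why per-environment tuning of the exclusion list is still needed.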
Categories
- Endpoint
- Windows
Data Sources
- Pod
- Process
- File
- Windows Registry
ATT&CK Techniques
- T1087.002
- T1087
Created: 2024-11-13