diff --git a/rules/windows/builtin/win_mal_wceaux_dll.yml b/rules/windows/builtin/win_mal_wceaux_dll.yml index 2983b2ba3..433d96d1f 100644 --- a/rules/windows/builtin/win_mal_wceaux_dll.yml +++ b/rules/windows/builtin/win_mal_wceaux_dll.yml @@ -4,6 +4,7 @@ description: Detects wceaux.dll access while WCE pass-the-hash remote command ex author: Thomas Patzke references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html + - https://jpcertcc.github.io/ToolAnalysisResultSheet logsource: product: windows service: security diff --git a/rules/windows/builtin/win_susp_ntdsutil.yml b/rules/windows/builtin/win_susp_ntdsutil.yml new file mode 100644 index 000000000..3b51b167c --- /dev/null +++ b/rules/windows/builtin/win_susp_ntdsutil.yml @@ -0,0 +1,31 @@ +--- +action: global +title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) +description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) +status: experimental +references: + - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm +author: Thomas Patzke +detection: + selection: + CommandLine: '*\ntdsutil.exe *' + condition: selection +falsepositives: + - NTDS maintenance +level: high +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 1 +--- +logsource: + product: windows + service: security + description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' +detection: + selection: + EventID: 4688 + diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/win_susp_sdelete.yml index 06e551953..1e5e8177f 100644 --- a/rules/windows/builtin/win_susp_sdelete.yml +++ b/rules/windows/builtin/win_susp_sdelete.yml 
@@ -3,6 +3,7 @@ status: experimental description: Detects renaming of file while deletion with SDelete tool author: Thomas Patzke references: + - https://jpcertcc.github.io/ToolAnalysisResultSheet - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx logsource: diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml index a04a64b3d..ad2264273 100644 --- a/rules/windows/other/win_tool_psexec.yml +++ b/rules/windows/other/win_tool_psexec.yml @@ -4,6 +4,7 @@ description: Detects PsExec service installation and execution events (service a author: Thomas Patzke references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html + - https://jpcertcc.github.io/ToolAnalysisResultSheet logsource: product: windows detection:
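Review bot: In the new rules/windows/builtin/win_susp_ntdsutil.yml, the selection `CommandLine: '*\ntdsutil.exe *'` misses two common invocations: the trailing space requires at least one argument, so an interactive `ntdsutil.exe` launched with no arguments (the normal way to drive its menu by hand) does not match, and the leading `\` requires a path component, so `ntdsutil` typed bare from a PATH lookup does not match either. Matching the process image in addition to the command line would close both gaps, e.g. an `Image|endswith: '\ntdsutil.exe'` selection for the Sysmon EventID 1 document and the corresponding `NewProcessName` field for the 4688 document, with `condition: 1 of selection*` so either fires. Separately, the key under the security logsource should be `definition:` rather than `description:`; `definition` is the logsource attribute Sigma uses for audit-policy requirement notes, and `description` there is not a recognised logsource field.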
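Review bot: The three reference-only hunks (win_mal_wceaux_dll.yml, win_susp_sdelete.yml, win_tool_psexec.yml) link the ToolAnalysisResultSheet index page, while the new ntdsutil rule links the tool-specific page `https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm`; for consistency and so analysts land on the relevant artefact list directly, consider pointing each rule at its own details page as well. Minor style point in win_susp_sdelete.yml: the new reference is inserted before the existing jpcert.or.jp entry, whereas the other two files append it after; pick one ordering.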