While investigating LDAP filters and attributes, I completely missed "SDFlags" in my Event 1644 logs. When I finally noticed it, the investigation led to nTSecurityDescriptor, attack path discovery, and a high-confidence detection signature.