
Windows AD Replication Request Initiated by User Account

Splunk Security Content

Summary
This detection rule identifies a user account initiating an Active Directory (AD) replication request, behaviour consistent with a DCSync attack. In DCSync, an attacker who holds directory replication rights impersonates a domain controller and asks a real domain controller to replicate directory data, which includes the password hashes of every account in the domain (the krbtgt hash among them). The rule leverages EventCode 4662 (an operation was performed on an object) from the Windows Security Event Log, matching the domain object type together with the replication control-access rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) recorded in the event's Properties field, and excludes the system accounts that replicate legitimately, such as domain controllers synchronising with each other. A remaining match is therefore a user principal exercising a right that normally only domain controllers and Domain or Enterprise Admins hold. Because a successful DCSync requires that privileged access, a hit indicates that an attacker has already escalated and is harvesting credentials for further privilege escalation and domain compromise, so every match should be escalated for investigation. Note that 4662 events are only generated when the Directory Service Access audit subcategory is enabled on the domain controllers and the domain object's SACL audits the replication control-access rights; without both, the rule has no data to match.
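The filtering logic described above, run over constructed 4662 events as an added Python example. This is an illustration written for this page, not the Splunk Security Content rule's own SPL; the event dictionaries are constructed rather than real telemetry, their keys follow the Windows Security log's 4662 field names, and the exclusion list (SYSTEM and machine accounts ending in `$`) is an assumption for illustration. The replication-right and domainDNS class GUIDs are the well-known AD values.

```python
"""Toy DCSync triage over constructed Windows Security 4662 events.

Added illustration for this page; not the Splunk rule's SPL.
The SAMPLE_EVENTS below are constructed, not captured telemetry.
"""
import re
from typing import Dict, List

# Well-known control-access-right GUIDs that grant directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# The domain naming context is a domainDNS object; 4662 records its type either
# as the class name or as the schema class GUID, so accept both spellings.
DOMAIN_OBJECT_TYPES = {"domainDNS", "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"}
CONTROL_ACCESS_MASK = 0x100          # ADS_RIGHT_DS_CONTROL_ACCESS
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)


def replication_rights_in(properties: str) -> List[str]:
    """Names of replication rights found in a 4662 Properties blob, in order."""
    found = []
    for guid in GUID_RE.findall(properties):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name:
            found.append(name)
    return found


def is_expected_replicator(event: Dict[str, str]) -> bool:
    """Assumed allow-list: SYSTEM and machine accounts (DCs) replicate legitimately."""
    if event.get("SubjectUserSid") == "S-1-5-18":
        return True
    return event.get("SubjectUserName", "").endswith("$")


def is_dcsync_candidate(event: Dict[str, str]) -> bool:
    """True when a non-system subject exercised a replication right on the domain object."""
    if str(event.get("EventCode")) != "4662":
        return False
    if event.get("ObjectType") not in DOMAIN_OBJECT_TYPES:
        return False
    # AccessMask is logged as a hex string such as "0x100".
    if int(str(event.get("AccessMask", "0")), 16) != CONTROL_ACCESS_MASK:
        return False
    if not replication_rights_in(event.get("Properties", "")):
        return False
    return not is_expected_replicator(event)


def find_dcsync_candidates(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [e for e in events if is_dcsync_candidate(e)]


# Constructed sample events (not real logs). Only the second one should fire.
SAMPLE_EVENTS = [
    {   # Normal DC-to-DC replication by a machine account: excluded.
        "EventCode": "4662", "SubjectUserName": "DC02$", "SubjectUserSid": "S-1-5-21-1-2-3-1001",
        "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
        "Properties": "Control Access\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    },
    {   # A user principal requesting replication of the domain NC: DCSync candidate.
        "EventCode": "4662", "SubjectUserName": "jdoe", "SubjectUserSid": "S-1-5-21-1-2-3-1105",
        "ObjectType": "domainDNS", "AccessMask": "0x100",
        "Properties": "Control Access\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                      "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    },
    {   # Same user reading a user object with a non-replication right: not a match.
        "EventCode": "4662", "SubjectUserName": "jdoe", "SubjectUserSid": "S-1-5-21-1-2-3-1105",
        "ObjectType": "user", "AccessMask": "0x10",
        "Properties": "Read Property\n{bf967aba-0de6-11d0-a285-00aa003049e2}",
    },
    {   # SYSTEM on the domain object: excluded by the allow-list.
        "EventCode": "4662", "SubjectUserName": "SYSTEM", "SubjectUserSid": "S-1-5-18",
        "ObjectType": "domainDNS", "AccessMask": "0x100",
        "Properties": "Control Access\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    },
]

if __name__ == "__main__":
    for hit in find_dcsync_candidates(SAMPLE_EVENTS):
        print(hit["SubjectUserName"], replication_rights_in(hit["Properties"]))
```

The GUID match is deliberately case-insensitive and tolerant of either object-type spelling, because the two differ between domain controllers and a rule keyed on one form silently misses the other. The `$`-suffix exclusion is a coarse stand-in for a proper allow-list of domain controller accounts; an attacker who has created or compromised a machine account would slip past it, so in production the exclusion should be a list of known DC identities rather than a naming pattern.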
Categories
  • Windows
  • Identity Management
Data Sources
  • Windows Registry
  • User Account
ATT&CK Techniques
  • T1003.006
  • T1003
Created: 2024-12-10