Powerview Add-DomainObjectAcl DCSync AD Extend Right

Summary
This detection rule monitors for unauthorized modifications to Active Directory objects that effectively grant DCSync rights to non-admin users or machine accounts. Such modifications can be made with the PowerView cmdlet `Add-DomainObjectAcl`, which adjusts an object's Access Control List (ACL); a principal holding the replication rights can then impersonate a domain controller and harvest the password hashes of any user or computer in the domain. The rule triggers on Security Event ID 5136, which records changes to the `ntSecurityDescriptor` attribute, combined with the presence of the specific GUIDs that denote DCSync rights. It only considers attempts against DNS objects, filtering out legitimate changes to other Active Directory objects. False positives may arise from legitimate actions such as the creation of new Domain Controller accounts; to reduce these, the detection logic checks for regular user SIDs in the event data.
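The detection logic described above, as an added Python example that is not part of this page or of the Sigma rule itself. It applies the rule's conditions to constructed Event 5136 records: the event must record a change to `ntSecurityDescriptor`, the new value's SDDL must contain object ACEs granting the DCSync extended rights (their GUIDs are Microsoft's fixed values for those rights, not taken from the page), and the grantee must not be a principal expected to hold replication rights. The object-class filter is modelled as `ObjectClass == "domainDNS"` (the domain head object), the expected-trustee set and keying on the "Value Added" operation type are this example's assumptions, and the SDDL parser extracts only the ACE fields the check needs.

```python
import re

# The three extended rights that together allow a principal to pull secrets
# through directory replication (DCSync). GUIDs are Microsoft's fixed values.
DCSYNC_RIGHT_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals that hold replication rights by default: SDDL aliases (ED, DA, EA,
# BA, SY), well-known SIDs and well-known RIDs. Which trustees count as
# "expected" is a tuning decision; this set is an assumption of the example.
EXPECTED_TRUSTEES = {"ED", "DA", "EA", "BA", "SY", "S-1-5-9", "S-1-5-18"}
EXPECTED_RIDS = {"498", "500", "512", "516", "519"}

# Event 5136 OperationType for "Value Added" (%%14675 is "Value Deleted").
# Keying on the add avoids alerting on the removal record of the old descriptor.
VALUE_ADDED = "%%14674"

ACE_RE = re.compile(r"\(([^()]*)\)")


def parse_sddl_aces(sddl):
    """Split an SDDL DACL into (ace_type, rights, object_guid, trustee) tuples.

    ACEs look like (type;flags;rights;object_guid;inherit_guid;trustee);
    only the four fields the detection needs are returned.
    """
    aces = []
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")
        if len(fields) != 6:
            continue  # malformed ACE: skip rather than crash the detector
        ace_type, _flags, rights, obj_guid, _inh_guid, trustee = fields
        aces.append((ace_type.upper(), rights.upper(), obj_guid.lower(), trustee.upper()))
    return aces


def is_expected_trustee(trustee):
    """True for principals that legitimately hold replication rights (assumed set)."""
    if trustee in EXPECTED_TRUSTEES:
        return True
    if trustee.startswith("S-1-5-21-"):
        return trustee.rsplit("-", 1)[-1] in EXPECTED_RIDS
    return False


def detect_dcsync_grants(event):
    """Apply the rule's conditions to one Event 5136 record (dict of field -> value).

    Returns (trustee, right_name) pairs for every DCSync extended right granted
    to a principal outside the expected set.
    """
    if event.get("EventID") != 5136:
        return []
    if event.get("AttributeLDAPDisplayName") != "ntSecurityDescriptor":
        return []
    if event.get("OperationType") != VALUE_ADDED:
        return []
    # Replication rights are granted on the domain head object (class domainDNS);
    # restricting to it is this example's reading of the rule's object filter.
    if event.get("ObjectClass") != "domainDNS":
        return []
    findings = []
    for ace_type, rights, obj_guid, trustee in parse_sddl_aces(event.get("AttributeValue", "")):
        # "OA" = object-specific allow ACE; "CR" = control-access right, which is
        # how extended rights such as the replication rights are granted.
        if ace_type != "OA" or "CR" not in rights:
            continue
        right_name = DCSYNC_RIGHT_GUIDS.get(obj_guid)
        if right_name is None or is_expected_trustee(trustee):
            continue
        findings.append((trustee, right_name))
    return findings


def scan_events(events):
    """Run the detection over a batch of events and collect all findings."""
    return [finding for event in events for finding in detect_dcsync_grants(event)]


# Constructed sample events (not real telemetry).
SUSPECT_SID = "S-1-5-21-1111-2222-3333-1105"  # an ordinary domain user
COMMON = {"EventID": 5136, "AttributeLDAPDisplayName": "ntSecurityDescriptor",
          "SubjectUserSid": "S-1-5-21-1111-2222-3333-1104"}
SAMPLE_EVENTS = [
    # 1: the domain DACL now grants all three replication rights to a plain user
    {**COMMON, "OperationType": VALUE_ADDED, "ObjectClass": "domainDNS",
     "ObjectDN": "DC=corp,DC=example",
     "AttributeValue": ("O:DAG:DAD:(A;;RPWPCRLCLOCCRCWDWOSW;;;DA)"
                        "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
                        f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{SUSPECT_SID})"
                        f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{SUSPECT_SID})"
                        f"(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;{SUSPECT_SID})")},
    # 2: the paired "Value Deleted" record for the old descriptor: must not alert
    {**COMMON, "OperationType": "%%14675", "ObjectClass": "domainDNS",
     "ObjectDN": "DC=corp,DC=example",
     "AttributeValue": "O:DAG:DAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"},
    # 3: replication right held only by Enterprise Domain Controllers: benign
    {**COMMON, "OperationType": VALUE_ADDED, "ObjectClass": "domainDNS",
     "ObjectDN": "DC=corp,DC=example",
     "AttributeValue": "O:DAG:DAD:(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)"},
    # 4: descriptor change on a user object, not the domain head: out of scope
    {**COMMON, "OperationType": VALUE_ADDED, "ObjectClass": "user",
     "ObjectDN": "CN=jdoe,CN=Users,DC=corp,DC=example",
     "AttributeValue": f"O:DAG:DAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{SUSPECT_SID})"},
]

if __name__ == "__main__":
    for trustee, right in scan_events(SAMPLE_EVENTS):
        print(f"DCSync right {right} granted to {trustee}")
```

Only the first sample event produces findings, one per replication right granted to the user SID; the deletion record, the grant to Enterprise Domain Controllers and the change on a non-domain object are all filtered out. Real descriptors can also confer DCSync through broader rights (for example GenericAll), which this GUID-based check deliberately does not cover, matching the rule's scope.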
Categories
  • Endpoint
  • Windows
  • Cloud
  • Infrastructure
Data Sources
  • Windows Registry
  • Process
  • Active Directory
Created: 2019-04-03