
Windows AD Replication Request Initiated from Unsanctioned Location
Splunk Security Content
Summary
This analytic identifies Active Directory (AD) replication requests that originate from hosts not sanctioned to replicate within the domain. It is built on Windows Security Event Log entries with Event Code 4662 ("An operation was performed on an object"), which records access to a directory object whenever the object's SACL asks for that access to be audited. The search keeps 4662 events in which a handle was opened on the domainDNS object (the head of the domain naming context) with a control-access check against the replication extended rights, in particular 'Replicating Directory Changes All', and then discards requests whose source IP address belongs to a known domain controller. What remains are candidate DCSync attacks: an adversary holding an account with replication rights (a Domain Admin, or any principal explicitly granted those rights on the domain object) impersonates a domain controller, asks a real one for directory changes, and receives the NTLM hashes and Kerberos keys of every account, including krbtgt. Detecting unsanctioned replication requests is critical because a successful DCSync yields credential material for the whole domain and leads directly to full domain compromise.

Two practical notes: Event 4662 is only generated when Directory Service Access auditing is enabled and the domain object's SACL covers the replication rights, so confirm the audit policy before relying on this search; and legitimate non-DC replicators, such as a Microsoft Entra Connect (Azure AD Connect) server performing password hash synchronisation, must be added to the sanctioned source list or they will trigger this rule.
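The detection logic described above, as an added worked example rather than Splunk's own SPL: it runs over a handful of constructed Security events and flags replication-rights access to the domainDNS object from any source IP outside an allow-list of domain controllers. Because Event 4662 carries no network address, this example assumes the source IP is obtained by correlating the 4662 SubjectLogonId with the TargetLogonId of the matching 4624 logon event; the event dictionaries, host names, IP addresses and logon IDs are all invented for the illustration.

```python
"""DCSync-style replication detection over constructed Windows Security events.

Added example; not Splunk's SPL. The 4624-by-logon-ID correlation used to
recover a source IP for each 4662 event is an assumption of this example.
"""
from dataclasses import dataclass, field

# Schema GUID of the domainDNS object class (the domain naming context head).
DOMAIN_DNS_CLASS = "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"

# Extended rights that allow pulling directory changes; DCSync needs these.
REPLICATION_RIGHTS = {
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}": "Replicating Directory Changes",
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}": "Replicating Directory Changes All",
    "{89e95b76-444d-4c62-991a-0facbeda640c}": "Replicating Directory Changes In Filtered Set",
}

# ADS_RIGHT_DS_CONTROL_ACCESS: the AccessMask 4662 logs for extended-right checks.
CONTROL_ACCESS_MASK = 0x100


@dataclass
class Alert:
    user: str
    logon_id: str
    src_ip: str
    rights: list = field(default_factory=list)


def replication_rights_in(properties: str) -> list:
    """Return the replication right names whose GUIDs appear in a 4662 Properties field."""
    props = properties.lower()  # 4662 renders GUIDs in mixed case
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def detect_unsanctioned_replication(events, sanctioned_ips):
    """Flag replication-rights access to domainDNS from IPs outside sanctioned_ips."""
    # Assumption: recover the source address from the 4624 logon that created the session.
    logon_ip = {e["TargetLogonId"]: e["IpAddress"] for e in events if e["EventCode"] == 4624}
    alerts = []
    for e in events:
        if e["EventCode"] != 4662 or e["ObjectType"].lower() != DOMAIN_DNS_CLASS:
            continue
        if int(e["AccessMask"], 16) & CONTROL_ACCESS_MASK == 0:
            continue  # not an extended-right check, so not a replication request
        rights = replication_rights_in(e["Properties"])
        if not rights:
            continue  # some other extended right on the domain object
        src_ip = logon_ip.get(e["SubjectLogonId"], "unknown")  # unmatched sessions still alert
        if src_ip in sanctioned_ips:
            continue  # known DC (or allow-listed sync server) replicating legitimately
        alerts.append(Alert(e["SubjectUserName"], e["SubjectLogonId"], src_ip, rights))
    return alerts


# Constructed sample data: two DCs, one Entra Connect server, one workstation.
SANCTIONED_DC_IPS = {"10.0.0.10", "10.0.0.11", "10.0.0.20"}  # 10.0.0.20 = sync server allow-listed
DCSYNC_PROPS = "Control Access {1131F6AA-9C07-11D1-F79F-00C04FC2DCD2} {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"
OTHER_PROPS = "Control Access {E2A36DC9-AE17-47C3-B58B-BE34C55BA633}"  # not a replication right

SAMPLE_EVENTS = [
    # DC02 replicating from DC01: legitimate, source is a sanctioned DC.
    {"EventCode": 4624, "TargetUserName": "DC02$", "TargetLogonId": "0x3e7a1", "IpAddress": "10.0.0.11"},
    {"EventCode": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x3e7a1",
     "ObjectType": DOMAIN_DNS_CLASS, "AccessMask": "0x100", "Properties": DCSYNC_PROPS},
    # Entra Connect sync account from the allow-listed server: suppressed.
    {"EventCode": 4624, "TargetUserName": "MSOL_sync", "TargetLogonId": "0x7ff12", "IpAddress": "10.0.0.20"},
    {"EventCode": 4662, "SubjectUserName": "MSOL_sync", "SubjectLogonId": "0x7ff12",
     "ObjectType": DOMAIN_DNS_CLASS, "AccessMask": "0x100", "Properties": DCSYNC_PROPS},
    # User session from a workstation.
    {"EventCode": 4624, "TargetUserName": "jdoe", "TargetLogonId": "0x5b2c9", "IpAddress": "10.0.0.50"},
    # Same session touching a different extended right: not replication, no alert.
    {"EventCode": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x5b2c9",
     "ObjectType": DOMAIN_DNS_CLASS, "AccessMask": "0x100", "Properties": OTHER_PROPS},
    # DCSync from the workstation: this is the one that should fire.
    {"EventCode": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x5b2c9",
     "ObjectType": DOMAIN_DNS_CLASS, "AccessMask": "0x100", "Properties": DCSYNC_PROPS},
]

if __name__ == "__main__":
    for a in detect_unsanctioned_replication(SAMPLE_EVENTS, SANCTIONED_DC_IPS):
        print(f"ALERT {a.user} (logon {a.logon_id}) from {a.src_ip}: {', '.join(a.rights)}")
```

The three filters mirror the summary: object class domainDNS, an extended-right access check (AccessMask 0x100), and a replication GUID in Properties; only then is the source compared with the allow-list. A 4662 whose logon ID has no matching 4624 is reported with source "unknown" rather than dropped, since a missing logon record is itself worth a look.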
Categories
- Windows
- Endpoint
- Identity Management
Data Sources
- Windows Event Log Security 4662
ATT&CK Techniques
- T1003.006 (OS Credential Dumping: DCSync)
- T1003 (OS Credential Dumping)
Created: 2024-12-10