Potential Active Directory Replication Account Backdoor

Elastic Detection Rules

Summary
This detection rule identifies modifications to the nTSecurityDescriptor attribute of Active Directory domain objects, which can indicate an attempt to plant a backdoor for credential harvesting by granting DCSync rights. DCSync abuse lets an attacker retrieve user and computer account hashes through the directory replication protocol without direct access to the domain controllers, so reviewing these permission changes is critical. The rule specifically targets event code 5136 (directory service object modified) changes whose new security descriptor references the specific GUIDs associated with replication permissions. Its purpose is to flag behavior that could signify an attacker preparing to exploit Active Directory to regain or expand credential access.
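To make the detection logic concrete, the following is an added example (not the Elastic rule's own query and not code from the project) that runs the same check over constructed 5136 event records. It parses the SDDL string that a 5136 event reports as the new nTSecurityDescriptor value, and flags object ACEs that grant control access (CR) on one of the replication extended rights. The three GUIDs are the documented AD control-access rights DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set; the event field names, the sample SIDs and the allowlist of trustees that legitimately hold these rights are assumptions for this example, not values from the page.

```python
import re
from dataclasses import dataclass

# Well-known Active Directory extended-right GUIDs that together grant directory
# replication ("DCSync") rights. These are documented AD control-access rights,
# not values taken from the rule page itself.
REPLICATION_RIGHT_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Trustees that hold replication rights in a healthy domain by default
# (SDDL aliases: ED = Enterprise Domain Controllers, DA/EA = Domain/Enterprise
# Admins, BA = Builtin Administrators, SY = SYSTEM). Assumption for this
# example: a tuning allowlist to reduce noise, not part of the rule.
DEFAULT_TRUSTEES = {"ED", "DA", "EA", "BA", "SY", "S-1-5-9"}

# Each SDDL ACE is a parenthesised, semicolon-separated tuple:
# (ace_type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass(frozen=True)
class Finding:
    object_dn: str
    trustee: str
    right: str


def replication_aces(sddl: str):
    """Yield (trustee, right_name) for every object ACE in an SDDL string that
    grants control access (CR) on one of the replication extended rights."""
    for ace in ACE_RE.findall(sddl):
        parts = ace.split(";")
        if len(parts) < 6:
            continue
        ace_type, _flags, rights, object_guid, _inherit_guid, trustee = parts[:6]
        # Only "access allowed object" ACEs carry an extended-right GUID.
        if ace_type != "OA" or "CR" not in rights:
            continue
        name = REPLICATION_RIGHT_GUIDS.get(object_guid.lower())
        if name:
            yield trustee, name


def evaluate_5136(event: dict):
    """Return the Findings for one directory-service-change event record.
    Keys are assumed to mirror the 5136 event data fields (constructed here)."""
    if event.get("EventID") != 5136:
        return []
    # The rule scopes to the domain object itself, not arbitrary objects.
    if event.get("ObjectClass") != "domainDNS":
        return []
    if event.get("AttributeLDAPDisplayName") != "nTSecurityDescriptor":
        return []
    findings = []
    for trustee, right in replication_aces(event.get("AttributeValue", "")):
        if trustee in DEFAULT_TRUSTEES:
            continue  # expected default holder of replication rights
        findings.append(Finding(event.get("ObjectDN", "?"), trustee, right))
    return findings


def scan(events):
    """Run the check over a list of event records and return all Findings."""
    return [f for e in events for f in evaluate_5136(e)]


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    # Benign: GenericRead granted to a group on the domain object.
    {"EventID": 5136, "ObjectClass": "domainDNS", "ObjectDN": "DC=corp,DC=example",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "AttributeValue": "O:DAG:DAD:(A;;GR;;;S-1-5-21-1111-2222-3333-1105)"},
    # Suspicious: replication rights granted to a plain domain principal; the
    # trailing ACE for Enterprise Domain Controllers (ED) is expected and ignored.
    {"EventID": 5136, "ObjectClass": "domainDNS", "ObjectDN": "DC=corp,DC=example",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "AttributeValue": "O:DAG:DAD:"
                       "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1105)"
                       "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1105)"
                       "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"},
    # Out of scope: the same ACE on a user object is not what this rule covers.
    {"EventID": 5136, "ObjectClass": "user", "ObjectDN": "CN=svc,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "AttributeValue": "O:DAG:DAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111-2222-3333-1105)"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.object_dn}: {finding.trustee} granted {finding.right}")
```

Running the module prints two findings, both for the SID `S-1-5-21-1111-2222-3333-1105` on `DC=corp,DC=example`. The trustee allowlist is the part a practitioner will tune: the domain object's default descriptor already grants these rights to domain controllers and administrative groups, so matching on the raw GUIDs alone produces hits on every routine descriptor rewrite, while filtering to unexpected trustees keeps the alert focused on new grants.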
Categories
  • Windows
  • Cloud
  • Infrastructure
  • Identity Management
Data Sources
  • Active Directory
  • Windows Registry
  • Logon Session
ATT&CK Techniques
  • T1003
  • T1003.006
Created: 2024-07-10