
Summary
The Mimikatz DC Sync detection rule is designed to identify unauthorized use of Active Directory Domain Controller (DC) replication features, specifically through the Mimikatz tool. It leverages Windows Security event log entries with Event ID 4662, which is generated when specific access rights are requested on a directory object. The rule matches the properties recorded in these events, in particular the replicating directory changes rights, which are indicative of a DC Sync attack. To minimize false positives, the rule incorporates filters that exclude legitimate replication activity, particularly that of Azure AD Connect and Domain Admin accounts. The severity level for this rule is set to high because of the critical nature of unauthorized access to Active Directory information.
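The logic summarized above, applied to a few constructed Event ID 4662 records as an added example (this is not the rule's own code or the Sigma rule text). The replication extended-rights GUIDs and the exclusion patterns (the `MSOL_`/`AAD_` prefixes of Azure AD Connect sync accounts, trailing `$` for machine accounts, and a tuned admin-account list) are assumptions of this example; check them against the actual rule and your environment before relying on them.

```python
# Added example: apply the DC Sync detection logic to Windows Security events
# represented as dicts. Not the rule's own code; identifiers below are assumptions.

# Extended-rights GUIDs that appear in the Properties field of a 4662 event when
# AD replication rights are exercised (assumption: these are the "replicating
# directory changes" properties the rule refers to).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Some log pipelines resolve the GUIDs to display names; match those as well.
REPLICATION_NAMES = {"replicating directory changes"}  # prefix of all three names

# Exclusions (assumptions for this example): Azure AD Connect sync accounts,
# machine accounts (domain controllers replicate with each other legitimately),
# and an explicitly tuned list of administrative accounts.
AZURE_AD_CONNECT_PREFIXES = ("MSOL_", "AAD_")
KNOWN_ADMIN_ACCOUNTS = {"da-backup"}


def requested_rights(properties: str) -> list:
    """Return the replication rights named in a 4662 Properties field, sorted."""
    text = properties.lower()
    return sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in text)


def is_replication_property(properties: str) -> bool:
    """True if the Properties field references any replication right."""
    text = properties.lower()
    return bool(requested_rights(text)) or any(n in text for n in REPLICATION_NAMES)


def is_excluded(user: str) -> bool:
    """Filters that suppress legitimate replication activity."""
    if user.endswith("$"):
        return True
    if user.upper().startswith(AZURE_AD_CONNECT_PREFIXES):
        return True
    return user.lower() in KNOWN_ADMIN_ACCOUNTS


def matches_dcsync(event: dict) -> bool:
    """Selection: EventID 4662 with a replication right, minus the exclusions."""
    if event.get("EventID") != 4662:
        return False
    if not is_replication_property(event.get("Properties", "")):
        return False
    return not is_excluded(event.get("SubjectUserName", ""))


def detect(events: list) -> list:
    """Return the events that should raise a high-severity DC Sync alert."""
    return [e for e in events if matches_dcsync(e)]


# Constructed sample events (not real logs); account names and the unrelated
# object GUID are placeholders.
SAMPLE_EVENTS = [
    {   # Azure AD Connect sync account: legitimate, excluded by prefix
        "EventID": 4662, "SubjectUserName": "MSOL_1a2b3c4d5e6f", "SubjectDomainName": "CORP",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # Domain controller machine account: DC-to-DC replication, excluded
        "EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
        "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # Ordinary user requesting both replication rights: this is the DC Sync pattern
        "EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
        "Properties": "Control Access\n\t\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
                      "\n\t\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # Same user, unrelated object access (placeholder GUID): not replication
        "EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
        "Properties": "{00000000-0000-0000-0000-000000000000}",
    },
    {   # Different event type entirely
        "EventID": 4624, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
    },
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["SubjectDomainName"], alert["SubjectUserName"],
              requested_rights(alert["Properties"]))
```

Only the third event is reported; the two legitimate replication sources are dropped by the exclusion filters, and the remaining events do not carry a replication right at all. When tuning, treat the exclusion list as the risky part: an attacker who obtains an excluded account's credentials is invisible to this rule, so keep it as narrow as the environment allows.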
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Logon Session
- Active Directory
- Process
Created: 2018-06-03