
Summary
This detection rule identifies an unusually high volume of DRSGetNCChanges requests made to a Windows Domain Controller, a potential indicator of DCSync, a credential-harvesting technique against Active Directory. In DCSync an attacker who controls an account holding the directory replication control access rights (by default domain controllers, Domain Admins and Enterprise Admins) impersonates a domain controller and asks a real one, through the Directory Replication Service (DRSUAPI) call IDL_DRSGetNCChanges, to replicate directory objects, including password hashes. The rule triggers when a host that is not a domain controller (for example a desktop) makes more than 100 DRSGetNCChanges requests within a specified timeframe, identified by the control access right GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes) in the Properties field of Windows Security Event ID 4662; note that pulling secrets also exercises DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2), so a tighter rule matches that GUID as well. The detection only works if Event ID 4662 is actually generated: the Directory Service Access audit subcategory must be enabled on the domain controllers and the domain object must carry a SACL that audits the replication control access rights, otherwise no event is written. Because domain controllers legitimately make these requests to each other, the expected hosts (the known domain controllers) should be allowlisted in the rule, and filtering their events at the forwarding layer keeps event volume manageable. The rule is designed to detect activity associated with the FIN8 group and similar threat actors, and uses Splunk as its logic format for processing Windows event logs.
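The threshold logic described above, replayed over constructed Event ID 4662 records, as an added example that is not the rule's own Splunk logic. It assumes a 30-minute window (the page says only "a specified timeframe"), an allowlist of known domain controllers, and a Host field that an upstream pipeline has already resolved to the requesting host: a raw 4662 event names the domain controller that logged it, not the requester, so that attribution has to come from elsewhere (a logon session or the RPC network traffic). Host names, user names and timestamps are constructed.

```python
"""DCSync threshold detection over Windows Security Event 4662 (added example, not the page's rule).

A (host, user) pair that issues more than THRESHOLD replication requests inside any
WINDOW-long span is reported; hosts in KNOWN_DCS are allowlisted as legitimate replication.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Control access right GUIDs that appear in the 4662 Properties field.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # GUID named on this page
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # needed to pull secrets
REPLICATION_GUIDS = (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)

THRESHOLD = 100                  # page: "over 100" requests
WINDOW = timedelta(minutes=30)   # assumed window size
KNOWN_DCS = {"DC01", "DC02"}     # assumed allowlist of domain controllers


def is_replication_request(event):
    """True when a 4662 event carries one of the replication control access rights."""
    if event.get("EventID") != 4662:
        return False
    props = event.get("Properties", "").lower()
    return any(guid in props for guid in REPLICATION_GUIDS)


def dcsync_alerts(events, threshold=THRESHOLD, window=WINDOW, known_dcs=KNOWN_DCS):
    """Return {(host, user): peak_count} for non-DC sources exceeding the threshold.

    peak_count is the largest number of replication requests that fall inside any
    single span of length `window` (sliding window over the sorted timestamps).
    """
    buckets = defaultdict(list)
    for event in sorted(events, key=lambda e: e["TimeCreated"]):
        if not is_replication_request(event):
            continue
        if event["Host"].upper() in known_dcs:      # legitimate DC-to-DC replication
            continue
        buckets[(event["Host"], event["SubjectUserName"])].append(event["TimeCreated"])

    alerts = {}
    for key, times in buckets.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:        # drop requests older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[key] = peak
    return alerts


def make_event(ts, host, user, guid):
    """Constructed 4662-style record holding only the fields the detection reads."""
    return {"EventID": 4662, "TimeCreated": ts, "Host": host,
            "SubjectUserName": user, "AccessMask": "0x100", "Properties": "{%s}" % guid}


def sample_events():
    """Constructed sample: one DCSync burst, one slow requester, DC replication, admin noise."""
    t0 = datetime(2024, 3, 21, 9, 0, 0)
    events = []
    # 150 requests from a workstation in five minutes: DCSync, should alert.
    events += [make_event(t0 + timedelta(seconds=2 * i), "WS-FINANCE-07", "CORP\\jdoe",
                          DS_REPLICATION_GET_CHANGES_ALL) for i in range(150)]
    # 120 requests spread two minutes apart: never more than 16 inside one window, no alert.
    events += [make_event(t0 + timedelta(minutes=2 * i), "SLOW-WS", "CORP\\svc_backup",
                          DS_REPLICATION_GET_CHANGES) for i in range(120)]
    # 400 requests from an allowlisted domain controller: legitimate replication.
    events += [make_event(t0 + timedelta(seconds=i), "DC02", "CORP\\DC01$",
                          DS_REPLICATION_GET_CHANGES) for i in range(400)]
    # A few requests from an admin host, below the threshold.
    events += [make_event(t0 + timedelta(seconds=10 * i), "ADMIN-JUMP", "CORP\\admin",
                          DS_REPLICATION_GET_CHANGES) for i in range(20)]
    # An unrelated 4662 event (different GUID) that must be ignored.
    events.append(make_event(t0, "WS-FINANCE-07", "CORP\\jdoe",
                             "bf967aba-0de6-11d0-a285-00aa003049e2"))
    return events


if __name__ == "__main__":
    for (host, user), count in dcsync_alerts(sample_events()).items():
        print(f"ALERT possible DCSync: {user} on {host} made {count} replication requests")
```

The sliding window is what distinguishes a burst from the same total spread over hours, which is why the window length is part of the rule and not just the count. In Splunk the equivalent (assumed field names from the Windows add-on) is roughly a `stats count by host, SubjectUserName` over `EventCode=4662` events whose `Properties` contain the GUID, followed by `where count > 100` and a search-time exclusion of the domain controller host names.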
Categories
- Windows
- Endpoint
- Network
Data Sources
- Windows Registry
- Application Log
- Logon Session
ATT&CK Techniques
- T1003.006
Created: 2024-03-21