Hunting for DCSync Attacks

When to Use

- When hunting for DCSync credential theft (MITRE ATT&CK T1003.006)
- After detecting Mimikatz or similar tools in the environment
- During incident response involving Active Directory compromise
- When monitoring for unauthorized domain replication requests
- During purple team exercises testing AD attack detection

Prerequisites

- Windows Security Event Log forwarding enabled (Event ID 4662)
- Audit Directory Service Access enabled via Group Policy
- Domain Computers SACL configured on Domain Object for machine account detection
- SIEM with Windows even…
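
With the Event ID 4662 prerequisites above in place, the core hunt is a filter for replication control access rights requested by accounts that are not expected to replicate. The sketch below is an added example, not code from the original page; the JSON-style field names, the `DC01$`/`DC02$` allowlist and the sample events are assumptions constructed for illustration, while the GUIDs are the Active Directory schema's replication extended rights.

```python
import re

# Control access right GUIDs that gate directory replication (AD schema values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})")
CONTROL_ACCESS = 0x100  # 4662 AccessMask bit for extended (control access) rights
# Assumption: accounts expected to replicate (DC machine accounts, sync services).
ALLOWED_REPLICATORS = {"dc01$", "dc02$"}

def replication_rights(event):
    """Return the replication rights named in a 4662 event's Properties field."""
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)

def hunt_dcsync(events, allowed=ALLOWED_REPLICATORS):
    """Return findings for 4662 events where a non-allowlisted account replicates."""
    findings = []
    for ev in events:
        if str(ev.get("EventID")) != "4662":
            continue
        if not int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS:
            continue
        rights = replication_rights(ev)
        account = ev.get("SubjectUserName", "").lower()
        if rights and account not in allowed:
            findings.append({"account": account, "rights": rights, "time": ev.get("TimeCreated")})
    return findings

# Constructed sample events (hypothetical accounts, not from a real environment).
GC, GCA = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
DOMAIN_DNS = "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"  # domainDNS object class
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "T1", "SubjectUserName": "DC01$", "AccessMask": "0x100", "Properties": f"%%7688 {GC} {GCA} {DOMAIN_DNS}"},
    {"EventID": 4662, "TimeCreated": "T2", "SubjectUserName": "svc_backup", "AccessMask": "0x100", "Properties": f"%%7688 {GC} {GCA} {DOMAIN_DNS}"},
    {"EventID": 4662, "TimeCreated": "T3", "SubjectUserName": "WKSTN07$", "AccessMask": "0x100", "Properties": f"%%7688 {GCA.upper()} {DOMAIN_DNS}"},
    {"EventID": 4662, "TimeCreated": "T4", "SubjectUserName": "jdoe", "AccessMask": "0x10", "Properties": f"%%7684 {DOMAIN_DNS}"},
    {"EventID": 4624, "TimeCreated": "T5", "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    for finding in hunt_dcsync(SAMPLE_EVENTS):
        print(finding)
```

The non-DC machine account `WKSTN07$` is only visible if the Domain Computers SACL from the prerequisites is configured; without it, no 4662 event is generated for that account.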