Detection rules › By eventMicrosoft-Windows-Security-Auditing event 466217 detection rules reference this event. View event page.Sigma (7)Active Directory Replication from Non Machine Account severity critical T1003.006 AD Object WriteDAC Access severity critical T1222.001 DPAPI Domain Backup Key Extraction severity high T1003.004 Mimikatz DC Sync severity high T1003.006 Potential AD User Enumeration From Non-Machine Account severity medium T1087.002 Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation severity high T1557.003 WMI Persistence - Security severity medium T1546.003 Elastic (5)Access to a Sensitive LDAP Attribute T1003, T1078, T1078.002, T1213, T1552, T1552.004 FirstTime Seen Account Performing DCSync T1003, T1003.006, T1078, T1078.002 Potential Credential Access via DCSync T1003, T1003.006, T1078, T1078.002 Potential Kerberos Coercion via DNS-Based SPN Spoofing T1187, T1557, T1557.001 Suspicious Access to LDAP Attributes T1069, T1069.002, T1087, T1087.002, T1482 Splunk (5)Windows AD Abnormal Object Access Activity T1087.002 Windows AD Privileged Object Access Activity T1087.002 Windows AD Replication Request Initiated by User Account T1003.006 Windows AD Replication Request Initiated from Unsanctioned Location T1003.006 Windows Kerberos Coercion via DNS T1071.004, T1187, T1557.001