A Detection Researcher Mindset — DCSYNC T1003.006
ID: 46e8f9ac-322c-5b32-a26b-d6651973ab02
STIX ID: report--46e8f9ac-322c-5b32-a26b-d6651973ab02
Feed Name: Detect FYI
**Executive summary:** This document explains the DCSync technique in Active Directory. It describes normal domain controller replication behavior and how to distinguish legitimate from suspicious DCSync activity (legitimate activity should originate from domain controllers). It emphasizes that very high privileges (domain admin / extended rights) are required, and it recommends limiting the accounts and systems that hold those rights to reduce risk.
