drop domain controller event log · detect drsuapi getncchanges replication abuse
flags non-DC accounts with replication rights · bulk GetNCChanges clusters · off-hours DCSync-style 4662 bursts
heuristic screener · 4662 property parsing varies by export schema, so matching is on replication-right GUID/name only · flags are indicators for triage, not definitive proof
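As an added worked example (not part of the original screener), the three heuristics above run over constructed 4662 records: the `key=value;` export format, its field names and the account names are assumptions, while the replication-right GUIDs are the well-known Active Directory extended-right values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Well-known extended-right GUIDs a GetNCChanges caller needs (DCSync-style).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "ds-replication-get-changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "ds-replication-get-changes-all",
    "89e95b76-444d-4c62-991a-0facbeda640c": "ds-replication-get-changes-in-filtered-set",
}
# Constructed 4662 records in a hypothetical "key=value;" export (not a real log).
SAMPLE = [
    "ts=2024-03-02T02:14:05;id=4662;subject=CORP\\svc-backup;props={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    "ts=2024-03-02T02:14:06;id=4662;subject=CORP\\svc-backup;props={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "ts=2024-03-02T02:14:09;id=4662;subject=CORP\\svc-backup;props=DS-Replication-Get-Changes-In-Filtered-Set",
    "ts=2024-03-02T02:15:00;id=4662;subject=CORP\\DC02$;props={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "ts=2024-03-02T10:05:00;id=4662;subject=CORP\\jdoe;props={bf967aba-0de6-11d0-a285-00aa003049e2}",
]
DC_ACCOUNTS = {"CORP\\DC01$", "CORP\\DC02$"}  # known DC computer accounts, uppercase

def parse_4662(line):
    # One record -> dict; only the timestamp needs real parsing.
    rec = dict(p.split("=", 1) for p in line.split(";") if "=" in p)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def repl_rights_in(props):
    # Exact-token match on GUID or right name, so the export schema does not matter.
    tokens = set(re.split(r"[\s{},;]+", props.lower()))
    return {n for g, n in REPL_RIGHTS.items() if g in tokens or n in tokens}

def screen(lines, dc_accounts, window_s=60, min_cluster=3, work_hours=(8, 18)):
    # Heuristics: non-DC subject + replication right, bulk cluster, off-hours burst.
    by_subject = defaultdict(list)
    for ev in map(parse_4662, lines):
        if ev["id"] != "4662" or ev["subject"].upper() in dc_accounts:
            continue
        rights = repl_rights_in(ev["props"])
        if rights:
            by_subject[ev["subject"]].append((ev["ts"], rights))
    findings = []
    for subject, evs in by_subject.items():
        evs.sort(key=lambda e: e[0])
        span = (evs[-1][0] - evs[0][0]).total_seconds()
        findings.append({"subject": subject, "count": len(evs),
            "bulk": len(evs) >= min_cluster and span <= window_s,
            "off_hours": any(not work_hours[0] <= ts.hour < work_hours[1] for ts, _ in evs),
            "rights": sorted(set().union(*(r for _, r in evs)))})
    return findings
```

Each finding is a triage lead only: a legitimate non-DC account (e.g. an Azure AD Connect or backup service account) with replication rights will also be flagged and must be allow-listed after review.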