What defense recommendations are provided to detect or prevent DCSync attacks?
The primary recommendation is to monitor Windows Event ID 4662, which logs directory service object accesses. Because DCSync requires high privileges (membership in Administrators, Domain Admins, or Enterprise Admins, or a domain controller computer account), limiting membership in these groups and auditing them is critical. Additionally, restrict replication rights to only the accounts that need them. For more on DCSync exploitation and detection, refer to the Domain Penetration - DCSync article.
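As an added example (not from the referenced article), the following detection logic applies the recommendation above to a handful of constructed 4662 records: it keeps only control-access (0x100) events whose Properties field names one of the DS-Replication-Get-Changes extended-right GUIDs, then suppresses domain controller computer accounts (assumed here to be identifiable by a trailing `$`) and an optional allowlist of approved replication accounts. The event dicts, the account names and the allowlist parameter are assumptions made for the example.

```python
import re
from typing import Dict, Iterable, List

# Control-access-right GUIDs a DCSync requester needs on the domain object
# (the DS-Replication-Get-Changes* extended rights from the AD schema).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
CONTROL_ACCESS = "0x100"  # Access Mask value for an extended (control) right

# Constructed sample 4662 events, reduced to the fields the check needs.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},  # DC replicating: expected
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},  # user account replicating: alert
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},  # non-replication right: ignore
    {"EventID": 4624, "SubjectUserName": "jdoe", "AccessMask": "",
     "Properties": ""},                                          # not a 4662 at all
]

def is_expected_replicator(account: str, allowlist: Iterable[str] = ()) -> bool:
    """DC computer accounts (trailing '$') and approved accounts replicate legitimately."""
    return account.endswith("$") or account in set(allowlist)

def detect_dcsync(events, allowlist: Iterable[str] = ()) -> List[Dict[str, object]]:
    """Return one alert per 4662 event where a non-DC principal used a replication right."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("AccessMask") != CONTROL_ACCESS:
            continue
        guids = set(GUID_RE.findall(str(ev.get("Properties", "")).lower()))
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)
        if not rights:
            continue
        account = str(ev["SubjectUserName"])
        if is_expected_replicator(account, allowlist):
            continue
        alerts.append({"account": account, "rights": rights})
    return alerts

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(f"ALERT possible DCSync: {a['account']} used {', '.join(a['rights'])}")
```

Event 4662 is only generated when Directory Service Access auditing is enabled and the domain object carries a SACL covering these rights, so verify that audit configuration before relying on this check.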
Tags: DCSync defense, Event ID 4662, monitoring, replication rights, audit