
Summary
This detection rule targets the Active Directory (AD) environment, specifically focusing on an important event related to the addition of access-control lists (ACLs) that are necessary for executing a DCShadow attack. The DCShadow technique enables adversaries to impersonate a Domain Controller (DC) and modify AD objects, including privileges, without detection. The rule identifies event ID 5136 from the Windows Security log, which indicates when an ACL is modified, particularly tracking changes to the 'domainDNS' object class. The search uses several field extractions and lookups, analyzes the changes in extended rights associated with AD objects, and checks whether specific rights related to replication and control access are granted. The rule aims to surface potentially malicious modifications to the AD environment, improving visibility into unauthorized privilege escalations that might facilitate persistence.
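As an added illustration of the check the summary describes (not the rule's own SPL), the following Python parses the SDDL value that a 5136 event carries for an nTSecurityDescriptor change on a domainDNS object and reports which principals were granted replication-related extended rights. The event dictionary and the SIDs in it are constructed; the extended-right GUIDs are the well-known AD schema values, and the allow-list of built-in principals is an assumption to be tuned per environment.

```python
import re
from typing import Dict, List, Tuple

# Well-known AD extended-right GUIDs tied to replication. The page lists no
# GUIDs; these come from the AD schema (constants, not page-specific values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Synchronize",
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Manage-Topology",
    "9923a32a-3607-11d2-b9be-0000f87a36b2": "DS-Install-Replica",
}
# Assumed allow-list: principals that legitimately hold replication rights.
BUILTIN_OK = {"ED", "DA", "EA", "SY"}
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # bit behind the "CR" SDDL code

ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl_aces(sddl: str) -> List[Tuple[str, ...]]:
    """Return the DACL ACEs of an SDDL string as tuples of their ';' fields."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]          # drop the SACL, if present
    return [tuple(m.group(1).split(";")) for m in ACE_RE.finditer(dacl)]

def grants_control_access(rights: str) -> bool:
    """True if the ACE rights field carries the control-access right."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & ADS_RIGHT_DS_CONTROL_ACCESS)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return "CR" in codes

def find_replication_grants(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag (SID, right) pairs newly present on a domainDNS object's DACL."""
    if event.get("ObjectClass") != "domainDNS":
        return []
    if event.get("AttributeLDAPDisplayName") != "nTSecurityDescriptor":
        return []
    hits = []
    for ace in parse_dacl_aces(event.get("AttributeValue", "")):
        if len(ace) < 6 or ace[0] != "OA":   # object-specific allow ACEs only
            continue
        rights, obj_guid, sid = ace[2], ace[3].lower(), ace[5]
        if sid in BUILTIN_OK or obj_guid not in REPLICATION_RIGHTS:
            continue
        if grants_control_access(rights):
            hits.append((sid, REPLICATION_RIGHTS[obj_guid]))
    return hits

# Constructed 5136 event: one non-built-in SID gains two replication rights.
SAMPLE_EVENT = {
    "EventCode": "5136", "OperationType": "%%14674", "ObjectClass": "domainDNS",
    "ObjectDN": "DC=corp,DC=example", "AttributeLDAPDisplayName": "nTSecurityDescriptor",
    "AttributeValue": ("O:DAG:DAD:PAI(A;;RPLCLORC;;;AU)"
        "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
        "(OA;;CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
        "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"),
}
```

Running `find_replication_grants(SAMPLE_EVENT)` returns the two grants to the constructed user SID and ignores the Enterprise Domain Controllers (ED) entry.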
Categories
- Windows
- Identity Management
- Endpoint
Data Sources
- Windows Registry
- Active Directory
ATT&CK Techniques
- T1484
- T1207
- T1222.001
Created: 2025-01-21