
Creation of a DNS-Named Record

Elastic Detection Rules

Summary
This detection rule monitors for the creation of DNS records in Active Directory Integrated DNS (ADIDNS). By default, ADIDNS grants 'Authenticated Users' the right to create new records, which leaves it susceptible to Dynamic Spoofing attacks: any domain user can register a record that redirects traffic to an attacker-controlled host, an adversary-in-the-middle technique (ATT&CK T1557). The rule identifies Directory Service Changes events for the creation of a directory object (event code 5137) where the created object is a DNS node, and excludes legitimate system accounts so that routine record registration does not trigger alerts. It requires the 'Audit Directory Service Changes' policy to be enabled for both success and failure outcomes on the domain controllers; without it, no 5137 events are generated for the rule to evaluate. The rule also stresses the importance of a robust security posture around Active Directory and suggests investigative procedures and remediation actions for any detected activity.
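The detection logic described above, as an added example that re-implements it in Python over constructed Windows Security events; this is not the Elastic rule's own query. The field names (EventID, ObjectClass, ObjectDN, SubjectUserName) follow the schema of Windows event 5137; the sample events, the exclusion of accounts whose name ends in '$' (computer accounts registering their own records) and the record/zone extraction from the dnsNode DN are assumptions for this example and may differ from the real rule's exclusion list.

```python
"""Added example: minimal re-implementation of a 'DNS node created in ADIDNS' detection.

Not the Elastic rule's own query. Events below are constructed for this example and
mirror the fields of Windows Security event 5137 (A directory service object was created).
"""
import re
from dataclasses import dataclass

# Assumption: routine dynamic DNS registration comes from computer accounts, whose
# sAMAccountName ends in '$'. The real rule's exclusion list may be broader.
MACHINE_ACCOUNT = re.compile(r".+\$$")


@dataclass
class Alert:
    user: str
    record: str
    zone: str
    dn: str


def parse_dns_node_dn(dn: str):
    """Split an ADIDNS dnsNode DN into (record name, zone name).

    ADIDNS stores each record as a dnsNode object with a DN of the form
      DC=<record>,DC=<zone>,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=local
    so the first two DC= components are the record and its zone. Returns
    (None, None) when the DN does not have that shape.
    """
    parts = [p.strip() for p in dn.split(",")]
    dc = [p[3:] for p in parts if p.upper().startswith("DC=")]
    if len(dc) < 2:
        return None, None
    return dc[0], dc[1]


def detect_dns_record_creation(events, is_excluded=MACHINE_ACCOUNT.match):
    """Return one Alert per 5137 event that creates a dnsNode from a non-excluded account.

    Only object creation (5137) counts; modifications (5136) and deletions (5141) of
    DNS nodes are out of scope for this rule.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5137:
            continue
        if ev.get("ObjectClass", "").lower() != "dnsnode":
            continue
        user = ev.get("SubjectUserName", "")
        if is_excluded(user):
            continue  # computer account: expected dynamic registration
        dn = ev.get("ObjectDN", "")
        record, zone = parse_dns_node_dn(dn)
        alerts.append(Alert(user=user, record=record, zone=zone, dn=dn))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # a workstation registering its own A record: excluded
        "EventID": 5137, "ObjectClass": "dnsNode", "SubjectUserName": "WS01$",
        "ObjectDN": "DC=ws01,DC=corp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=local",
    },
    {   # a regular user creating a 'wpad' record: alert
        "EventID": 5137, "ObjectClass": "dnsNode", "SubjectUserName": "jdoe",
        "ObjectDN": "DC=wpad,DC=corp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=local",
    },
    {   # same user creating a non-DNS object: not this rule's concern
        "EventID": 5137, "ObjectClass": "user", "SubjectUserName": "jdoe",
        "ObjectDN": "CN=svc-backup,OU=Service Accounts,DC=corp,DC=local",
    },
    {   # modification of an existing DNS node (5136), not a creation
        "EventID": 5136, "ObjectClass": "dnsNode", "SubjectUserName": "jdoe",
        "ObjectDN": "DC=fileserver,DC=corp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=local",
    },
]


if __name__ == "__main__":
    for a in detect_dns_record_creation(SAMPLE_EVENTS):
        print(f"ALERT user={a.user} record={a.record} zone={a.zone} dn={a.dn}")
```

The record and zone pulled out of the DN are what an analyst needs first when triaging: a non-computer account creating names such as wpad or a wildcard record in the domain zone is the classic redirect setup the rule exists to catch. The function only sees events that exist, so the 'Audit Directory Service Changes' policy (success and failure) mentioned above must already be enabled on the domain controllers.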
Categories
  • Windows
  • Endpoint
  • Infrastructure
  • Identity Management
Data Sources
  • Active Directory
  • Windows Registry
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1557
Created: 2024-03-26