Windows AD Short Lived Server Object

Splunk Security Content

Summary
This detection rule identifies the creation and deletion of a Domain Controller (DC) object in a Windows Active Directory environment within a short window, a pattern that indicates a possible DCShadow attack. It analyzes the Windows Security Event Logs, EventCode 5137 (object creation) and EventCode 5141 (object deletion), and flags cases where a DC object is created and then deleted within 30 seconds. The timing is the key signal: the DCShadow technique lets an attacker who already holds privileged rights register a rogue DC, use it to manipulate Active Directory objects and credentials, and then remove it again. The search is built on Splunk's transaction command, which links the creation and deletion events by Object Distinguished Name (ObjectDN), so the pairing is detected as soon as both events are indexed. If confirmed, such activity may indicate unauthorized modifications within Active Directory that compromise the security integrity of the domain.
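The correlation described above, reproduced as an added Python example (not the Splunk rule's own SPL) so the logic can be checked against constructed sample events: each 5137 creation is paired with the next 5141 deletion for the same ObjectDN, and the pair is alerted on when the object lived 30 seconds or less. Field names (_time, EventCode, ObjectDN, SubjectUserName), the distinguished names and the user names are assumptions, and the events are assumed to be already filtered to DC server objects upstream.

```python
from datetime import datetime

WINDOW_SECONDS = 30  # the rule's creation-to-deletion window


def event(time_iso, code, object_dn, user):
    """Build a minimal Security-log-style event (field names are assumptions)."""
    return {"_time": time_iso, "EventCode": code, "ObjectDN": object_dn,
            "SubjectUserName": user}


# Constructed sample events, assumed already filtered to DC server objects.
# EventCode 5137 = directory service object created, 5141 = object deleted.
ROGUE_DN = "CN=DC99,CN=Servers,CN=Site-A,CN=Sites,CN=Configuration,DC=corp,DC=example"
DECOM_DN = "CN=DC07,CN=Servers,CN=Site-A,CN=Sites,CN=Configuration,DC=corp,DC=example"
ORPHAN_DN = "CN=DC03,CN=Servers,CN=Site-A,CN=Sites,CN=Configuration,DC=corp,DC=example"
SAMPLE_EVENTS = [
    # Short-lived object: created and deleted 12 seconds apart -> alert.
    event("2024-12-10T10:00:00", 5137, ROGUE_DN, "svc_backup"),
    event("2024-12-10T10:00:12", 5141, ROGUE_DN, "svc_backup"),
    # Ordinary lifecycle: hours between creation and deletion -> no alert.
    event("2024-12-10T08:00:00", 5137, DECOM_DN, "admin.jane"),
    event("2024-12-10T13:30:00", 5141, DECOM_DN, "admin.jane"),
    # Deletion with no matching creation in the data -> nothing to pair.
    event("2024-12-10T11:00:00", 5141, ORPHAN_DN, "admin.jane"),
]


def _ts(ev):
    return datetime.fromisoformat(ev["_time"])


def find_short_lived_objects(events, window_seconds=WINDOW_SECONDS):
    """Pair each 5137 with the next 5141 on the same ObjectDN, as the rule's
    transaction-by-ObjectDN does, and return the pairs inside the window."""
    open_creations = {}  # ObjectDN -> the 5137 event still awaiting its 5141
    alerts = []
    for ev in sorted(events, key=_ts):  # process in time order
        dn = ev["ObjectDN"]
        if ev["EventCode"] == 5137:
            open_creations[dn] = ev
        elif ev["EventCode"] == 5141 and dn in open_creations:
            start = open_creations.pop(dn)
            lifetime = (_ts(ev) - _ts(start)).total_seconds()
            if lifetime <= window_seconds:
                alerts.append({"ObjectDN": dn, "lifetime_s": lifetime,
                               "created_by": start["SubjectUserName"],
                               "deleted_by": ev["SubjectUserName"]})
    return alerts


if __name__ == "__main__":
    for a in find_short_lived_objects(SAMPLE_EVENTS):
        print(f"ALERT short-lived DC object {a['ObjectDN']} lived "
              f"{a['lifetime_s']:.0f}s (created by {a['created_by']})")
```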
Categories
  • Windows
  • Identity Management
  • Endpoint
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1207
Created: 2024-12-10