
Summary
This detection rule identifies potential DCShadow attacks by monitoring for the creation of new Service Principal Names (SPNs) prefixed with 'GC/'. A DCShadow attack targets the Active Directory (AD) domain controller role: the attacker registers a rogue domain controller and uses it to push manipulated AD objects through replication. The detection relies on specific event IDs in the Windows security log, in particular updates to the 'servicePrincipalName' attribute that could indicate a spoofed global-catalog SPN of the kind such an attack registers. The rule combines two selection criteria: the presence of the 'GC/' substring in SPNs and specific event IDs related to changes in security object attributes. To reduce false positives, the rule excludes known domain controllers, which legitimately generate such changes.
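The following Python is an added illustration of the rule logic described above, not the rule's own source. It assumes Security-log event IDs 4742 (computer account changed, with a multi-line ServicePrincipalNames field) and 5136 (directory service object modified, with AttributeLDAPDisplayName/AttributeValue fields); the domain controller allowlist, field names and sample events are constructed for the example.

```python
"""Detection of DCShadow-style 'GC/' SPN registration, modelled on the rule
described above. Added example, not the rule's own source. Event IDs 4742 and
5136 are assumed from the Windows Security log; sample events are constructed."""

from typing import Iterable

# Assumption: computer accounts of legitimate domain controllers, which register
# GC/ SPNs in normal operation (the rule's false-positive exclusion). Constructed.
KNOWN_DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}

SPOOFED_SPN_PREFIX = "GC/"


def _is_known_dc(account: str) -> bool:
    return account.upper() in {a.upper() for a in KNOWN_DOMAIN_CONTROLLERS}


def _account_name(target: str) -> str:
    """Normalise a 4742 TargetUserName ('DC01$') or a 5136 ObjectDN
    ('CN=DC01,OU=Domain Controllers,...') into a computer-account style name."""
    if target.upper().startswith("CN="):
        first_rdn = target.split(",", 1)[0][3:]
        return first_rdn + "$"
    return target


def spn_field_has_gc(value) -> bool:
    """4742 carries ServicePrincipalNames as a multi-line string; 5136 carries a
    single AttributeValue. Accept either a list or a string and check each SPN."""
    if value is None:
        return False
    if isinstance(value, str):
        value = value.splitlines()
    return any(v.strip().startswith(SPOOFED_SPN_PREFIX) for v in value)


def matches_dcshadow_rule(event: dict) -> bool:
    """True when the event matches either selection and is not an excluded DC."""
    event_id = event.get("EventID")
    if event_id == 4742:
        # Selection 1: computer account change whose SPN list contains a GC/ SPN
        selected = spn_field_has_gc(event.get("ServicePrincipalNames"))
        target = event.get("TargetUserName", "")
    elif event_id == 5136:
        # Selection 2: a GC/ value written into the servicePrincipalName attribute
        selected = (
            event.get("AttributeLDAPDisplayName", "").lower() == "serviceprincipalname"
            and spn_field_has_gc(event.get("AttributeValue"))
        )
        target = event.get("ObjectDN", "")
    else:
        return False
    if not selected:
        return False
    # Exclusion: known domain controllers legitimately hold GC/ SPNs.
    return not _is_known_dc(_account_name(target))


def find_dcshadow_candidates(events: Iterable[dict]) -> list:
    """Run the rule over a stream of parsed events and return the matches."""
    return [e for e in events if matches_dcshadow_rule(e)]


# Constructed sample events in the shape of parsed Security-log fields.
SAMPLE_EVENTS = [
    # Legitimate DC re-registering its own GC/ SPN: excluded by the allowlist.
    {"EventID": 4742, "TargetUserName": "DC01$",
     "ServicePrincipalNames": "GC/dc01.corp.example/corp.example\r\nHOST/dc01.corp.example"},
    # A workstation account suddenly carrying a GC/ SPN: matches selection 1.
    {"EventID": 4742, "TargetUserName": "WS-FINANCE$",
     "ServicePrincipalNames": "HOST/ws-finance.corp.example\r\nGC/ws-finance.corp.example/corp.example"},
    # The same write seen as an attribute modification: matches selection 2.
    {"EventID": 5136, "ObjectDN": "CN=WS-FINANCE,OU=Workstations,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "GC/ws-finance.corp.example/corp.example"},
    # Ordinary HOST/ SPN write: no match.
    {"EventID": 5136, "ObjectDN": "CN=WS-FINANCE,OU=Workstations,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HOST/ws-finance.corp.example"},
    # Unrelated logon event: no match.
    {"EventID": 4624, "TargetUserName": "jdoe"},
]


if __name__ == "__main__":
    for hit in find_dcshadow_candidates(SAMPLE_EVENTS):
        print(hit["EventID"], hit.get("TargetUserName") or hit.get("ObjectDN"))
```

Of the five constructed events only the two concerning WS-FINANCE fire: the DC01$ change is suppressed by the allowlist, which is the false-positive provision the summary describes. In a real deployment the allowlist should be derived from the domain's Domain Controllers OU rather than hard-coded, since a stale list would mask a DCShadow attempt from a newly promoted rogue host only if that host were wrongly added to it.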
Categories
- Windows
- Network
- Infrastructure
Data Sources
- Windows Registry
- Application Log
Created: 2019-10-25