From db810b342f7ac7d3c4f36caecb7d51702bea60e2 Mon Sep 17 00:00:00 2001
From: Rettila
Date: Tue, 5 May 2020 16:48:39 +0200
Subject: [PATCH] Delete win_possible_dc_shadow.yml
---
.../windows/builtin/win_possible_dc_shadow.yml | 18 ------------------
1 file changed, 18 deletions(-)
delete mode 100644 rules/windows/builtin/win_possible_dc_shadow.yml
diff --git a/rules/windows/builtin/win_possible_dc_shadow.yml b/rules/windows/builtin/win_possible_dc_shadow.yml
deleted file mode 100644
index cbbe8e531..000000000
--- a/rules/windows/builtin/win_possible_dc_shadow.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-title: Potential DCShadow
-description: Monitors SPN modifications to detect DCShadow behavior.
-author: Chakib Gzenayi (@Chak92), Hosni Mribah
-tags:
- - attack.defense_evasion
- - attack.t1207
-logsource:
- product: windows
- service: system
-detection:
- selection:
- EventID: 5136
- LDAP_Display_Name: servicePrincipalName
- Value: 'GC/*'
- condition: selection
-falsepositives:
- - Exclude known DCs
-level: high