alert tcp !$DC_SERVERS any -> $DC_SERVERS 389 (msg:"ATTACK [PTsecurity] DCShadow: Fake DC Creation"; flow:established, to_server; content:"|68 84 00|"; content:"CN="; distance:5; within:3; content:"CN=Servers,CN="; distance:0; content:",CN=Sites,CN=Configuration,DC="; distance:0; content:"objectClass"; distance:0; content:"server"; distance:0; reference:url, blog.alsid.eu/dcshadow-explained-4510f52fc19d; classtype:attempted-admin; reference:url, github.com/ptresearch/AttackDetection; sid:10002559; rev:2;)