diff --git a/rules/windows/builtin/win_possible_dc_sync.yml b/rules/windows/builtin/win_possible_dc_shadow.yml
similarity index 61%
rename from rules/windows/builtin/win_possible_dc_sync.yml
rename to rules/windows/builtin/win_possible_dc_shadow.yml
index e736e09d..f1d63af7 100644
--- a/rules/windows/builtin/win_possible_dc_sync.yml
+++ b/rules/windows/builtin/win_possible_dc_shadow.yml
@@ -1,25 +1,29 @@
-title: Possible DC Sync
+title: Possible DC Shadow
 id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
 description: Detects DC sync via create new SPN
 status: experimental
-author: Ilyas Ochkov, oscd.community
+author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
 date: 2019/10/25
 references:
     - https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml
     - https://twitter.com/gentilkiwi/status/1003236624925413376
     - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
-    - https://jsecurity101.com/2019/Syncing-into-the-Shadows/
+    - https://blog.alsid.eu/dcshadow-explained-4510f52fc19d
 tags:
     - attack.credential_access
-    - attack.t1003
+    - attack.t1207
 logsource:
     product: windows
     service: security
 detection:
-    selection:
+    selection1:
         EventID: 4742
         ServicePrincipalNames: '*GC/*'
-    condition: selection
+    selection2:
+        EventID: 5136
+        LDAPDisplayName: servicePrincipalName
+        Value: 'GC/*'
+    condition: selection1 OR selection2
 falsepositives:
-    - Unkown
+    - Exclude known DCs
 level: high