
Summary
Detects a change to a computer account's userAccountControl attribute that sets the SERVER_TRUST_ACCOUNT flag, as recorded by Windows Security Event ID 4742 (a computer account was changed). SERVER_TRUST_ACCOUNT (0x2000, decimal 8192) is the bit that marks a computer account as a domain controller (DC); a 4742 event carries the attribute's previous and new raw values in its Old UAC Value and New UAC Value fields and lists the individual flags that changed in its User Account Control field. A DC promotion sets this bit legitimately during maintenance, but an unexpected change is a strong signal that an attacker is trying to give a computer account DC-level trust within Active Directory. The rule searches Security event 4742 for UserAccountControl values containing the 0x58 (88) pattern and aggregates by Computer, TargetUserName and EventID, reporting the first and last time the change was seen on each host; drilldowns show the matching events and related risk context. Before deploying, confirm against a known DC promotion in your environment that the filter matches the way your collector renders the flag, and match on the transition from clear to set rather than on mere presence of the bit, or any later userAccountControl change on an existing DC account (which still carries the bit) will alert. The events originate in the Security log of domain controllers; collect them with a log forwarder or EDR agent and map them via CIM so the Endpoint data model normalizes field names for richer analysis. Known false positives are legitimate DC promotions and scheduled maintenance; filter on change-management records or admin approval to reduce noise. References include Microsoft documentation on Event 4742 and userAccountControl manipulation.
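As an added example (not the page's rule, its SPL, or any vendor's code), the following Python implements the detection logic described above over constructed 4742 records: it decodes the raw userAccountControl bits from the event's OldUacValue/NewUacValue EventData fields, fires only when SERVER_TRUST_ACCOUNT goes from clear to set, aggregates first/last seen per Computer, TargetUserName and EventID, and applies a change-management allowlist. Field names follow the Security log EventData schema for 4742; the sample events, host names and the approved-accounts allowlist are assumptions made for the example.

```python
"""Worked detection for Event ID 4742 with SERVER_TRUST_ACCOUNT newly set (added example)."""
import xml.etree.ElementTree as ET

# userAccountControl bits (ADS_USER_FLAG_ENUM values from the Windows SDK)
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000
TRUSTED_FOR_DELEGATION = 0x80000

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _uac(value):
    """4742 reports Old/New UAC as hex text, or '-' when the attribute did not change."""
    return int(value, 16) if value.startswith("0x") else None


def parse_4742(xml_text):
    """Pull the fields the detection needs out of one 4742 event rendered as EVTX XML."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {
        "EventID": int(system.find("e:EventID", NS).text),
        "Computer": system.find("e:Computer", NS).text,
        "_time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "TargetUserName": data.get("TargetUserName", ""),
        "SubjectUserName": data.get("SubjectUserName", ""),
        "OldUacValue": _uac(data.get("OldUacValue", "-")),
        "NewUacValue": _uac(data.get("NewUacValue", "-")),
    }


def server_trust_newly_set(ev):
    """True only when SERVER_TRUST_ACCOUNT went from clear to set in this change."""
    new, old = ev["NewUacValue"], ev["OldUacValue"]
    if ev["EventID"] != 4742 or new is None or not new & SERVER_TRUST_ACCOUNT:
        return False
    return old is None or not old & SERVER_TRUST_ACCOUNT


def detect(events_xml, approved_accounts=frozenset()):
    """Aggregate hits by (Computer, TargetUserName, EventID) with first/last seen.

    approved_accounts is a hypothetical change-management allowlist of computer
    accounts (e.g. from an approved DC promotion ticket) whose hits are suppressed.
    """
    hits = {}
    for ev in map(parse_4742, events_xml):
        if not server_trust_newly_set(ev) or ev["TargetUserName"] in approved_accounts:
            continue
        key = (ev["Computer"], ev["TargetUserName"], ev["EventID"])
        agg = hits.setdefault(key, {"firstTime": ev["_time"], "lastTime": ev["_time"],
                                    "count": 0, "subjects": set()})
        agg["firstTime"] = min(agg["firstTime"], ev["_time"])  # ISO-8601 strings sort lexically
        agg["lastTime"] = max(agg["lastTime"], ev["_time"])
        agg["count"] += 1
        agg["subjects"].add(ev["SubjectUserName"])
    return hits


def _event(time, target, subject, old, new):
    """Constructed 4742 record (not a real log) with only the EventData fields used above."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4742</EventID><TimeCreated SystemTime="{time}"/><Computer>DC01.corp.example.com</Computer></System>
  <EventData>
    <Data Name="TargetUserName">{target}</Data>
    <Data Name="SubjectUserName">{subject}</Data>
    <Data Name="OldUacValue">{old}</Data>
    <Data Name="NewUacValue">{new}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    # Legitimate promotion: WORKSTATION_TRUST_ACCOUNT -> SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
    _event("2026-04-13T09:00:00.000Z", "SRV01$", "dcadmin",
           hex(WORKSTATION_TRUST_ACCOUNT), hex(SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION)),
    # Unexpected: a workstation account granted DC trust, seen twice
    _event("2026-04-13T10:15:00.000Z", "WS05$", "jdoe", "0x1000", "0x2000"),
    _event("2026-04-13T11:30:00.000Z", "WS05$", "jdoe", "0x1000", "0x2000"),
    # Existing DC: userAccountControl untouched, so 4742 reports '-' and must not fire
    _event("2026-04-13T12:00:00.000Z", "DC02$", "DC02$", "-", "-"),
    # Existing DC: another flag cleared but SERVER_TRUST_ACCOUNT already set, must not fire
    _event("2026-04-13T12:05:00.000Z", "DC02$", "dcadmin", "0x82000", "0x2000"),
]

if __name__ == "__main__":
    for key, agg in detect(SAMPLE_EVENTS, approved_accounts={"SRV01$"}).items():
        print(key, agg)
```

Matching on the clear-to-set transition is what keeps the existing-DC events quiet; a filter that only checks whether the bit is present in the new value would also fire on the last sample, where an administrator merely removed TRUSTED_FOR_DELEGATION from an account that was already a DC.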
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1136.002
Created: 2026-04-13