Suspicious Ticket Granting Ticket Request

Splunk Security Content

Summary
This analytic detection rule monitors for suspicious Kerberos Ticket Granting Ticket (TGT) requests that may indicate exploitation of CVE-2021-42278 and CVE-2021-42287. Using Windows Security Event ID 4781 (an account name was changed) and Event ID 4768 (a Kerberos TGT was requested), the rule identifies a renamed computer account that requests a TGT shortly after the rename. This sequence is of concern because it may reflect an attempt to escalate privileges by impersonating a Domain Controller, potentially giving an attacker higher access within the domain; if the activity is confirmed as malicious, it may lead to full control of the domain environment. The search query detects the sequence by looking for a TGT request that immediately follows an account name change and uses the transaction command to group the two events. Implementers must ensure that the relevant domain controller and Kerberos event logs are collected and that the necessary audit settings are enabled.
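The following is an added, stand-alone illustration of the correlation the summary describes, written here for this page and not taken from the Splunk rule itself. It pairs a 4781 rename event with a later 4768 TGT request for the newly assigned name inside a time window. The sample events are constructed, the five-minute window is an assumed value (the Splunk rule's own window is not stated on this page), and the field names OldTargetUserName, NewTargetUserName and TargetUserName are those of the Windows Security event XML.

```python
"""Correlate Windows Security events 4781 (account name changed) and 4768
(Kerberos TGT requested) to flag a TGT request for the new name shortly
after the rename. Added example; not the Splunk detection's own code."""
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names follow the
# Windows Security event XML: OldTargetUserName / NewTargetUserName on
# 4781 and TargetUserName on 4768.
SAMPLE_EVENTS = [
    {"time": "2024-11-13T10:00:00", "EventCode": 4781,
     "OldTargetUserName": "WS01$", "NewTargetUserName": "DC01"},
    {"time": "2024-11-13T10:00:40", "EventCode": 4768,
     "TargetUserName": "DC01", "IpAddress": "10.0.0.25"},
    {"time": "2024-11-13T10:05:00", "EventCode": 4768,
     "TargetUserName": "alice", "IpAddress": "10.0.0.30"},
    {"time": "2024-11-13T11:00:00", "EventCode": 4781,
     "OldTargetUserName": "WS02$", "NewTargetUserName": "WS02-NEW$"},
    {"time": "2024-11-13T13:00:00", "EventCode": 4768,
     "TargetUserName": "WS02-NEW$", "IpAddress": "10.0.0.31"},
]

# Assumed correlation window; tune it to the environment's rename-to-logon latency.
WINDOW = timedelta(minutes=5)


def parse_time(value):
    """Parse the ISO 8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def computer_account_lost_suffix(rename):
    """True when a computer account (name ending in '$') was renamed to a
    name without the '$' suffix, the shape the summary's Domain
    Controller impersonation concern describes."""
    return (rename["OldTargetUserName"].endswith("$")
            and not rename["NewTargetUserName"].endswith("$"))


def find_suspicious_tgt_requests(events, window=WINDOW):
    """Return (rename_event, tgt_event, lost_suffix) triples for each 4768
    whose TargetUserName equals a NewTargetUserName assigned by a 4781
    within `window` before the request (the page's transaction grouping)."""
    renames = {}  # new account name (lower-cased) -> most recent 4781 event
    hits = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if ev["EventCode"] == 4781:
            renames[ev["NewTargetUserName"].lower()] = ev
        elif ev["EventCode"] == 4768:
            rename = renames.get(ev["TargetUserName"].lower())
            if rename is None:
                continue
            elapsed = parse_time(ev["time"]) - parse_time(rename["time"])
            if timedelta(0) <= elapsed <= window:
                hits.append((rename, ev, computer_account_lost_suffix(rename)))
    return hits


if __name__ == "__main__":
    for rename, tgt, lost_suffix in find_suspicious_tgt_requests(SAMPLE_EVENTS):
        print(f"{rename['time']} {rename['OldTargetUserName']} -> "
              f"{rename['NewTargetUserName']}; TGT requested at {tgt['time']} "
              f"from {tgt['IpAddress']}; computer account lost '$': {lost_suffix}")
```

On the constructed data only the DC01 request is reported: it arrives forty seconds after WS01$ was renamed and the new name has dropped the computer account suffix. The WS02-NEW$ request falls two hours after its rename and is ignored, which is the kind of benign rename-then-logon noise the window is meant to exclude.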
Categories
  • Windows
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1078
  • T1078.002
Created: 2024-11-13