
Summary
This detection rule identifies suspicious renames of computer accounts in Active Directory, a potential indicator of exploitation of CVE-2021-42278 (sAMAccountName spoofing). In that attack a low-privileged user who controls a machine account (for example one they created under the default ms-DS-MachineAccountQuota) renames it so that its sAMAccountName matches a domain controller's name without the trailing '$'. A TGT requested under that name, combined with the related ticket-handling flaw (CVE-2021-42287), lets the attacker obtain service tickets as the domain controller and escalate from a standard user to domain admin.

The EQL query matches the Windows Security event 4781 ("The name of an account was changed", event.action "renamed-user-account") on domain controllers and looks for a specific pattern: OldTargetUserName ends with '$' (a computer account) and NewTargetUserName does not. Emitting this event requires account management auditing to be enabled on the domain controllers. Note that the attacker typically renames the account back immediately afterwards, which restores the '$' and is not matched by the rule; only the first leg of the rename fires, so the rename-back event is a useful pivot during triage rather than a separate alert.

The rule is classified as high severity with a risk score of 73. For stack versions below 8.2, data indexed outside of Elastic Agent (such as Beats) does not populate event.ingested, which EQL rules rely on; a custom ingest pipeline that copies @timestamp into event.ingested is needed for the rule to evaluate events correctly. The rule also includes an investigation guide covering triage, analysis and remediation of suspected incidents. Proposed responses to confirmed threats include isolating affected machines, reverting the unauthorized rename, and escalating to the incident response team.
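The following is an added example, not code from the rule itself or from Elastic: it reimplements the rule's matching condition in Python and runs it over constructed event 4781 records laid out the way Winlogbeat and Elastic Agent map them (event.action and winlog.event_data.* fields). It goes one step beyond the rule by pairing each hit with the later rename-back event by the same subject, which the rule does not do; the sample events, the account names and the pairing window are assumptions made for illustration.

```python
"""Rule condition for CVE-2021-42278-style computer-account renames, plus a
triage helper that pairs a hit with the rename-back event. Constructed data."""

from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Event 4781 is mapped to
# event.action "renamed-user-account"; OldTargetUserName/NewTargetUserName
# carry the sAMAccountName before and after the rename.
SAMPLE_EVENTS = [
    {   # benign: a user account renamed to another user-style name
        "@timestamp": "2021-12-12T10:00:00Z",
        "event": {"code": "4781", "action": "renamed-user-account"},
        "winlog": {"event_data": {"SubjectUserName": "hr-admin",
                                  "OldTargetUserName": "jsmith",
                                  "NewTargetUserName": "john.smith"}},
    },
    {   # benign: a computer account renamed to another computer-style name
        "@timestamp": "2021-12-12T10:01:00Z",
        "event": {"code": "4781", "action": "renamed-user-account"},
        "winlog": {"event_data": {"SubjectUserName": "desktop-ops",
                                  "OldTargetUserName": "WS01$",
                                  "NewTargetUserName": "WS-FINANCE-01$"}},
    },
    {   # suspicious: computer account renamed to a DC-like name without '$'
        "@timestamp": "2021-12-12T10:05:00Z",
        "event": {"code": "4781", "action": "renamed-user-account"},
        "winlog": {"event_data": {"SubjectUserName": "lowpriv",
                                  "OldTargetUserName": "EVILPC$",
                                  "NewTargetUserName": "DC01"}},
    },
    {   # the rename back: '$' is restored, so the rule does not match it
        "@timestamp": "2021-12-12T10:05:30Z",
        "event": {"code": "4781", "action": "renamed-user-account"},
        "winlog": {"event_data": {"SubjectUserName": "lowpriv",
                                  "OldTargetUserName": "DC01",
                                  "NewTargetUserName": "EVILPC$"}},
    },
]


def _data(event):
    return event.get("winlog", {}).get("event_data", {})


def _ts(event):
    return datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def matches_rule(event):
    """Equivalent of the EQL condition: renamed-user-account where the old
    name ends with '$' and the new name does not."""
    if event.get("event", {}).get("action") != "renamed-user-account":
        return False
    data = _data(event)
    old = data.get("OldTargetUserName", "")
    new = data.get("NewTargetUserName", "")
    return old.endswith("$") and not new.endswith("$")


def find_matches(events):
    """All events the rule would alert on, in input order."""
    return [e for e in events if matches_rule(e)]


def find_rename_round_trips(events, window_seconds=600):
    """Triage helper beyond the rule: pair each hit with a later event by the
    same subject that renames the spoofed name back to the original computer
    account within the window. Returns (hit, revert) tuples."""
    ordered = sorted(events, key=_ts)
    pairs = []
    for hit in find_matches(ordered):
        h = _data(hit)
        deadline = _ts(hit) + timedelta(seconds=window_seconds)
        for later in ordered:
            if _ts(later) <= _ts(hit) or _ts(later) > deadline:
                continue
            d = _data(later)
            if (later.get("event", {}).get("action") == "renamed-user-account"
                    and d.get("SubjectUserName") == h.get("SubjectUserName")
                    and d.get("OldTargetUserName") == h.get("NewTargetUserName")
                    and d.get("NewTargetUserName") == h.get("OldTargetUserName")):
                pairs.append((hit, later))
                break
    return pairs


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        d = _data(hit)
        print(f"ALERT {hit['@timestamp']} {d['SubjectUserName']} renamed "
              f"{d['OldTargetUserName']} -> {d['NewTargetUserName']}")
    for hit, revert in find_rename_round_trips(SAMPLE_EVENTS):
        print(f"  reverted at {revert['@timestamp']} -> "
              f"{_data(revert)['NewTargetUserName']}")
```

Only the EVILPC$ to DC01 rename is flagged; the WS01$ rename keeps its '$' and the jsmith rename never had one, so neither matches, which is the rule's built-in false-positive control. The round-trip pairing is what an analyst following the investigation guide would do manually: confirm the same subject put the '$' back shortly afterwards, then look for TGT and service-ticket requests under the spoofed name in between.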
Categories
- Windows
- Cloud
- Identity Management
- On-Premise
Data Sources
- Active Directory
- Windows Registry
- Application Log
- Process
ATT&CK Techniques
- T1068
- T1078
- T1078.002
- T1098
Created: 2021-12-12