
Summary
This threat detection rule identifies potential exploitation attempts associated with CVE-2021-42287, a vulnerability in Microsoft Windows Active Directory. Attackers holding certain permissions may create a computer object and then manipulate various of its attributes, particularly the ServicePrincipalName. The exploitation is facilitated by the attacker becoming the CREATOR OWNER of the new object, which grants elevated permissions over it and the ability to make unauthorized changes. The rule specifically targets events logged by Windows Directory Services, particularly EventID 16990 and 16991, as indicators of this type of malicious activity. To be effective, the detection relies on these events being properly logged on the Windows systems concerned. A valid detection suggests that unauthorized manipulation of Active Directory objects is occurring and should be investigated further.
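The following is an added example of the detection logic described above, not code from the rule's author or vendor. It parses exported Windows event XML (the format produced by wevtutil or Get-WinEvent's ToXml()) and raises an alert for every Directory Services event with EventID 16990 or 16991. The sample events are constructed for illustration: the provider name, the EventData field names (SubjectUserName, ObjectName), the host name and the user and object values are assumptions and are not taken from a real system.

```python
"""Added example: flag Directory Services EventID 16990/16991 in exported
Windows event XML, as the rule summary describes. Sample data is constructed."""
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML exports
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The event IDs named in the rule summary
CVE_2021_42287_EVENT_IDS = {16990, 16991}

# Constructed sample events. Provider name, field names, host and values are
# illustrative assumptions, not captured from a live domain controller.
SAMPLE_EVENT_XML = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Directory-Services-SAM"/>
    <EventID>16990</EventID>
    <TimeCreated SystemTime="2021-12-15T10:01:02.000Z"/>
    <Computer>dc01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="ObjectName">CN=DC01,CN=Computers,DC=corp,DC=example</Data>
  </EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Directory-Services-SAM"/>
    <EventID>16991</EventID>
    <TimeCreated SystemTime="2021-12-15T10:01:05.000Z"/>
    <Computer>dc01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">svc-backup</Data>
    <Data Name="ObjectName">CN=WS42,CN=Computers,DC=corp,DC=example</Data>
  </EventData>
</Event>""",
    # Unrelated logon event, included so the filter has something to ignore
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2021-12-15T10:01:07.000Z"/>
    <Computer>dc01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
  </EventData>
</Event>""",
]


def parse_event(xml_text):
    """Extract the System header and EventData fields of one exported event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {}
    event_data = root.find("e:EventData", NS)
    if event_data is not None:
        for i, d in enumerate(event_data.findall("e:Data", NS)):
            # Unnamed Data elements are keyed by position
            fields[d.get("Name", f"Data{i}")] = (d.text or "").strip()
    return {
        "provider": system.find("e:Provider", NS).get("Name", ""),
        "event_id": int(system.find("e:EventID", NS).text),
        "time": system.find("e:TimeCreated", NS).get("SystemTime", ""),
        "computer": (system.find("e:Computer", NS).text or "").strip(),
        "fields": fields,
    }


def detect(events):
    """Return one alert per event whose ID matches the rule's indicator set."""
    alerts = []
    for ev in events:
        if ev["event_id"] not in CVE_2021_42287_EVENT_IDS:
            continue
        alerts.append({
            "rule": "CVE-2021-42287 Active Directory object manipulation",
            "event_id": ev["event_id"],
            "host": ev["computer"],
            "time": ev["time"],
            "provider": ev["provider"],
            # Field names below are assumed for the constructed samples
            "actor": ev["fields"].get("SubjectUserName", "<unknown>"),
            "object": ev["fields"].get("ObjectName", "<unknown>"),
        })
    return alerts


def run_sample():
    """Run the detection over the constructed sample events."""
    return detect(parse_event(x) for x in SAMPLE_EVENT_XML)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Because the rule depends on the events actually being written, a practitioner would pair this with a check that the Directory Services log is being collected from every domain controller; an absence of 16990/16991 records is not evidence that no manipulation occurred.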
Categories
- Windows
- Identity Management
Data Sources
- Windows Registry
- Logon Session
- Active Directory
Created: 2021-12-15