
Summary
This detection rule identifies suspicious remote updates to a computer account's DnsHostName attribute in Active Directory, specifically when the new hostname resembles a valid domain controller's name while the subject computer is not itself a domain controller. Such a modification can indicate preparation for privilege escalation, in particular exploitation of CVE-2022-26923. The rule uses EQL over logged Windows computer-account change events, matching changes made under specific conditions and by user IDs that may signify malicious intent. Investigative steps include validating the legitimacy of the change, confirming whether the new DnsHostName matches a known domain controller, and reviewing the user account that made the change for signs of compromise. The goal is to reduce the risk of unauthorized privilege escalation through monitoring and a defined response procedure.
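The following is an added illustration of the detection logic described above, written in Python rather than EQL; it is not the rule's own query and not code from the rule's authors. It assumes computer-account change events (Windows Security Event ID 4742) flattened into dictionaries with the field names shown, a hypothetical inventory of domain controllers in KNOWN_DCS, and constructed sample events.

```python
"""Flag 4742 events that set a non-DC computer's DnsHostName to a DC's name.

Hypothetical re-implementation of the detection idea, not the rule's EQL.
"""

# Assumed inventory of domain controllers: SAM account name -> DNS host name.
# In a real deployment this would be pulled from the directory or a CMDB.
KNOWN_DCS = {
    "DC01$": "dc01.corp.example",
    "DC02$": "dc02.corp.example",
}

# SID prefixes of domain accounts; well-known local SIDs such as S-1-5-18
# (LOCAL SYSTEM) are excluded, matching the rule's focus on user-driven changes.
DOMAIN_SID_PREFIXES = ("S-1-5-21-", "S-1-12-1-")

# Constructed sample events resembling flattened Event ID 4742 records.
# In 4742, an attribute that was not changed is logged as "-".
SAMPLE_EVENTS = [
    {"event_code": "4742", "subject_user_sid": "S-1-5-21-1111-2222-3333-1105",
     "subject_user_name": "jdoe", "target_user_name": "WS01$",
     "dns_host_name": "dc01.corp.example"},   # non-DC renamed to a DC FQDN
    {"event_code": "4742", "subject_user_sid": "S-1-5-18",
     "subject_user_name": "WS02$", "target_user_name": "WS02$",
     "dns_host_name": "ws02.corp.example"},   # machine updating itself
    {"event_code": "4742", "subject_user_sid": "S-1-5-21-1111-2222-3333-500",
     "subject_user_name": "Administrator", "target_user_name": "DC01$",
     "dns_host_name": "dc01.corp.example"},   # a DC's own record
    {"event_code": "4742", "subject_user_sid": "S-1-5-21-1111-2222-3333-1106",
     "subject_user_name": "asmith", "target_user_name": "WS03$",
     "dns_host_name": "-"},                   # DnsHostName not changed
    {"event_code": "4742", "subject_user_sid": "S-1-5-21-1111-2222-3333-1105",
     "subject_user_name": "jdoe", "target_user_name": "WS04$",
     "dns_host_name": "DC02"},                # bare label resembling a DC
    {"event_code": "4724", "subject_user_sid": "S-1-5-21-1111-2222-3333-500",
     "subject_user_name": "Administrator", "target_user_name": "WS05$",
     "dns_host_name": "dc01.corp.example"},   # wrong event type, ignored
]


def _host_label(name):
    """Return the lower-cased first DNS label of a host name."""
    return name.split(".", 1)[0].lower()


def is_suspicious_dnshostname_update(event, known_dcs=KNOWN_DCS):
    """True when a domain account sets a non-DC computer's DnsHostName to a
    value that equals, or shares its host label with, a known DC name."""
    if event.get("event_code") != "4742":
        return False
    new_name = event.get("dns_host_name") or ""
    if new_name in ("", "-"):
        return False
    if not str(event.get("subject_user_sid", "")).startswith(DOMAIN_SID_PREFIXES):
        return False
    target = str(event.get("target_user_name", "")).upper()
    if target in known_dcs:
        return False  # the subject computer is itself a domain controller
    dc_fqdns = {fqdn.lower() for fqdn in known_dcs.values()}
    dc_labels = {_host_label(fqdn) for fqdn in known_dcs.values()}
    return new_name.lower() in dc_fqdns or _host_label(new_name) in dc_labels


def find_suspicious_updates(events, known_dcs=KNOWN_DCS):
    """Return the events that match the detection, in input order."""
    return [e for e in events if is_suspicious_dnshostname_update(e, known_dcs)]


if __name__ == "__main__":
    for hit in find_suspicious_updates(SAMPLE_EVENTS):
        print(f"ALERT: {hit['subject_user_name']} set DnsHostName of "
              f"{hit['target_user_name']} to {hit['dns_host_name']}")
```

The checks mirror the conditions in the summary: only computer-account change events count, changes by well-known local SIDs are excluded, events where the attribute was not modified are skipped, and a match requires that the subject computer is not a DC while the new name matches a DC. The host-label comparison is what makes a bare or differently-suffixed name "resemble" a DC; tune it to the naming conventions of the environment to avoid false positives on legitimately similar workstation names.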
Categories
- Windows
- Endpoint
- On-Premise
- Identity Management
- Other
Data Sources
- Active Directory
- Windows Registry
ATT&CK Techniques
- T1068
- T1078
- T1078.002
Created: 2022-05-11