ZeroLogon CVE-2020-1472

Anvilogic Forge

Summary
The ZeroLogon vulnerability (CVE-2020-1472) is a critical security flaw that enables an attacker to impersonate a Domain Controller and, ultimately, to change the password of that Domain Controller's computer account. This capability allows a malicious actor to gain unauthorized access and pull credentials from the Domain Controller, leading to comprehensive compromise of Active Directory environments. The detection rule centers on monitoring specific Windows Event IDs, particularly Event ID 4742, which indicates that a security ID has been changed. The rule looks for occurrences of the 'ANONYMOUS LOGON' user associated with the 'NT AUTHORITY' account, filtering for events related to Domain Controllers. The Splunk logic aggregates the findings over time and presents a table of the relevant activity, including timestamps, hosts, users, and the affected domain. This detection strategy is pivotal for early identification of exploitation attempts leveraging this vulnerability, which has been exploited by notable threat actors including APT15 and APT29/Nobelium.
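The detection logic described above, run over a handful of constructed 4742 records, as an added example that is not Anvilogic's own Splunk rule. The key=value field names (EventCode, Subject_Account_Name, Subject_Account_Domain, Account_Domain), the host list used to identify Domain Controllers and the sample events are all assumptions made for the example.

```python
import re

# Constructed sample Windows Security events (EventCode 4742), flattened to
# key=value lines. Field names follow the Splunk Windows TA style but are an
# assumption for this example, not the rule's actual search.
SAMPLE_EVENTS = [
    '2020-09-15T10:01:03Z host=DC01 EventCode=4742 Subject_Account_Name="ANONYMOUS LOGON" '
    'Subject_Account_Domain="NT AUTHORITY" Computer_Account_Name="DC01$" Account_Domain="CORP"',
    '2020-09-15T10:05:11Z host=DC01 EventCode=4742 Subject_Account_Name="svc-join" '
    'Subject_Account_Domain="CORP" Computer_Account_Name="WS-42$" Account_Domain="CORP"',
    '2020-09-15T10:07:44Z host=FS01 EventCode=4742 Subject_Account_Name="ANONYMOUS LOGON" '
    'Subject_Account_Domain="NT AUTHORITY" Computer_Account_Name="FS01$" Account_Domain="CORP"',
    '2020-09-15T11:30:00Z host=DC02 EventCode=4742 Subject_Account_Name="ANONYMOUS LOGON" '
    'Subject_Account_Domain="NT AUTHORITY" Computer_Account_Name="DC02$" Account_Domain="CORP"',
]

# Assumed asset inventory: hostnames that are Domain Controllers.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line):
    """Turn one key=value line into a dict; the leading token is the timestamp."""
    ts, rest = line.split(" ", 1)
    fields = {"_time": ts}
    for key, raw, quoted in FIELD_RE.findall(rest):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def is_zerologon_candidate(ev):
    """4742 on a DC where the change was made by NT AUTHORITY\\ANONYMOUS LOGON."""
    return (ev.get("EventCode") == "4742"
            and ev.get("Subject_Account_Name", "").upper() == "ANONYMOUS LOGON"
            and ev.get("Subject_Account_Domain", "").upper() == "NT AUTHORITY"
            and ev.get("host") in DOMAIN_CONTROLLERS)

def detect(lines):
    """Aggregate hits per (host, user, domain) with first/last time and a count,
    mirroring the table the Splunk logic produces."""
    table = {}
    for ev in map(parse_event, lines):
        if not is_zerologon_candidate(ev):
            continue
        key = (ev["host"], ev["Subject_Account_Name"], ev.get("Account_Domain"))
        row = table.setdefault(key, {"first": ev["_time"], "last": ev["_time"], "count": 0})
        row["first"], row["last"] = min(row["first"], ev["_time"]), max(row["last"], ev["_time"])
        row["count"] += 1
    return table

if __name__ == "__main__":
    for (host, user, domain), row in detect(SAMPLE_EVENTS).items():
        print(f"{row['first']} .. {row['last']} host={host} user={user} domain={domain} count={row['count']}")
```

The FS01 event is dropped because the host is not a Domain Controller, and the svc-join change is dropped because its subject is not the anonymous account; tuning the DC list to your environment is what keeps this from firing on ordinary computer-account maintenance.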
Categories
  • Windows
  • On-Premise
  • Identity Management
Data Sources
  • Windows Registry
  • Domain Name
  • Active Directory
ATT&CK Techniques
  • T1068
  • T1210
Created: 2024-02-09