
Summary
The detection rule titled 'Detect Zerologon via Zeek' is designed to identify potential exploitation attempts of the Zerologon vulnerability (CVE-2020-1472) by analyzing Zeek DCE-RPC activity. This vulnerability allows unauthorized access to domain controllers, which can lead to severe consequences such as data breaches, ransomware attacks, or complete IT infrastructure compromise. The rule focuses on three RPC operations indicative of Zerologon exploitation: NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3. Each of these operations corresponds to a successive stage of the Netlogon authentication and domain manipulation attempt. Using this data in Splunk, the rule runs a query that groups RPC operations by source and destination IP address over a 5-minute time window and checks that all three operations are present with their respective counts. If all conditions are met, in particular an elevated number of authentication attempts, the activity signals a potential Zerologon attack that requires immediate investigation. Users need to ingest Zeek DCE-RPC data formatted in JSON into their Splunk environment for the detection to function. This analytic thus serves as a critical protective measure against the exploitation of a well-known security flaw that poses significant risks to an organization's cybersecurity posture.
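The grouping logic the summary describes, reimplemented here as an added Python example over a handful of constructed Zeek dce_rpc.log lines in JSON format (this is not the rule's own Splunk query, and the log lines are not real traffic). Events are bucketed per (source IP, destination IP, 5-minute window); a bucket alerts only when all three Netlogon operations appear and the NetrServerAuthenticate3 count reaches a threshold. The page gives no numeric threshold, so `MIN_AUTH_ATTEMPTS = 8` is an assumed tuning value; the field names (`ts`, `id.orig_h`, `id.resp_h`, `endpoint`, `operation`) are Zeek's dce_rpc log fields.

```python
import json
from collections import defaultdict

# The three Netlogon RPC operations the detection looks for.
ZEROLOGON_OPS = {"NetrServerReqChallenge", "NetrServerAuthenticate3", "NetrServerPasswordSet2"}

WINDOW_SECONDS = 300      # the 5-minute grouping window described on the page
MIN_AUTH_ATTEMPTS = 8     # ASSUMED threshold for "elevated" authentication attempts; not from the page


def constructed_log_lines():
    """Constructed Zeek dce_rpc.log JSON lines (sample data, not captured traffic)."""
    base = 1700000100.0   # constructed epoch time, aligned to a 5-minute boundary

    def line(ts, src, dst, endpoint, op):
        return json.dumps({"ts": ts, "id.orig_h": src, "id.resp_h": dst,
                           "endpoint": endpoint, "operation": op})

    lines = [
        # Benign host: a single challenge/authenticate pair and an unrelated srvsvc call.
        line(base + 1.0, "10.0.0.5", "10.0.0.10", "netlogon", "NetrServerReqChallenge"),
        line(base + 1.1, "10.0.0.5", "10.0.0.10", "netlogon", "NetrServerAuthenticate3"),
        line(base + 2.0, "10.0.0.5", "10.0.0.10", "srvsvc", "NetrShareEnum"),
    ]
    # Suspicious host: repeated challenge/authenticate pairs followed by a password set,
    # all inside one 5-minute window.
    for i in range(12):
        t = base + 10.0 + i * 0.5
        lines.append(line(t, "10.0.0.77", "10.0.0.10", "netlogon", "NetrServerReqChallenge"))
        lines.append(line(t + 0.1, "10.0.0.77", "10.0.0.10", "netlogon", "NetrServerAuthenticate3"))
    lines.append(line(base + 20.0, "10.0.0.77", "10.0.0.10", "netlogon", "NetrServerPasswordSet2"))
    # A lone password set in the *next* window: no challenge/authenticate there, so no alert.
    lines.append(line(base + 400.0, "10.0.0.77", "10.0.0.10", "netlogon", "NetrServerPasswordSet2"))
    return lines


def detect_zerologon(json_lines, window_seconds=WINDOW_SECONDS, min_auth_attempts=MIN_AUTH_ATTEMPTS):
    """Group Netlogon operations by (src, dst, window) and return the buckets that match."""
    buckets = defaultdict(lambda: defaultdict(int))
    for raw in json_lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        op = rec.get("operation")
        if op not in ZEROLOGON_OPS:
            continue  # other DCE-RPC operations are irrelevant to this detection
        # Floor the timestamp to the start of its fixed window (Splunk's bin/bucket equivalent).
        window_start = int(float(rec["ts"]) // window_seconds) * window_seconds
        key = (rec["id.orig_h"], rec["id.resp_h"], window_start)
        buckets[key][op] += 1

    alerts = []
    for (src, dst, window_start), counts in sorted(buckets.items()):
        # Condition 1: all three operations must be present in the same bucket.
        if not ZEROLOGON_OPS.issubset(counts):
            continue
        # Condition 2: the number of authentication attempts must be elevated.
        if counts["NetrServerAuthenticate3"] < min_auth_attempts:
            continue
        alerts.append({"src": src, "dst": dst, "window_start": window_start,
                       "counts": {op: counts[op] for op in sorted(ZEROLOGON_OPS)}})
    return alerts


if __name__ == "__main__":
    for alert in detect_zerologon(constructed_log_lines()):
        print(json.dumps(alert))
```

Reading an actual file is a matter of passing `open("dce_rpc.log")` in place of `constructed_log_lines()`. Lowering `min_auth_attempts` trades more alerts on ordinary machine-account authentication for earlier detection; the benign host above never alerts regardless of threshold because it never issues NetrServerPasswordSet2.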
Categories
- Network
Data Sources
- Pod
- Container
- User Account
- Process
ATT&CK Techniques
- T1190
Created: 2024-11-15