
Summary
This detection rule identifies attempts to exploit the Zerologon vulnerability (CVE-2020-1472) on Windows systems. It alerts on Event IDs 5805 and 5723, which indicate potential misuse of the Netlogon protocol, and narrows the scope to events that reference the hostname 'kali', as such machines are known to often run tools like mimikatz for various attacks, including Zerologon exploitation. By monitoring for these Event IDs together with the keywords 'kali' and 'mimikatz', the rule helps to detect and mitigate lateral movement within the network that stems from this critical exploit.

The rule is crucial for defending against the unauthorized access and privilege escalation attempts that could severely compromise network security. Proper configuration and timely updates to the response strategy strengthen the protection it provides against real-world attacks targeting the Zerologon vulnerability.
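The following is an added illustration of the rule's logic, not the rule's own implementation: it applies the Event ID check (5805, 5723) and the keyword filter ('kali', 'mimikatz') to a handful of constructed events. The event dictionaries, their field names (EventID, Computer, Message) and the message wording are assumptions made for the example; real events would come from the System log of a domain controller. Note that the hostname keyword is a narrowing filter, not the primary signal: a host can be renamed, so the Event ID match should remain the anchor of the detection, and the third sample event shows a 5805 that the keyword filter deliberately drops.

```python
import re
from typing import Iterable, List, Optional

# Event IDs named by the rule (Netlogon events written to the Windows System log).
ZEROLOGON_EVENT_IDS = {5805, 5723}

# Keywords the rule pairs with those Event IDs; matching is case-insensitive.
KEYWORDS = ("kali", "mimikatz")

# Constructed sample events (not captured data). The message text mimics the
# Netlogon wording so the source-host extraction below has something to parse.
SAMPLE_EVENTS = [
    {"EventID": 5805, "Computer": "DC01.corp.local",
     "Message": "The session setup from the computer kali failed to authenticate. "
                "The following error occurred: Access is denied."},
    {"EventID": 5723, "Computer": "DC01.corp.local",
     "Message": "The session setup from computer 'KALI' failed because there is no "
                "trust account in the security database for this computer."},
    # Same Event ID but no rule keyword: the keyword filter drops it.
    {"EventID": 5805, "Computer": "DC01.corp.local",
     "Message": "The session setup from the computer WS-FINANCE-07 failed to "
                "authenticate. The following error occurred: Access is denied."},
    # Keyword present but not a Netlogon Event ID the rule covers: also dropped.
    {"EventID": 4624, "Computer": "DC01.corp.local",
     "Message": "An account was successfully logged on. Workstation Name: kali"},
]


def matches_rule(event: dict) -> bool:
    """True when the event has one of the rule's Event IDs AND a rule keyword."""
    if event.get("EventID") not in ZEROLOGON_EVENT_IDS:
        return False
    haystack = f"{event.get('Computer', '')} {event.get('Message', '')}".lower()
    return any(keyword in haystack for keyword in KEYWORDS)


def extract_source_host(message: str) -> Optional[str]:
    """Pull the originating computer name out of a Netlogon-style session-setup message.

    The pattern is written for the constructed messages above ("from the computer X"
    or "from computer 'X'"); adapt it if your collector normalises the text differently.
    """
    match = re.search(r"from (?:the )?computer '?([^\s']+)'?", message)
    return match.group(1) if match else None


def run_detection(events: Iterable[dict]) -> List[dict]:
    """Apply the rule to a stream of events and return one alert per match."""
    alerts = []
    for event in events:
        if matches_rule(event):
            alerts.append({
                "event_id": event["EventID"],
                "logged_on": event["Computer"],          # the DC that wrote the event
                "source_host": extract_source_host(event["Message"]),
                "rule": "CVE-2020-1472 Zerologon attempt (Netlogon 5805/5723 + keyword)",
            })
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Running the script prints two alerts, one for each Netlogon event that also carries a rule keyword, and reports the originating host so a responder can pivot to it; the 5805 from the finance workstation and the 4624 logon are left alone, which is exactly the narrowing the rule description calls for.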
Categories
- Windows
- Network
Data Sources
- Logon Session
- Application Log
- Network Traffic
Created: 2020-10-13