
Summary
This detection rule alerts on the creation, deletion, or modification of a group named 'ESX Admins' in Active Directory, activity associated with exploitation of CVE-2024-37085, the VMware ESXi Active Directory integration authentication bypass. On a domain-joined ESXi host, members of a domain group with that name are granted full administrative access, so an attacker with sufficient rights in the domain can create such a group, or rename an existing one, and place a controlled account in it. The rule matches Windows Security event codes 4727 (security-enabled global group created), 4730 (security-enabled global group deleted) and 4737 (security-enabled global group changed) where the target group is 'ESX Admins'; because 4737 also fires when a group's SAM account name changes, a pre-existing group renamed to that value is covered as well. The underlying Splunk search aggregates matching events by event code and returns supporting metadata (timestamps, the account that made the change, the event description) for triage. Two practical points: the group-name comparison should be case-insensitive, since Active Directory does not distinguish case in sAMAccountName, and these events are logged on domain controllers only, so 'Audit Security Group Management' must be enabled and DC Security logs must be ingested for the rule to fire.
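The following is an added example, not the Splunk content itself: the rule's matching and aggregation logic re-implemented in plain Python and run over constructed Windows Security events, so the matching behaviour (event code filter, case-insensitive group name, rename via 4737) can be checked offline. The field names EventCode, TargetUserName, SamAccountName, SubjectUserName, ComputerName and _time are assumptions modelled on how Windows Security events are commonly exposed in Splunk; the sample events are fabricated for illustration.

```python
"""Re-implementation of the 'ESX Admins' group-change detection over constructed
Windows Security events. Added example; field names are assumed, not taken from
the original rule."""
from __future__ import annotations

from dataclasses import dataclass

# Security-enabled global group lifecycle events the rule keys on.
GROUP_EVENT_CODES = {
    4727: "A security-enabled global group was created",
    4730: "A security-enabled global group was deleted",
    4737: "A security-enabled global group was changed",
}

# Group name that AD-joined ESXi hosts treat as an admin group (CVE-2024-37085).
WATCHED_GROUP = "esx admins"


@dataclass(frozen=True)
class Hit:
    time: str
    event_code: int
    description: str
    group: str
    subject: str
    host: str


def _norm(name: str) -> str:
    # sAMAccountName matching in AD is case-insensitive; strip padding too.
    return name.strip().lower()


def find_esx_admins_changes(events: list[dict]) -> list[Hit]:
    """Return every 4727/4730/4737 event whose group is, or becomes, 'ESX Admins'."""
    hits: list[Hit] = []
    for ev in events:
        try:
            code = int(ev.get("EventCode", 0))
        except (TypeError, ValueError):
            continue  # malformed or missing event code: not one of ours
        if code not in GROUP_EVENT_CODES:
            continue
        # Group name as logged. For 4737 also consider the changed SAM Account Name
        # attribute (assumed field 'SamAccountName'), so that an existing group
        # renamed to 'ESX Admins' is caught whichever field carries the new name.
        names = {_norm(ev.get("TargetUserName", ""))}
        if code == 4737:
            names.add(_norm(ev.get("SamAccountName", "")))
        if WATCHED_GROUP not in names:
            continue
        hits.append(Hit(
            time=ev.get("_time", ""),
            event_code=code,
            description=GROUP_EVENT_CODES[code],
            group=ev.get("TargetUserName", ""),
            subject=ev.get("SubjectUserName", ""),
            host=ev.get("ComputerName", ""),
        ))
    return hits


def summarize(hits: list[Hit]) -> dict[int, dict]:
    """Aggregate hits per event code: count, first/last seen, acting accounts."""
    out: dict[int, dict] = {}
    for h in hits:
        s = out.setdefault(h.event_code, {
            "description": h.description, "count": 0,
            "first": h.time, "last": h.time, "subjects": set(),
        })
        s["count"] += 1
        s["first"] = min(s["first"], h.time)  # ISO-8601 strings sort lexically
        s["last"] = max(s["last"], h.time)
        s["subjects"].add(h.subject)
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"_time": "2024-11-13T09:00:00Z", "EventCode": 4727, "TargetUserName": "ESX Admins",
     "SubjectUserName": "jdoe", "ComputerName": "DC01"},
    {"_time": "2024-11-13T09:00:05Z", "EventCode": 4727, "TargetUserName": "FileShare Users",
     "SubjectUserName": "jdoe", "ComputerName": "DC01"},
    {"_time": "2024-11-13T09:01:00Z", "EventCode": 4720, "TargetUserName": "svc_backup",
     "SubjectUserName": "jdoe", "ComputerName": "DC01"},
    # Existing group renamed to the watched name; the new name sits in the changed attribute.
    {"_time": "2024-11-13T09:02:00Z", "EventCode": 4737, "TargetUserName": "Helpdesk",
     "SamAccountName": "ESX Admins", "SubjectUserName": "attacker", "ComputerName": "DC02"},
    # Attribute change on the group, logged with the case variation AD permits.
    {"_time": "2024-11-13T09:03:00Z", "EventCode": 4737, "TargetUserName": "esx admins",
     "SubjectUserName": "attacker", "ComputerName": "DC02"},
    {"_time": "2024-11-13T09:04:00Z", "EventCode": 4730, "TargetUserName": "ESX Admins ",
     "SubjectUserName": "attacker", "ComputerName": "DC02"},
]

if __name__ == "__main__":
    for code, s in sorted(summarize(find_esx_admins_changes(SAMPLE_EVENTS)).items()):
        print(code, s["description"], s["count"], s["first"], s["last"], sorted(s["subjects"]))
```

Run against the sample set, the 4727 for 'FileShare Users' and the 4720 user-creation event are ignored, while the create, the rename, the mixed-case change and the delete all surface, grouped by event code with the acting account, which is what an analyst needs first when deciding whether the change was an administrator's or an intruder's.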
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Windows Registry
- User Account
ATT&CK Techniques
- T1136.001
- T1136.002
Created: 2024-11-13