diff --git a/rules/windows/builtin/win_vul_cve_2020_1472.yml b/rules/windows/builtin/win_vul_cve_2020_1472.yml
new file mode 100644
index 000000000..992ca7a28
--- /dev/null
+++ b/rules/windows/builtin/win_vul_cve_2020_1472.yml
@@ -0,0 +1,23 @@
+title: Vulnerable Netlogon Secure Channel Connection Allowed
+id: a0cb7110-edf0-47a4-9177-541a4083128a
+status: experimental
+description: Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.
+references:
+    - https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
+author: NVISO
+date: 2020/09/15
+tags:
+    - attack.privilege_escalation
+logsource:
+    product: windows
+    service: system
+detection:
+    selection:
+        EventID:
+            - 5829
+    condition: selection
+fields:
+    - SAMAccountName
+falsepositives:
+    - Unknown
+level: high