Vulnerable Netlogon Secure Channel Connection Allowed

Apr 14, 2023 · attack.privilege_escalation attack.t1548 ·

Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.

Sigma rule (View on GitHub)

 1title: Vulnerable Netlogon Secure Channel Connection Allowed
 2id: a0cb7110-edf0-47a4-9177-541a4083128a
 3status: test
 4description: Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.
 5references:
 6    - https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
 7author: NVISO
 8date: 2020/09/15
 9modified: 2022/12/25
10tags:
11    - attack.privilege_escalation
12    - attack.t1548
13logsource:
14    product: windows
15    service: system
16detection:
17    selection:
18        Provider_Name: NetLogon  # Active Directory: NetLogon ETW GUID {F33959B4-DBEC-11D2-895B-00C04F79AB69}
19        EventID: 5829
20    condition: selection
21falsepositives:
22    - Unknown
23fields:
24    - SAMAccountName
25level: high

References

How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 - Microsoft Support

Learn how to update DCs, and address vulnerable connections and non-compliant devices, to protect against the Netlogon vulnerability CVE-2020-1472

Read More

Vulnerable Netlogon Secure Channel Connection Allowed

Sigma rule (View on GitHub)

References

How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 - Microsoft Support

Related rules