sigmahighHunting

Vulnerable Netlogon Secure Channel Connection Allowed

Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.

MITRE ATT&CK

defense-evasionprivilege-escalation

Detection Query

selection:
  Provider_Name: NetLogon
  EventID: 5829
condition: selection

Author

NVISO

Created

2020-09-15

Data Sources

windowssystem

Platforms

windows

References

https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

Tags

attack.defense-evasionattack.privilege-escalationattack.t1548

Raw Content

title: Vulnerable Netlogon Secure Channel Connection Allowed
id: a0cb7110-edf0-47a4-9177-541a4083128a
status: test
description: Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.
references:
    - https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
author: NVISO
date: 2020-09-15
modified: 2022-12-25
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: NetLogon  # Active Directory: NetLogon ETW GUID {F33959B4-DBEC-11D2-895B-00C04F79AB69}
        EventID: 5829
    condition: selection
falsepositives:
    - Unknown
level: high