Splunk Search

search for net-logon with less false positive

cyberfan
Explorer

We want to check for any Zerologon exploit in the environment. Is there a Splunk search available? How do we detect a malicious RPC connection? Thanks.


cyberfan
Explorer

Hi, we patched the AD server with the Aug. 11 monthly rollup and tested the exploit. The exploit was not successful, but no 5827-5831 events were generated. Do I need to set up the Windows server so these event codes will be generated?


nadine_wondem
New Member

You'll need to enable the logging of the event codes associated with the vulnerabilities on the domain controllers. Please speak to your Windows team, or take a look at this documentation:

https://docs.microsoft.com/en-us/troubleshoot/windows-client/windows-security/enable-debug-logging-n...

https://support.microsoft.com/en-us/help/4557233/script-to-help-in-monitoring-event-ids-related-to-c...


thambisetty
SplunkTrust

  • Log event IDs 5827 and 5828 in the System event log if connections are denied.
  • Log event IDs 5830 and 5831 in the System event log if connections are allowed by the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.
  • Log event ID 5829 in the System event log whenever a vulnerable Netlogon secure channel connection is allowed. These events should be addressed before the DC enforcement mode is configured or before the enforcement phase starts on February 9, 2021.

You should monitor the above-mentioned events from your domain controllers.

You can schedule this search every 15 or 30 minutes, or as per your requirement.

index=<windowsindexlogs> host=<yourdomaincontroller> EventCode IN (5827,5828,5829,5830,5831)
| stats earliest(_time) as earliestTime latest(_time) as latestTime by EventCode, host
| convert timeformat="%d/%m/%Y %T" ctime(*Time)

————————————
If this helps, give a like below.
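The same aggregation as the search above, carried out outside Splunk as an added Python example (not the poster's code or anything from Splunk); it also tags each event ID with the status the list above gives it and flags the DCs that still need attention. The log lines and their key=value layout are constructed for the example, and the regex assumes that layout.

```python
import re
from datetime import datetime

# Status per event ID, as the post lists them: 5827/5828 denied, 5830/5831
# allowed by group policy, 5829 vulnerable connection allowed (must be fixed).
NETLOGON_STATUS = {5827: "denied", 5828: "denied", 5829: "vulnerable-allowed",
                   5830: "allowed-by-policy", 5831: "allowed-by-policy"}

# Constructed sample lines, not real DC output: one System-log event per line
# in a key=value layout similar to what a Windows forwarder would produce.
SAMPLE_LOG = """\
2020-08-13 10:15:02 host=DC01 EventCode=5829 Channel=System Account=WS17$
2020-08-13 10:15:09 host=DC01 EventCode=5829 Channel=System Account=WS17$
2020-08-13 11:02:40 host=DC02 EventCode=5827 Channel=System Account=WS42$
2020-08-13 11:03:00 host=DC02 EventCode=5830 Channel=System Account=PRN01$
2020-08-13 11:03:01 host=DC02 EventCode=4624 Channel=Security Account=jdoe
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                     r"host=(?P<host>\S+) EventCode=(?P<code>\d+)")

def summarize_netlogon(log_text):
    """Same aggregation as the SPL search: earliest, latest and count per
    (EventCode, host), restricted to the five Netlogon event IDs."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group("code")) not in NETLOGON_STATUS:
            continue  # mirrors EventCode IN (5827,5828,5829,5830,5831)
        code = int(m.group("code"))
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        entry = summary.setdefault((code, m.group("host")), {
            "count": 0, "earliest": ts, "latest": ts, "status": NETLOGON_STATUS[code]})
        entry["count"] += 1
        entry["earliest"] = min(entry["earliest"], ts)
        entry["latest"] = max(entry["latest"], ts)
    return summary

def needs_attention(summary):
    """Domain controllers that still allow vulnerable connections (5829) or
    exempt accounts by policy (5830/5831); denied events alone are fine."""
    return sorted({host for (_, host), e in summary.items() if e["status"] != "denied"})

if __name__ == "__main__":
    s = summarize_netlogon(SAMPLE_LOG)
    for (code, host), e in sorted(s.items()):
        print(f"{host} {code} {e['status']:18} x{e['count']} "
              f"{e['earliest']:%d/%m/%Y %H:%M:%S} .. {e['latest']:%d/%m/%Y %H:%M:%S}")
    print("needs attention:", needs_attention(s))
```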

cyberfan
Explorer

Hi, thanks, but we did not incorporate Windows events into Splunk. How do we detect it?
