Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

search for net-logon with less false positive

cyberfan
Explorer
‎09-21-2020 11:44 PM

we want to check any zero-logon exploit in the environment, is there splunk search available? how to detect malicious rpc connection? thanks

Labels (1)
Labels
Tags (1)
0 Karma
Reply

cyberfan
Explorer
‎10-05-2020 02:00 AM

Hi, we patch the AD server Aug.11 monthly rollup, we test the exploit, the exploit is not successful , but no 5827-5831 event is generated, do I need to setup windows server, so these event code will be generated

0 Karma
Reply

nadine_wondem
New Member
‎10-02-2020 01:18 PM

You'll need to enable the logging of the eventcodes associated with the vulnerabilities on the domain controllers. Please speak to your Windows team. Or you can take a look at this documentation. 

https://docs.microsoft.com/en-us/troubleshoot/windows-client/windows-security/enable-debug-logging-n...

https://support.microsoft.com/en-us/help/4557233/script-to-help-in-monitoring-event-ids-related-to-c...

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-22-2020 12:26 AM
  • event IDs 5827 and 5828 in the System event log, if connections are denied.
  • Log event IDs 5830 and 5831 in the System event log, if connections are allowed by "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.
  • Log event ID 5829 in the System event log whenever a vulnerable Netlogon secure channel connection is allowed. These events should be addressed before the DC enforcement mode is configured or before the enforcement phase starts on February 9, 2021.

you should monitor the above mentioned events from Domain controllers. 

you can schedule this search for every 15 minutes or 30 minutes or as per your requirement.

 

index=<windowsindexlogs> host=<yourdomaincontroller> EventCode IN (5827,5828,5829,5830,5831)
| stats earliest(_time) as earliestTime latest(_time) as latestTime by EventCode, host
| convert ctime("*Time") timeformat="%d/%m/%Y %T"

 

 

————————————
If this helps, give a like below.
0 Karma
Reply

cyberfan
Explorer
‎09-22-2020 02:06 AM

Hi, thanks, but we did not incorporate windows Event into splunk, how to detect ?

Tags (1)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...