We want to check for any Zerologon exploit in the environment. Is there a Splunk search available? How do we detect malicious RPC connections? Thanks.
Hi, we patched the AD server with the Aug. 11 monthly rollup and tested the exploit. The exploit was not successful, but no 5827-5831 events were generated. Do I need to set up the Windows server so that these event codes will be generated?
You'll need to enable the logging of the event codes associated with the vulnerabilities on the domain controllers. Please speak to your Windows team. Or you can take a look at this documentation.
You should monitor the above-mentioned events from domain controllers.
You can schedule this search to run every 15 or 30 minutes, or as per your requirement.
index=<windowsindexlogs> host=<yourdomaincontroller> EventCode IN (5827,5828,5829,5830,5831)
| stats earliest(_time) as earliestTime latest(_time) as latestTime by EventCode, host
| convert ctime("*Time") timeformat="%d/%m/%Y %T"
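As an added, stand-alone illustration of what that search does (example code, not from this thread or from Splunk), the Python below applies the same earliest/latest grouping per EventCode and host to constructed sample event lines, and additionally separates the IDs that mean a vulnerable Netlogon connection was denied (5827, 5828) from those that mean it was allowed (5829-5831), since the allowed ones point at clients that still need remediation. The event descriptions follow Microsoft's documentation for these Netlogon event IDs; the log layout, host names and account names are constructed.

```python
import re
from datetime import datetime

# Netlogon event IDs added by the DC update this thread discusses; the denied/allowed
# split and descriptions follow Microsoft's documentation for these IDs (not the thread).
NETLOGON_EVENTS = {
    5827: ("denied", "vulnerable secure channel from a machine account was blocked"),
    5828: ("denied", "vulnerable secure channel using a trust account was blocked"),
    5829: ("allowed", "vulnerable secure channel was ALLOWED (initial deployment phase)"),
    5830: ("allowed", "vulnerable machine account allowed by group policy exception"),
    5831: ("allowed", "vulnerable trust account allowed by group policy exception"),
}

# Constructed sample lines in a simplified "time host EventCode=N Account=X" layout (not real logs).
SAMPLE_LOGS = """\
2020-09-15T10:01:12Z dc01 EventCode=4624 Account=alice
2020-09-15T10:02:45Z dc01 EventCode=5829 Account=LEGACYNAS$
2020-09-15T10:05:03Z dc01 EventCode=5827 Account=WKS-042$
2020-09-15T11:17:30Z dc02 EventCode=5829 Account=LEGACYNAS$
2020-09-15T11:20:00Z dc01 EventCode=5827 Account=WKS-042$
"""

LINE_RE = re.compile(r"^(\S+) (\S+) EventCode=(\d+) Account=(\S+)$")

def summarize(raw):
    """Mirror the SPL stats: earliest/latest per (EventCode, host), plus the accounts seen."""
    stats = {}
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed layout
        ts, host, code, account = m.groups()
        code = int(code)
        if code not in NETLOGON_EVENTS:
            continue  # same filter as EventCode IN (5827,...,5831)
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        e = stats.setdefault((code, host), {"earliest": t, "latest": t, "accounts": set()})
        e["earliest"], e["latest"] = min(e["earliest"], t), max(e["latest"], t)
        e["accounts"].add(account)
    return stats

def still_vulnerable_accounts(stats):
    """Accounts that completed a vulnerable secure channel (5829/5830/5831): remediation targets."""
    return sorted({a for (code, _), e in stats.items()
                   if NETLOGON_EVENTS[code][0] == "allowed" for a in e["accounts"]})

if __name__ == "__main__":
    s = summarize(SAMPLE_LOGS)
    for (code, host), e in sorted(s.items()):
        print(f"{host} {code} {NETLOGON_EVENTS[code][1]}: "
              f"{e['earliest']:%d/%m/%Y %H:%M:%S} .. {e['latest']:%d/%m/%Y %H:%M:%S} "
              f"accounts={sorted(e['accounts'])}")
    print("still vulnerable:", still_vulnerable_accounts(s))
```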