Splunk Search

Search for Netlogon with fewer false positives

cyberfan
Explorer

We want to check for any Zerologon exploit in the environment. Is there a Splunk search available? How to detect malicious RPC connections? Thanks.


cyberfan
Explorer

Hi, we patched the AD server with the Aug. 11 monthly rollup. We tested the exploit; the exploit was not successful, but no 5827-5831 events were generated. Do I need to set up the Windows server so these event codes will be generated?


nadine_wondem
New Member

You'll need to enable the logging of the event codes associated with the vulnerabilities on the domain controllers. Please speak to your Windows team. Or you can take a look at this documentation.

https://docs.microsoft.com/en-us/troubleshoot/windows-client/windows-security/enable-debug-logging-n...

https://support.microsoft.com/en-us/help/4557233/script-to-help-in-monitoring-event-ids-related-to-c...


thambisetty
SplunkTrust
  • Log event IDs 5827 and 5828 in the System event log, if connections are denied.
  • Log event IDs 5830 and 5831 in the System event log, if connections are allowed by the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.
  • Log event ID 5829 in the System event log whenever a vulnerable Netlogon secure channel connection is allowed. These events should be addressed before the DC enforcement mode is configured or before the enforcement phase starts on February 9, 2021.

You should monitor the above-mentioned events from domain controllers.

You can schedule this search to run every 15 or 30 minutes, or as per your requirement.

index=<windowsindexlogs> host=<yourdomaincontroller> EventCode IN (5827,5828,5829,5830,5831)
| stats earliest(_time) as earliestTime latest(_time) as latestTime by EventCode, host
| convert ctime("*Time") timeformat="%d/%m/%Y %T"

————————————
If this helps, give a like below.
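As an added example, not from this thread or from Splunk: the same EventCode 5827-5831 triage that the search above performs, written in plain Python over constructed System-log records so it can be run and checked offline. The record layout, host names and the `Machine` field are assumptions; the event ID meanings follow the Microsoft guidance quoted in the answer.

```python
from datetime import datetime, timezone
# Netlogon secure channel event IDs and what each one means on the DC.
NETLOGON_EVENTS = {
    5827: ("vulnerable_denied", "vulnerable connection from a machine account denied"),
    5828: ("vulnerable_denied", "vulnerable connection from a trust account denied"),
    5829: ("vulnerable_allowed", "vulnerable connection ALLOWED; fix before enforcement"),
    5830: ("policy_allowed", "allowed by group policy: machine account"),
    5831: ("policy_allowed", "allowed by group policy: trust account"),
}
SEVERITY = {"vulnerable_allowed": 0, "vulnerable_denied": 1, "policy_allowed": 2}
# Constructed sample records standing in for WinEventLog:System events
# ('Machine' approximates the Machine SamAccountName in the event message).
SAMPLE_EVENTS = [
    "2021-01-15T08:00:00Z host=DC01 EventCode=5829 Machine=LEGACY-NAS$",
    "2021-01-15T08:05:00Z host=DC01 EventCode=7036 Machine=-",
    "2021-01-15T09:30:00Z host=DC01 EventCode=5829 Machine=LEGACY-NAS$",
    "2021-01-15T09:31:00Z host=DC02 EventCode=5827 Machine=WS42$",
    "2021-01-15T09:31:02Z host=DC02 EventCode=5827 Machine=WS42$",
    "2021-01-16T11:00:00Z host=DC02 EventCode=5830 Machine=PRINTER$",
]

def parse_event(line):
    """One 'ts key=value ...' record -> dict with a UTC datetime in _time."""
    ts, rest = line.split(" ", 1)
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["_time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["EventCode"] = int(rec["EventCode"])
    return rec

def summarize(lines):
    """Same as '| stats earliest(_time) latest(_time) count by EventCode, host'."""
    stats = {}
    for rec in map(parse_event, lines):
        if rec["EventCode"] not in NETLOGON_EVENTS:
            continue  # unrelated System-log events drop out, as in the search
        s = stats.setdefault((rec["EventCode"], rec["host"]),
                             {"earliest": rec["_time"], "latest": rec["_time"], "count": 0})
        s["earliest"] = min(s["earliest"], rec["_time"])
        s["latest"] = max(s["latest"], rec["_time"])
        s["count"] += 1
    return stats

def triage(lines):
    """Rows sorted by severity; times use the search's %d/%m/%Y %T layout."""
    fmt = "%d/%m/%Y %H:%M:%S"  # %T on glibc, spelled out for portability
    rows = []
    for (code, host), s in summarize(lines).items():
        kind, meaning = NETLOGON_EVENTS[code]
        rows.append((SEVERITY[kind], code, host, s["count"],
                     s["earliest"].strftime(fmt), s["latest"].strftime(fmt), meaning))
    return sorted(rows)
```

Any 5829 row means a vulnerable channel is still being allowed on that DC and is the first thing to chase; 5827/5828 rows show denied attempts worth correlating with the named machine account.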

cyberfan
Explorer

Hi, thanks, but we did not incorporate Windows events into Splunk. How to detect?
