• Solutions
    • Managed Detection and Response (MDR)
      • Security Information and Event Management (SIEM)
      • Network Detection & Response (NDR)
      • Endpoint Detection & Response (EDR/XDR)
    • Advanced Threat Detection
    • Cyber Threat Intelligence (CTI)
    • Continuous Threat Monitoring
    • Security Orchestration, Automation, and Response (SOAR)
    • Professional Services
  • ShieldVision™
  • By Use Case
    • Security Compliance & Regulations
    • Security Architecture
    • Vulnerability Management
    • Network Monitoring
    • Email Security
    • Digital Risk
  • Industries
  • SOC
    • SOC Team
    • ShieldVision™
    • Compliance
  • Visibility Triad
  • Knowledge Center
    • Blog
    • Cybersecurity Fundamentals
    • Threat Briefs
    • Client Stories
    • Use Cases
    • Webinars
    • CISO Newsletter
  • Partners
    • Managed Service Provider (MSP)
    • Technology Partners
  • Company
    • About Lumifi
    • News & Press Releases
    • Meet the Team
    • Executive Briefing Center
    • Contact Us
    • Careers – we're hiring!
  • Talk to an Expert
  • Solutions
    Lumifi ShieldVision™
    ShieldVision is Lumifi’s proprietary technology. It is a singular, multi-tenant platform that increases interoperability between elements of the SOC visibility triad and enables clients to react to threats and breaches more effectively, resulting in fortified security environments and optimized business.
    Explore the Platform.

    Solutions

    Managed Detection & Response (MDR)
    Security Information & Event Management (SIEM)
    Network Detection & Response (NDR)
    Endpoint Detection & Response (EDR/XDR)
    Advanced Threat Detection
    Threat Hunting
    Cyber Threat Intelligence (CTI)
    Continuous Threat Monitoring
    Vulnerability ManagementSecurity Orchestration, Automation, and Response (SOAR)Professional Services

    Use Cases

    Network MonitoringEmail SecurityCloud SecurityDigital RiskSecurity & ComplianceSecurity Architecture

    Industries

    HealthcareLegalFinanceManufacturingEnergy & Utilities View All
  • SOC

    Security Operations Center

    People
    SOC TeamAnalystContentEngineeringResearch & Development
    Technology
    ShieldVision™
    Lumifi's proprietary technology
    Process
    Compliance Security Operations Center (SOC) 2 Type IINIST 800-171
  • Visibility Triad
  • Knowledge Center

    Knowledge Center

    Cybersecurity Fundamentals
    BlogThreat BriefsCase StudiesCISO NewsletterWebinars
    FEATURED RESOURCES
    Cloud Security Posture Management (CSPM) Explained: How to Address Cloud Infrastructure RisksRead More »
    Illuminating Blind Spots with the Visibility TriadRead More »
    What is SaaS Security Posture Management (SSPM) and Why is it Important?Read More »
    FEATURED THREAT CONTENT
    July 1, 2024
    MOVEit Authentication Bypass (CVE-2024-5806)
    May 7, 2024
    ToddyCat is Making Holes in your Infrastructure
    April 18, 2024
    Mitigating Risk: Understanding Vulnerabilities in the Ivanti Product Suite
    View all »
  • Partners

    Our Partners

    Managed Service Providers (MSP)Technology Partners
    SIEM
    EDR/XDR
    NDR
    Digital Risk
    Data Management
    Collect and analyze log data from every corner of your organization. Pinpoint security events and launch detailed investigations in response. Gather and correlate data from across your entire IT infrastructure to find and analyze threats with customized detection rules.
    Gain real-time insight into endpoint threats and block malicious activity before it leads to business disruption. Secure your organization’s laptops, desktops, and mobile devices with best-in-class solutions configured to counter the latest threats.
    Catch attackers after they gain entry to your network. Analyze network traffic to prevent lateral movement and leverage behavioral data to gain security insights. Eliminate blind spots in your network and catch malicious insiders before they have a chance to attack.
    Digital risk encompasses the potential harm or loss arising from cyber threats, data breaches, compliance and legal issues, and reputational risks, necessitating proactive management strategies, including the use of advanced cybersecurity tools and best practices, to safeguard organizations in the dynamic digital landscape.
    As data volumes surge, managing them within budget constraints can be challenging. Explore how our portfolio prioritizes your data in your management strategy. Gain the choice, control, and flexibility needed to navigate the tension between data growth, budgets, and resources effectively.

  • Company

    Company

    About LumifiPress Release & NewsMeet the Team
    Executive Briefing CenterContact UsCareers - We're Hiring!
    Certification

    SOC 2 Type 2

    SOC-2-Type-2 Logo
Talk to an expert
Home » Blog » Detecting Zerologon - more than event 5829

Detecting Zerologon - more than event 5829

By Elliot Anderson  |  October 19, 2020

 Zerologon basics

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

Most current client machines are already (or should already) be using secured RPC without any recent published patches‚ In other words, we can "Assume" that all our current connections are using Secured RPC already.

But this is security and we don't assume. This recent patch mandates the following:

  • DC Begin enforcing secure RPC usage for all Windows-based device accounts, trust accounts and all DCs.
  • Log event IDs 5827 and 5828 in the System event log, if connections are denied.
  • Log event IDs 5830 and 5831 in the System event log, if connections are allowed by "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.
  • Log event ID 5829 in the System event log whenever a vulnerable Netlogon secure channel connection is allowed. These events should be addressed before the DC enforcement mode is configured or before the enforcement phase starts on February 9, 2021.

We need to be searching for event 5827-5831 , NOT JUST 5829, it will not log until post patching

"Mitigation consists of installing the update on all DCs and RODCs, monitoring for new events, and addressing non-compliant devices that are using vulnerable Netlogon secure channel connections. Machine accounts on non-compliant devices can be allowed to use vulnerable Netlogon secure channel connections; however, they should be updated to support secure RPC for Netlogon and the account enforced as soon as possible to remove the risk of attack"

Script from Microsoft for testing

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1

Managing secure channel changes

https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

Note that February 2021 enforcement will be mandated in the scheduled patching, so with basic dashboards and reports now, we can help you find applications and machines that may need to be addressed or retired soon.

Please schedule time with Lumifi for assistance in detecting this and other concerns with your platform

By Elliot Anderson
Detecting Zerologon - more than event 5829

Topics Covered

Security Operations Center (SOC), Security Information and Event Management (SIEM), Exabeam, Network Security

Share This

Subscribe to Lumifi's Daily Cybersecurity News Curated by a CISO

Mike Hamilton, CISO of Lumifi, curates the top cybersecurity news every weekday, delivering the latest breaches, alerts, and industry developments in the Daily Blast, your go-to morning source for InfoSec updates.

Related Articles

Cloud Security Posture Management (CSPM) Explained: How to Address Cloud Infrastructure Risks

Cloud Security Posture Management (CSPM) Explained: How to Address Cloud Infrastructure Risks

Illuminating Blind Spots with the Visibility Triad

Illuminating Blind Spots with the Visibility Triad

What is SaaS Security Posture Management (SSPM) and Why is it Important?

What is SaaS Security Posture Management (SSPM) and Why is it Important?

1 2 3 4 5 6 7 8 9 10 … 132 133 134 135 136 137 138 139 140 141 Next »

📣  Announcing:

Lumifi Acquires Critical Insight

We’ve expanded our MDR capabilities with enhanced incident response and security services to better protect against evolving cyber threats.

Learn More
1475 N Scottsdale Rd STE 410 
Scottsdale, AZ 85257 
877.388.4984
©2024 Lumifi Cyber
All Rights Reserved
Visit our TwitterVisit our LinkedIn

Solutions

Managed Detection & Response
Security Information & Event Management (SIEM)
Network Detection & Response (NDR)
Endpoint Detection & Response (EDR/XDR)
Advanced Threat Detection
Threat Hunting
Vulnerability Management
Cyber Threat Intelligence (CTI)
Continuous Threat Monitoring
Security Orchestration, Automation, and Response (SOAR)
Professional Services

Use cases

Security & Compliance
Security Architecture
Network MonitoringEmail Security
Digital Risk
Cloud Security
Visibility Triad
ShieldVision™

PARTNERS

Technology Partners
Managed Service Providers

KNowledge Center

Cybersecurity Fundamentals
Blogs
Threat Briefs 
Client Stories
Webinars

COMPANY

About 
Meet the Team
Careers
Press Releases & News
Contact Us
Privacy PolicyTerms & ConditionsSitemapSafeHotlineLumifi Trust Center
closeprintfacebookenvelopelinkedinangle-downxingpaper-planepinterest-pwhatsappcommentingx-twittermagnifiercrossmenuchevron-down linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram