How to detect a true positive for event ID 5829 (Zerologon)?

Aamir Bin Jamal 1 Reputation point
2020-09-27T15:31:12.567+00:00

Hi

We have applied the August 2020 patches for Zerologon; since then I am getting a high number of events for event ID 5829.
I am not able to identify the true positives. It is flooding the SIEM.

Event Name : The Netlogon service allowed a vulnerable Netlogon secure channel connection

In the event I can see the log category System, the subcategory Netlogon, and the source is the DC.

I need to know how to identify a true positive out of it.

Regards
Admin


3 answers

  1. Anonymous
    2020-09-27T15:44:15.163+00:00

    On the problem member you can run this from PowerShell:
    Test-ComputerSecureChannel
    https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1

    --please don't forget to Accept as answer if the reply is helpful--


  2. Anonymous
    2020-09-28T05:54:28.32+00:00

    Hello @Aamir Bin Jamal,

    Thank you for posting here.

    Based on the description, do we want to find the device accounts or trust accounts through Event ID 5829?

    If so, we can see the fields below, based on the linked article.
    [screenshot: 28578-58291.png]

    How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472
    https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

    If anything I misunderstood you, please correct me.

    Thank you for your understanding.

    Best Regards,
    Daisy Zhou

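The fields the KB article lists for event 5829 (machine SAM account name, domain, account type, machine operating system) are what a practitioner would group on to turn the flood into a short list of non-compliant devices. The script below is an added example for this thread, not code from the original poster, the answerer, or Microsoft. It assumes (not stated on the page) that the NETLOGON provider writes 5829 to the System log, that the event text carries the labels "Machine SamAccountName:", "Domain:", "Account Type:" and "Machine Operating System:" as described in KB4557222, and that the ActiveDirectory module (RSAT) is available for the enrichment step; the regex is deliberately loose so small wording differences still match.

```powershell
# Added example (not from the thread): triage Netlogon event 5829 on a DC by
# grouping vulnerable connections per machine/trust account and enriching each
# account from AD. Assumptions: NETLOGON provider in the System log, message
# labels as documented in KB4557222, ActiveDirectory module installed.
[CmdletBinding()]
param(
    [string[]]$DomainController = @($env:COMPUTERNAME),
    [datetime]$Since = (Get-Date).AddDays(-7)
)

function Get-MessageField {
    # Pull "<label>: <value>" out of the event text. Anchoring on the colon keeps
    # "Machine Operating System:" from also matching "Machine Operating System Build:".
    param([string]$Message, [string]$Label)
    $pattern = '(?im)^[^\r\n]*?' + [regex]::Escape($Label) + '\s*:\s*(?<v>[^\r\n]+)'
    if ($Message -match $pattern) { return $Matches['v'].Trim() }
    return $null
}

function Get-VulnerableNetlogonConnection {
    # One object per 5829 event, carrying the fields the KB article names.
    param([string]$Computer, [datetime]$Since)
    $filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5829; StartTime = $Since }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                DC             = $Computer
                TimeCreated    = $_.TimeCreated
                SamAccountName = Get-MessageField $_.Message 'SamAccountName'
                Domain         = Get-MessageField $_.Message 'Domain'
                AccountType    = Get-MessageField $_.Message 'Account Type'
                OS             = Get-MessageField $_.Message 'Operating System'
            }
        }
}

function Get-AdContext {
    # Enrich the account from AD (assumption: RSAT present). Trust accounts and
    # deleted or foreign objects are not computer objects, so the lookup fails for them.
    param([string]$SamAccountName)
    try {
        $c = Get-ADComputer -Identity $SamAccountName -Properties OperatingSystem, LastLogonDate -ErrorAction Stop
        return [pscustomobject]@{ InAD = $true; Enabled = $c.Enabled; AdOS = $c.OperatingSystem; LastLogon = $c.LastLogonDate }
    } catch {
        return [pscustomobject]@{ InAD = $false; Enabled = $null; AdOS = $null; LastLogon = $null }
    }
}

$events = foreach ($dc in $DomainController) {
    Get-VulnerableNetlogonConnection -Computer $dc -Since $Since
}

# Collapse thousands of identical events into one row per account: how many
# times it connected insecurely, when, through which DCs, and what AD knows about it.
$summary = $events |
    Group-Object SamAccountName, Domain, AccountType |
    ForEach-Object {
        $ordered = $_.Group | Sort-Object TimeCreated
        $ad = Get-AdContext -SamAccountName $ordered[0].SamAccountName
        [pscustomobject]@{
            SamAccountName = $ordered[0].SamAccountName
            Domain         = $ordered[0].Domain
            AccountType    = $ordered[0].AccountType
            ReportedOS     = $ordered[0].OS
            Count          = $_.Count
            FirstSeen      = $ordered[0].TimeCreated
            LastSeen       = $ordered[-1].TimeCreated
            DCs            = ($_.Group.DC | Sort-Object -Unique) -join ';'
            InAD           = $ad.InAD
            Enabled        = $ad.Enabled
            AdOS           = $ad.AdOS
            LastLogon      = $ad.LastLogon
        }
    } |
    Sort-Object Count -Descending

$summary | Format-Table -AutoSize
# Hand the distinct account list to the SIEM as a lookup instead of the raw event stream.
$summary | Export-Csv -Path '.\netlogon-5829-summary.csv' -NoTypeInformation
```

Run it on each DC (or pass several names in -DomainController) with an account that can read the System log and query AD. Every 5829 is a genuine insecure channel from the named account rather than noise, so the list is the work queue: patch or reconfigure each device, and the row disappears once it connects securely. Rows with InAD false are typically the trust accounts the KB article describes (they have their own 5828/5831 counterparts once enforcement or an exception is in place), and once the DC moves to enforcement mode the same accounts would show up as denied connections (5827/5828) instead of 5829.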

  3. Aamir Bin Jamal 1 Reputation point
    2020-09-29T14:56:32.073+00:00

    Hi Daisy and Patrick

    Thanks for your responses; they are helpful.

    @Daisy: I am also getting the same set of fields as you mentioned here.

    But the information is not enough to analyze for a true positive. I am getting the same SAM account name and DC name in all my events.

    Can you please help me correlate this alert with others to get correct results?

    regards
    Admin

