Detectionhightest

Vulnerable Netlogon Secure Channel Connection Allowed

Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

NVISOCreated Tue Sep 15Updated Sun Dec 25a0cb7110-edf0-47a4-9177-541a4083128awindows

Log Source

Windowssystem

ProductWindows← raw: windows

Servicesystem← raw: system

Detection Logic

detection:
    selection:
        Provider_Name: NetLogon  # Active Directory: NetLogon ETW GUID {F33959B4-DBEC-11D2-895B-00C04F79AB69}
        EventID: 5829
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

support.microsoft.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0004 · Privilege Escalation

Techniques

T1548 · Abuse Elevation Control Mechanism

Rule Metadata

Rule ID

a0cb7110-edf0-47a4-9177-541a4083128a

Status

test

Level

high

Type

Detection

Created

Tue Sep 15

Modified

Sun Dec 25

Author

NVISO

Path

rules/windows/builtin/system/netlogon/win_system_vul_cve_2020_1472.yml

Raw Tags

attack.defense-evasionattack.privilege-escalationattack.t1548

View on GitHub