Detecting the Windows domain controller vulnerability? (CVE-2020-1472)

Microsoft has created new event IDs to help identify devices that use the vulnerable connection. Can this be added or an alert created for it? Source: https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc. Can this be added into ADAudit?

Specifically, this part:

Deploy the August 11th updates to all applicable domain controllers (DCs) in the forest, including read-only domain controllers (RODCs). After deploying this update, patched DCs will:
  • Begin enforcing secure RPC usage for all Windows-based device accounts, trust accounts and all DCs.
  • Log event IDs 5827 and 5828 in the System event log, if connections are denied.
  • Log event IDs 5830 and 5831 in the System event log, if connections are allowed by "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.
  • Log event ID 5829 in the System event log whenever a vulnerable Netlogon secure channel connection is allowed. These events should be addressed before the DC enforcement mode is configured or before the enforcement phase starts on February 9, 2021.
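Until a product alert exists, the events quoted above can be collected directly from a DC's System log. The script below is an added example, not part of the forum post, the Microsoft article or any ManageEngine product: it pulls Netlogon events 5827 through 5831 from one domain controller, counts them per event ID with the meaning the article gives each ID, and then lists the 5829 events in full, since those are the devices still allowed to use a vulnerable Netlogon secure channel and must be fixed before enforcement starts. It assumes an elevated PowerShell session with event-log read access on the DC; the `$ComputerName` and `$Days` parameters are placeholders to adjust.

```powershell
# Added example: summarise the Netlogon secure-channel events logged by a patched DC.
# Not from the original post or the Microsoft article; $ComputerName and $Days are
# placeholders. Run from an elevated PowerShell with event-log read rights on the DC.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC to query (assumption: local DC)
    [int]$Days = 7                               # how far back to look (assumption)
)

# Meaning of each event ID, as described in the Microsoft article quoted above.
$Meaning = @{
    5827 = 'Denied: vulnerable connection from a machine account'
    5828 = 'Denied: vulnerable connection from a trust account'
    5829 = 'Allowed: vulnerable connection (device must be fixed before enforcement)'
    5830 = 'Allowed by group policy: machine account'
    5831 = 'Allowed by group policy: trust account'
}

# The events are written by the NETLOGON provider to the System log.
$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-$Days)
}

try {
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Get-WinEvent throws when nothing matches; treat that as an empty result set.
    if ($_.Exception.Message -match 'No events were found') { $events = @() } else { throw }
}

if (-not $events) {
    Write-Host "No Netlogon secure-channel events (5827-5831) on $ComputerName in the last $Days day(s)."
    return
}

# Per-ID summary: a quick view of how many denied vs. allowed connections were seen.
$events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
    [pscustomobject]@{
        EventId = [int]$_.Name
        Count   = $_.Count
        Meaning = $Meaning[[int]$_.Name]
    }
} | Format-Table -AutoSize

# Detail for 5829 only: the message body names the account and client that still
# connected over a vulnerable channel, which is exactly what needs remediation.
$events | Where-Object Id -eq 5829 |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, MachineName, Message |
    Format-List
```

Run it periodically (or wire the same filter into a scheduled task that e-mails the output) and work the 5829 list down to zero; once it stays empty, the DC can be moved to enforcement mode without cutting off any device.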
