{
  "id": "5827",
  "source": "windows_security",
  "category": "Netlogon",
  "name": "Netlogon denied a vulnerable secure channel connection (machine)",
  "priority": "P2",
  "applicable_version": "Windows Server 2008 R2 and later",
  "last_reviewed": "2026-07-13",
  "definition": "Netlogon Event ID 5827 records that a domain controller denied a vulnerable Netlogon secure channel connection from a machine account.",
  "trigger_scenarios": "Microsoft documents this event for CVE-2020-1472 Netlogon secure channel enforcement when a vulnerable machine-account connection is denied.",
  "key_fields": [
    {
      "field": "Machine SamAccountName",
      "explanation": "The machine account whose vulnerable secure channel connection was denied."
    },
    {
      "field": "Domain / Account Type",
      "explanation": "Identifies the domain context and account category for the denied Netlogon connection."
    },
    {
      "field": "Machine Operating System / Build / Service Pack",
      "explanation": "Version fields provided in the Microsoft event message and used to verify whether the client is patched or a non-compliant device."
    }
  ],
  "false_positives": [
    "Unpatched or third-party Netlogon clients can trigger denials after enforcement without being active exploitation.",
    "Legacy appliances may require vendor remediation and temporary allow-list review, but the vulnerable state is real."
  ],
  "related_event_ids": [
    "5828",
    "5830",
    "5831"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1210",
      "technique_name": "Exploitation of Remote Services"
    }
  ],
  "detection_notes": "Use threshold=1 denied vulnerable machine account connection on a domain controller. Microsoft documents Event 5827 as a denied vulnerable Netlogon secure channel connection from a machine account during CVE-2020-1472 enforcement; that condition is relevant to T1210 Exploitation of Remote Services because Zerologon abuses Netlogon secure channel behavior. Triage Machine SamAccountName, Domain, Account Type, Machine Operating System Build, and any corresponding 5830 allow-list events before deciding whether this is exploitation or an unpatched device.",
  "kql_snippet": "SecurityEvent\n| where EventID == 5827\n| project TimeGenerated, Computer, Account",
  "spl_snippet": "index=wineventlog EventCode=5827 | table _time, host",
  "sample_log": "EventID: 5827\nMachine SamAccountName: LEGACY-NAS$\nDomain: CORP\nAccount Type: Workstation Trust\nMachine Operating System Build: 7601",
  "source_url": "https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e",
  "route": "/windows-events/5827/",
  "canonical_url": "https://soceventlookup.com/windows-events/5827/",
  "json_url": "/api/events/windows-security/5827.json"
}
