{
  "id": "5828",
  "source": "windows_security",
  "category": "Netlogon",
  "name": "Netlogon denied a vulnerable secure channel connection (trust)",
  "priority": "P2",
  "applicable_version": "Windows Server 2008 R2 and later",
  "last_reviewed": "2026-07-13",
  "definition": "Netlogon Event ID 5828 records that a domain controller denied a vulnerable Netlogon secure channel connection using a trust account.",
  "trigger_scenarios": "Microsoft documents this event for CVE-2020-1472 Netlogon secure channel enforcement when a vulnerable trust-account connection is denied.",
  "key_fields": [
    {
      "field": "Trust Name",
      "explanation": "The trust account name associated with the denied vulnerable Netlogon secure channel connection."
    },
    {
      "field": "Trust Target",
      "explanation": "The target trust relationship affected by the denied connection."
    },
    {
      "field": "Client IP Address",
      "explanation": "The source IP address for the denied vulnerable trust-account connection and the first pivot for network containment."
    }
  ],
  "false_positives": [
    "Unpatched trusted-domain infrastructure can trigger denials after enforcement without an active exploit attempt.",
    "Legacy trusts and third-party domain controllers require remediation planning, but should not be silently suppressed."
  ],
  "related_event_ids": [
    "5827",
    "5830",
    "5831"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1210",
      "technique_name": "Exploitation of Remote Services"
    }
  ],
  "detection_notes": "Use threshold=1 denied vulnerable trust-account connection on a domain controller. Microsoft documents Event 5828 as a denied vulnerable Netlogon secure channel connection using a trust account and includes Trust Name, Trust Target, and Client IP Address; that condition is relevant to T1210 Exploitation of Remote Services because Zerologon abuses Netlogon secure channel behavior. Validate the Client IP Address against domain controller and trust partner inventories, then check for 5831 allow-list activity before treating it as legacy breakage.",
  "kql_snippet": "SecurityEvent\n| where EventID == 5828\n| project TimeGenerated, Computer, Account",
  "spl_snippet": "index=wineventlog EventCode=5828 | table _time, host",
  "sample_log": "EventID: 5828\nAccount Type: Trust Account\nTrust Name: CHILD$\nTrust Target: child.corp.example\nClient IP Address: 10.10.20.15",
  "source_url": "https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e",
  "route": "/windows-events/5828/",
  "canonical_url": "https://soceventlookup.com/windows-events/5828/",
  "json_url": "/api/events/windows-security/5828.json"
}
