Windows Event ID 5828: Netlogon denied a vulnerable secure channel connection (trust)
Netlogon Event ID 5828 records that a domain controller denied a vulnerable Netlogon secure channel connection using a trust account.
- Applicable version
- Windows Server 2008 R2 and later
- Last reviewed
- 2026-07-13
Trigger Scenarios
Microsoft documents this event for CVE-2020-1472 Netlogon secure channel enforcement when a vulnerable trust-account connection is denied.
Key Fields
Trust Name
The trust account name associated with the denied vulnerable Netlogon secure channel connection.
Trust Target
The target trust relationship affected by the denied connection.
Client IP Address
The source IP address for the denied vulnerable trust-account connection and the first pivot for network containment.
Common False Positives
- Unpatched trusted-domain infrastructure can trigger denials after enforcement without an active exploit attempt.
- Legacy trusts and third-party domain controllers require remediation planning, but should not be silently suppressed.
Related Events
- 5827 - Netlogon denied a vulnerable secure channel connection (machine)
- Event ID 5830Content pending
- Event ID 5831Content pending
MITRE ATT&CK Mapping
- T1210Exploitation of Remote Services
Detection Notes
Use threshold=1 denied vulnerable trust-account connection on a domain controller. Microsoft documents Event 5828 as a denied vulnerable Netlogon secure channel connection using a trust account and includes Trust Name, Trust Target, and Client IP Address; that condition is relevant to T1210 Exploitation of Remote Services because Zerologon abuses Netlogon secure channel behavior. Validate the Client IP Address against domain controller and trust partner inventories, then check for 5831 allow-list activity before treating it as legacy breakage.
SecurityEvent
| where EventID == 5828
| project TimeGenerated, Computer, Accountindex=wineventlog EventCode=5828 | table _time, hostEventID: 5828
Account Type: Trust Account
Trust Name: CHILD$
Trust Target: child.corp.example
Client IP Address: 10.10.20.15