SOC Event Lookup
Event ID 5828NetlogonP2

Windows Event ID 5828: Netlogon denied a vulnerable secure channel connection (trust)

Netlogon Event ID 5828 records that a domain controller denied a vulnerable Netlogon secure channel connection using a trust account.

Applicable version
Windows Server 2008 R2 and later
Last reviewed
2026-07-13

Trigger Scenarios

Microsoft documents this event for CVE-2020-1472 Netlogon secure channel enforcement when a vulnerable trust-account connection is denied.

Key Fields

Trust Name

The trust account name associated with the denied vulnerable Netlogon secure channel connection.

Trust Target

The target trust relationship affected by the denied connection.

Client IP Address

The source IP address for the denied vulnerable trust-account connection and the first pivot for network containment.

Common False Positives

  • Unpatched trusted-domain infrastructure can trigger denials after enforcement without an active exploit attempt.
  • Legacy trusts and third-party domain controllers require remediation planning, but should not be silently suppressed.

Related Events

MITRE ATT&CK Mapping

  • T1210Exploitation of Remote Services

Detection Notes

Use threshold=1 denied vulnerable trust-account connection on a domain controller. Microsoft documents Event 5828 as a denied vulnerable Netlogon secure channel connection using a trust account and includes Trust Name, Trust Target, and Client IP Address; that condition is relevant to T1210 Exploitation of Remote Services because Zerologon abuses Netlogon secure channel behavior. Validate the Client IP Address against domain controller and trust partner inventories, then check for 5831 allow-list activity before treating it as legacy breakage.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 5828
| project TimeGenerated, Computer, Account
Splunk SPL
index=wineventlog EventCode=5828 | table _time, host
Sample Log
EventID: 5828
Account Type: Trust Account
Trust Name: CHILD$
Trust Target: child.corp.example
Client IP Address: 10.10.20.15

Source