logo

From Code to Coverage (Part 6): What netlogon.log Sees That Event 1644 Never Will

ID: 7a2cd0ec-5162-557f-a021-7c1a66be8d7c

STIX ID: report--7a2cd0ec-5162-557f-a021-7c1a66be8d7c

Feed Name: Huntress Blog

Threat Score
55/100

Date Published: 2026-06-24

Date Updated: 2026-06-25

...
...

This analysis demonstrates that LDAP Ping (cLDAP) username-enumeration can be performed anonymously against Domain Controllers and that detection depends on transport: ldapnomnom (TCP) can be attributed via Windows Filtering Platform Event 5156, while true UDP cLDAP evades 5156 and only appears in netlogon.log (which lacks source IP), creating a logging blind spot; the report validates these behaviors in lab testing, outlines detection methods (netlogon.log, Event 5156, MDI packet sensors), and recommends enabling netlogon debug, WFP auditing, MDI sensors, and correlating logs to detect and attribute such reconnaissance.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.