Hi Guys,
This is not an issue, more a question.
I used your script to test an updated Domain Controller and it works well. I also tested it on an unpatched DC.
In both cases I triggered 2 Event 5805 logs for each script launch.
Is this what is expected?
Can I use Event 5805 + my DC name appearing in the message ("from computer") of the log to conclude a Zerologon attack?
Moreover I found a small difference between patched and unpatched:
In the unpatched case the 2 events are the same.
In the patched case, in one of the events I got the attacking computer in the message of the event (and not the DC).
My test with a patched DC results in:
2000 requests from the script resulting in 2000 packets TCP/port 135 + 2000 packets TCP/65xxx on the firewall (the RPC calls)
In the DC event log I can find 2 5805 events:
2020-11-10T09:30:12.000Z MyDC1234.ADS.LOCAL AttkCp888 5805 The session setup from the computer AttkCp888 failed to authenticate. The following error occurred: \r\nAccess is denied.
2020-11-10T09:30:12.000Z MyDC1234.ADS.LOCAL mydc1234 5805 The session setup from the computer mydc1234 failed to authenticate. The following error occurred: \r\nAccess is denied.
Now when I take an unpatched DC:
Success! DC can be fully compromised by a Zerologon attack.
2020-11-10T09:42:23.000Z MyDC1234.ADS.LOCAL mydc1234 5805 The session setup from the computer mydc1234 failed to authenticate. The following error occurred: \r\nAccess is denied.
2020-11-10T09:42:23.000Z MyDC1234.ADS.LOCAL mydc1234 5805 The session setup from the computer mydc1234 failed to authenticate. The following error occurred: \r\nAccess is denied.
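As an added example (not part of the issue or the script it discusses), this parser applies the heuristic the question proposes: it reads 5805 lines in the shape quoted above and flags those whose "from the computer" name is the DC's own host name. The sample lines are constructed to mirror the quoted events; the field layout (timestamp, logging DC, source, event id, message) is assumed from the quotes.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the same layout as the events quoted in the issue
# (timestamp, logging DC, source computer, event id, message). Not real log data.
SAMPLE_EVENTS = [
    "2020-11-10T09:30:12.000Z MyDC1234.ADS.LOCAL AttkCp888 5805 The session setup from the computer AttkCp888 failed to authenticate. The following error occurred: \\r\\nAccess is denied.",
    "2020-11-10T09:30:12.000Z MyDC1234.ADS.LOCAL mydc1234 5805 The session setup from the computer mydc1234 failed to authenticate. The following error occurred: \\r\\nAccess is denied.",
    "2020-11-10T09:42:23.000Z MyDC1234.ADS.LOCAL mydc1234 5805 The session setup from the computer mydc1234 failed to authenticate. The following error occurred: \\r\\nAccess is denied.",
    "2020-11-10T09:42:23.000Z MyDC1234.ADS.LOCAL mydc1234 5805 The session setup from the computer mydc1234 failed to authenticate. The following error occurred: \\r\\nAccess is denied.",
    "2020-11-10T10:01:00.000Z MyDC1234.ADS.LOCAL WKSTN42 5805 The session setup from the computer WKSTN42 failed to authenticate. The following error occurred: \\r\\nAccess is denied.",
]

# Assumed field layout; the "from the computer <name>" phrase is the NETLOGON 5805 wording.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dc>\S+)\s+(?P<src>\S+)\s+(?P<event_id>\d+)\s+"
    r"The session setup from the computer (?P<from>\S+) failed to authenticate"
)


def parse_5805(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one 5805 line, or None for anything else."""
    m = EVENT_RE.match(line)
    if not m or m.group("event_id") != "5805":
        return None
    return m.groupdict()


def flag_self_referencing(lines: List[str], dc_fqdn: str) -> List[Dict[str, str]]:
    """5805 events where the failing 'from' computer is the DC itself.

    The comparison uses the DC's short host name, case-insensitively, because the
    quoted events show 'mydc1234' while the logging host is 'MyDC1234.ADS.LOCAL'.
    """
    short_name = dc_fqdn.split(".")[0].lower()
    hits = []
    for line in lines:
        ev = parse_5805(line)
        if ev and ev["from"].lower() == short_name:
            hits.append(ev)
    return hits


def failures_by_source(lines: List[str]) -> Dict[str, int]:
    """Count 5805 failures per 'from' computer, so the DC's own name stands out."""
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_5805(line)
        if ev:
            counts[ev["from"].lower()] = counts.get(ev["from"].lower(), 0) + 1
    return counts
```

A DC reporting a failed session setup from its own machine account is unusual in normal operation, which is why it is a useful triage signal; the issue itself notes only two events per run, so a count threshold alone is not enough, and the source (`src`) column still has to be checked against the `from` field.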