External Remote RDP Logon from Public IP

Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.

Sigma rule (View on GitHub)

 1title: External Remote RDP Logon from Public IP
 2id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2
 3related:
 4    - id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc
 5      type: derived
 6status: test
 7description: Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
 8references:
 9    - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html
10    - https://twitter.com/Purp1eW0lf/status/1616144561965002752
11author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)
12date: 2023-01-19
13modified: 2024-03-11
14tags:
15    - attack.initial-access
16    - attack.credential-access
17    - attack.t1133
18    - attack.t1078
19    - attack.t1110
20logsource:
21    product: windows
22    service: security
23detection:
24    selection:
25        EventID: 4624
26        LogonType: 10
27    filter_main_local_ranges:
28        IpAddress|cidr:
29            - '::1/128'  # IPv6 loopback
30            - '10.0.0.0/8'
31            - '127.0.0.0/8'
32            - '172.16.0.0/12'
33            - '192.168.0.0/16'
34            - '169.254.0.0/16'
35            - 'fc00::/7'  # IPv6 private addresses
36            - 'fe80::/10'  # IPv6 link-local addresses
37    filter_main_empty:
38        IpAddress: '-'
39    condition: selection and not 1 of filter_main_*
40falsepositives:
41    - Legitimate or intentional inbound connections from public IP addresses on the RDP port.
42level: medium

References

Related rules

to-top