External Remote RDP Logon from Public IP

Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.

Sigma rule (View on GitHub)

 1title: External Remote RDP Logon from Public IP
 2id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2
 3related:
 4    - id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc
 5      type: derived
 6status: test
 7description: Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
 8references:
 9    - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html
10    - https://twitter.com/Purp1eW0lf/status/1616144561965002752
11author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)
12date: 2023/01/19
13modified: 2023/03/16
14tags:
15    - attack.initial_access
16    - attack.credential_access
17    - attack.t1133
18    - attack.t1078
19    - attack.t1110
20logsource:
21    product: windows
22    service: security
23detection:
24    selection:
25        EventID: 4624
26        LogonType: 10
27    filter_ipv4:
28        IpAddress|cidr:
29            - '127.0.0.0/8'
30            - '10.0.0.0/8'
31            - '172.16.0.0/12'
32            - '192.168.0.0/16'
33    filter_ipv6:
34        - IpAddress: '::1' # IPv6 loopback
35        - IpAddress|startswith:
36              - 'fe80:'  # link-local address
37              - 'fc'  # private address range fc00::/7
38              - 'fd'  # private address range fc00::/7
39    filter_empty:
40        IpAddress: '-'
41    condition: selection and not 1 of filter_*
42falsepositives:
43    - Legitimate or intentional inbound connections from public IP addresses on the RDP port.
44level: medium

References

Related rules

to-top