External Remote SMB Logon from Public IP
Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
Sigma rule (View on GitHub)
1title: External Remote SMB Logon from Public IP
2id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc
3related:
4 - id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2
5 type: derived
6status: test
7description: Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
8references:
9 - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html
10 - https://twitter.com/Purp1eW0lf/status/1616144561965002752
11author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)
12date: 2023/01/19
13modified: 2024/03/11
14tags:
15 - attack.initial_access
16 - attack.credential_access
17 - attack.t1133
18 - attack.t1078
19 - attack.t1110
20logsource:
21 product: windows
22 service: security
23detection:
24 selection:
25 EventID: 4624
26 LogonType: 3
27 filter_main_local_ranges:
28 IpAddress|cidr:
29 - '::1/128' # IPv6 loopback
30 - '10.0.0.0/8'
31 - '127.0.0.0/8'
32 - '172.16.0.0/12'
33 - '192.168.0.0/16'
34 - '169.254.0.0/16'
35 - 'fc00::/7' # IPv6 private addresses
36 - 'fe80::/10' # IPv6 link-local addresses
37 filter_main_empty:
38 IpAddress: '-'
39 condition: selection and not 1 of filter_main_*
40falsepositives:
41 - Legitimate or intentional inbound connections from public IP addresses on the SMB port.
42level: high
References
-
If you see successful 4624 event logs that look a little something like this in your Event Viewer showing an ANONYMOUS LOGON, an external IP (usually from Russia, Asia, USA, Ukraine) with an authen...
Read More -
Related rules
- External Remote RDP Logon from Public IP
- External Remote Service Logon from Public IP
- Cisco BGP Authentication Failures
- Cisco LDP Authentication Failures
- Huawei BGP Authentication Failures