Failed Logon From Public IP
Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
Sigma rule (View on GitHub)
1title: Failed Logon From Public IP
2id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
3status: test
4description: Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
5references:
6 - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
7author: NVISO
8date: 2020-05-06
9modified: 2024-03-11
10tags:
11 - attack.initial-access
12 - attack.persistence
13 - attack.t1078
14 - attack.t1190
15 - attack.t1133
16logsource:
17 product: windows
18 service: security
19detection:
20 selection:
21 EventID: 4625
22 filter_main_ip_unknown:
23 IpAddress|contains: '-'
24 filter_main_local_ranges:
25 IpAddress|cidr:
26 - '::1/128' # IPv6 loopback
27 - '10.0.0.0/8'
28 - '127.0.0.0/8'
29 - '172.16.0.0/12'
30 - '192.168.0.0/16'
31 - '169.254.0.0/16'
32 - 'fc00::/7' # IPv6 private addresses
33 - 'fe80::/10' # IPv6 link-local addresses
34 condition: selection and not 1 of filter_main_*
35falsepositives:
36 - Legitimate logon attempts over the internet
37 - IPv4-to-IPv6 mapped IPs
38level: medium
References
-
Describes security event 4625(F) An account failed to log on. This event is generated if an account logon attempt failed for a locked out account.
Read More
Related rules
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address
- Application Using Device Code Authentication Flow
- Applications That Are Using ROPC Authentication Flow
- Atypical Travel