Failed Logon From Public IP
A login from a public IP can indicate a misconfigured firewall or network boundary.
Sigma rule

```yaml
title: Failed Logon From Public IP
id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
status: test
description: A login from a public IP can indicate a misconfigured firewall or network boundary.
author: NVISO
date: 2020/05/06
modified: 2023/01/11
tags:
    - attack.initial_access
    - attack.persistence
    - attack.t1078
    - attack.t1190
    - attack.t1133
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4625
    filter_ip_unknown:
        IpAddress|contains: '-'
    filter_ip_privatev4:
        IpAddress|startswith:
            - '10.' # 10.0.0.0/8
            - '192.168.' # 192.168.0.0/16
            - '172.16.' # 172.16.0.0/12
            - '172.17.'
            - '172.18.'
            - '172.19.'
            - '172.20.'
            - '172.21.'
            - '172.22.'
            - '172.23.'
            - '172.24.'
            - '172.25.'
            - '172.26.'
            - '172.27.'
            - '172.28.'
            - '172.29.'
            - '172.30.'
            - '172.31.'
            - '127.' # 127.0.0.0/8
            - '169.254.' # 169.254.0.0/16
    filter_ip_privatev6:
        - IpAddress: '::1' # loopback
        - IpAddress|startswith:
            - 'fe80::' # link-local
            - 'fc00::' # unique local
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate logon attempts over the internet
    - IPv4-to-IPv6 mapped IPs
level: medium
```
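The following Python is an added example, not part of the rule above and not code from NVISO or SigmaHQ. It ports the rule's logic literally (EventID 4625, minus any `filter_*` block matching on string prefixes) and runs it over a handful of constructed 4625 records, then runs an address-aware variant of the same filters built on Python's `ipaddress` module. The address-aware version goes slightly beyond the rule: it unwraps IPv4-mapped IPv6 addresses (`::ffff:a.b.c.d`), which removes the false positive the rule lists, and it tests membership in `fc00::/7`, the full unique-local block, where the rule's `'fc00::'` string prefix only covers `fc00::/16` and so lets `fd00::/8` sources through. The event dictionaries, their field names and the `RecordNumber` key are assumptions; the `203.0.113.0/24` source is a documentation range standing in for a genuinely public address.

```python
import ipaddress

# Prefix lists copied from the rule's filter_ip_privatev4 / filter_ip_privatev6 blocks.
PRIVATE_V4_PREFIXES = ("10.", "192.168.") + tuple(f"172.{n}." for n in range(16, 32)) + ("127.", "169.254.")
PRIVATE_V6_PREFIXES = ("fe80::", "fc00::")


def sigma_rule_matches(event: dict) -> bool:
    """Literal port of the rule: EventID 4625 and not any filter_* block."""
    if event.get("EventID") != 4625:
        return False
    ip = str(event.get("IpAddress", ""))
    if "-" in ip:                                            # filter_ip_unknown
        return False
    if ip.startswith(PRIVATE_V4_PREFIXES):                   # filter_ip_privatev4
        return False
    if ip == "::1" or ip.startswith(PRIVATE_V6_PREFIXES):    # filter_ip_privatev6
        return False
    return True


# Address-aware version of the same filters. fc00::/7 is the whole unique-local
# block; the rule's string prefix 'fc00::' only covers fc00::/16 of it.
NON_PUBLIC_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                 # IPv6 loopback, link-local, unique local
)]


def is_public_source(ip_str: str):
    """True if ip_str is an address outside NON_PUBLIC_NETWORKS, False if it is
    inside one, None if the field is not an IP address at all (e.g. '-')."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the embedded IPv4 address is
    # what gets classified; this removes the mapped-address false positive.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not any(addr in net for net in NON_PUBLIC_NETWORKS)


def strict_rule_matches(event: dict) -> bool:
    """Same selection as the rule, but with the address-aware filter."""
    return event.get("EventID") == 4625 and is_public_source(str(event.get("IpAddress", ""))) is True


# Constructed sample events (not real telemetry); field names mirror the Sigma rule.
SAMPLE_EVENTS = [
    {"RecordNumber": 1, "EventID": 4625, "TargetUserName": "alice", "IpAddress": "203.0.113.5"},
    {"RecordNumber": 2, "EventID": 4625, "TargetUserName": "bob", "IpAddress": "10.20.30.40"},
    {"RecordNumber": 3, "EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "-"},
    {"RecordNumber": 4, "EventID": 4625, "TargetUserName": "carol", "IpAddress": "::ffff:10.20.30.40"},
    {"RecordNumber": 5, "EventID": 4625, "TargetUserName": "dave", "IpAddress": "fd12:3456::1"},
    {"RecordNumber": 6, "EventID": 4624, "TargetUserName": "alice", "IpAddress": "203.0.113.5"},
]


def run_detection(events):
    """Return (literal_hits, strict_hits): the RecordNumbers each variant flags."""
    literal = [e["RecordNumber"] for e in events if sigma_rule_matches(e)]
    strict = [e["RecordNumber"] for e in events if strict_rule_matches(e)]
    return literal, strict


if __name__ == "__main__":
    literal, strict = run_detection(SAMPLE_EVENTS)
    print("literal rule fires on records:", literal)   # [1, 4, 5]
    print("address-aware check fires on:", strict)     # [1]
```

Records 4 and 5 are the interesting ones: the literal rule flags the mapped private address `::ffff:10.20.30.40` (the false positive the rule documents) and the unique-local address `fd12:3456::1` (outside the `fc00::` string prefix), while the address-aware check suppresses both and keeps only the genuinely external record 1. Whether to tighten the filters in the Sigma rule itself or to suppress these cases downstream is a tuning decision; the point is that string-prefix filters and CIDR membership are not the same test.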