title: Failed Logon From Public IP
author: NVISO
date: 2020/05/06
description: A login from a public IP can indicate a misconfigured firewall or network
  boundary.
detection:
  SELECTION_1:
    EventID: 4625
  SELECTION_2:
    IpAddress: '*-*'
  SELECTION_3:
    IpAddress:
    - 10.*
    - 192.168.*
    - 172.16.*
    - 172.17.*
    - 172.18.*
    - 172.19.*
    - 172.20.*
    - 172.21.*
    - 172.22.*
    - 172.23.*
    - 172.24.*
    - 172.25.*
    - 172.26.*
    - 172.27.*
    - 172.28.*
    - 172.29.*
    - 172.30.*
    - 172.31.*
    - 127.*
    - 169.254.*
  SELECTION_4:
    IpAddress: ::1
  SELECTION_5:
    IpAddress:
    - fe80::*
    - fc00::*
  condition: (SELECTION_1 and  not ((SELECTION_2 or SELECTION_3 or SELECTION_4 or
    SELECTION_5)))
falsepositives:
- Legitimate logon attempts over the internet
- IPv4-to-IPv6 mapped IPs
id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
level: medium
logsource:
  product: windows
  service: security
status: experimental
tags:
- attack.initial_access
- attack.persistence
- attack.t1078
- attack.t1190
- attack.t1133
ruletype: SIGMA