58 lines
1.1 KiB
YAML
58 lines
1.1 KiB
YAML
|
|
title: Failed Logon From Public IP
|
|
author: NVISO
|
|
date: 2020/05/06
|
|
description: A login from a public IP can indicate a misconfigured firewall or network
|
|
boundary.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 4625
|
|
SELECTION_2:
|
|
IpAddress: '*-*'
|
|
SELECTION_3:
|
|
IpAddress:
|
|
- 10.*
|
|
- 192.168.*
|
|
- 172.16.*
|
|
- 172.17.*
|
|
- 172.18.*
|
|
- 172.19.*
|
|
- 172.20.*
|
|
- 172.21.*
|
|
- 172.22.*
|
|
- 172.23.*
|
|
- 172.24.*
|
|
- 172.25.*
|
|
- 172.26.*
|
|
- 172.27.*
|
|
- 172.28.*
|
|
- 172.29.*
|
|
- 172.30.*
|
|
- 172.31.*
|
|
- 127.*
|
|
- 169.254.*
|
|
SELECTION_4:
|
|
IpAddress: ::1
|
|
SELECTION_5:
|
|
IpAddress:
|
|
- fe80::*
|
|
- fc00::*
|
|
condition: (SELECTION_1 and not ((SELECTION_2 or SELECTION_3 or SELECTION_4 or
|
|
SELECTION_5)))
|
|
falsepositives:
|
|
- Legitimate logon attempts over the internet
|
|
- IPv4-to-IPv6 mapped IPs
|
|
id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
|
|
level: medium
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
status: experimental
|
|
tags:
|
|
- attack.initial_access
|
|
- attack.persistence
|
|
- attack.t1078
|
|
- attack.t1190
|
|
- attack.t1133
|
|
ruletype: SIGMA
|