From 299fe649a284499a7f75fc26a7eec2fb5591a1ee Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 22 Jan 2023 21:14:10 +0100
Subject: [PATCH] split the rule by LogonType

---
 ..._successful_external_remote_rdp_login.yml} | 11 +++---
 ...y_successful_external_remote_smb_login.yml | 37 +++++++++++++++++++
 2 files changed, 43 insertions(+), 5 deletions(-)
 rename rules/windows/builtin/security/{win_security_successful_external_remote_svc_login.yml => win_security_successful_external_remote_rdp_login.yml} (85%)
 create mode 100644 rules/windows/builtin/security/win_security_successful_external_remote_smb_login.yml

diff --git a/rules/windows/builtin/security/win_security_successful_external_remote_svc_login.yml b/rules/windows/builtin/security/win_security_successful_external_remote_rdp_login.yml
similarity index 85%
rename from rules/windows/builtin/security/win_security_successful_external_remote_svc_login.yml
rename to rules/windows/builtin/security/win_security_successful_external_remote_rdp_login.yml
index 9544f3e4c..75918cc13 100644
--- a/rules/windows/builtin/security/win_security_successful_external_remote_svc_login.yml
+++ b/rules/windows/builtin/security/win_security_successful_external_remote_rdp_login.yml
@@ -1,5 +1,8 @@
-title: External Remote Service Logon from Public IP
+title: External Remote RDP Logon from Public IP
 id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2
+related:
+    - id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc
+      type: derived
 status: experimental
 description: Detects successful logon from public IP address via RDP, SMB, etc. This can indicate a publicly-exposed RDP or SMB port.
 references:
@@ -19,9 +22,7 @@ logsource:
 detection:
     selection:
         EventID: 4624
-        LogonType:
-            - 3 # Network logon such as SMB
-            - 10 # RemoteInteractive logon such as RDP
+        LogonType: 10
     filter_username:
         SubjectUserName: '-'
     filter_src_ip:
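Review bot: The `description` line in this hunk still says "via RDP, SMB, etc." and "a publicly-exposed RDP or SMB port" although the title now narrows the rule to RDP and the detection (in the next hunk) keeps only LogonType 10; it should be re-scoped to something like `description: Detects a successful RDP logon (EventID 4624, LogonType 10) from a public IP address. This can indicate a publicly-exposed RDP port.` The added `related` entry declares this rule `derived` from the new SMB rule while the SMB rule in the second file declares the same about this one; since this file keeps the original id it is the parent, and if I read the Sigma `related` types correctly this side should be `type: similar` (or omitted) rather than a circular `derived`. The `falsepositives` entry further down, outside this hunk, carries the same stale "RDP or SMB" wording.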
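Review bot: Collapsing the list to `LogonType: 10` drops the inline explanation the removed lines carried, and it leaves an undocumented overlap with the new SMB rule: when NLA is enabled the target host records the CredSSP pre-authentication as a LogonType 3 4624 before the LogonType 10 session logon (as far as I recall the 4624 semantics — confirm on a sample event), so one successful external RDP logon will fire both rules. I would keep a comment on the value, `LogonType: 10  # RemoteInteractive (RDP); the NLA pre-auth step is logged separately as LogonType 3`, so the overlap is documented rather than discovered in triage. The `filter_username` and `filter_src_ip` blocks shown here are unchanged context and the detection continues past the end of the hunk.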
@@ -33,4 +34,4 @@ detection:
     condition: selection and not filter_username and not filter_src_ip
 falsepositives:
     - Legitimate or intentional inbound connections from public IP addresses on RDP or SMB ports.
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/builtin/security/win_security_successful_external_remote_smb_login.yml b/rules/windows/builtin/security/win_security_successful_external_remote_smb_login.yml
new file mode 100644
index 000000000..ad742227a
--- /dev/null
+++ b/rules/windows/builtin/security/win_security_successful_external_remote_smb_login.yml
@@ -0,0 +1,37 @@
+title: External Remote SMB Logon from Public IP
+id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc
+related:
+    - id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2
+      type: derived
+status: experimental
+description: Detects successful logon from public IP address via RDP, SMB, etc. This can indicate a publicly-exposed RDP or SMB port.
+references:
+    - https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html
+    - https://twitter.com/Purp1eW0lf/status/1616144561965002752
+author: Micah Babinski, @micahbabinski
+date: 2023/01/19
+tags:
+    - attack.initial_access
+    - attack.credential_access
+    - attack.t1133
+    - attack.t1078
+    - attack.t1110
+logsource:
+    product: windows
+    service: security
+detection:
+    selection:
+        EventID: 4624
+        LogonType: 3
+    filter_username:
+        SubjectUserName: '-'
+    filter_src_ip:
+        - IpAddress|cidr: 10.0.0.0/8
+        - IpAddress|cidr: 172.16.0.0/12
+        - IpAddress|cidr: 192.168.0.0/16
+        - IpAddress|cidr: 224.0.0.0/4
+        - IpAddress|cidr: 127.0.0.0/8
+    condition: selection and not filter_username and not filter_src_ip
+falsepositives:
+    - Legitimate or intentional inbound connections from public IP addresses on RDP or SMB ports.
+level: high
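Review bot: The `SubjectUserName: '-'` exclusion in `filter_username` looks like it suppresses exactly the events this rule is for: on a 4624 with LogonType 3 the Subject fields normally hold NULL SID / `-` (the account that logged on is in `TargetUserName`), so `not filter_username` drops ordinary network logons, and if the intent is to ignore the empty-account case then `TargetUserName: '-'` is probably the field meant — verify against a sample event before changing it. The private-range filter also misses link-local 169.254.0.0/16, CGNAT 100.64.0.0/10, the IPv6 loopback/link-local/ULA ranges and the `-` the event carries when no source address is recorded, all of which fall through as "public"; a fuller `filter_src_ip` is sketched below (the IPv6 entries assume the backend's `cidr` modifier handles IPv6). The copied `description` and `falsepositives` still say "RDP, SMB, etc." although LogonType 3 is any network logon (SMB, WinRM, RPC/WMI, ...), not specifically SMB, so the title and text should say "network (LogonType 3)" or the rule needs a service discriminator. Finally, `level: high` here against `medium` on the RDP sibling deserves a sentence of justification in the description.
```yaml
    filter_src_ip:
        - IpAddress|cidr: 10.0.0.0/8
        - IpAddress|cidr: 172.16.0.0/12
        - IpAddress|cidr: 192.168.0.0/16
        - IpAddress|cidr: 169.254.0.0/16  # link-local (RFC 3927)
        - IpAddress|cidr: 100.64.0.0/10   # CGNAT shared space (RFC 6598)
        - IpAddress|cidr: 224.0.0.0/4
        - IpAddress|cidr: 127.0.0.0/8
        - IpAddress|cidr: '::1/128'       # IPv6 loopback
        - IpAddress|cidr: 'fe80::/10'     # IPv6 link-local
        - IpAddress|cidr: 'fc00::/7'      # IPv6 unique local
        - IpAddress: '-'                  # no source address recorded
    # … unchanged: condition, falsepositives, level …
```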