From 123a23adae9f896a13e43c6f5bcddeaaa8728129 Mon Sep 17 00:00:00 2001
From: Remco Hofman
Date: Wed, 6 May 2020 22:24:02 +0200
Subject: [PATCH] win_susp_failed_logon_source rule
---
.../builtin/win_susp_failed_logon_source.yml | 51 +++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 rules/windows/builtin/win_susp_failed_logon_source.yml
diff --git a/rules/windows/builtin/win_susp_failed_logon_source.yml b/rules/windows/builtin/win_susp_failed_logon_source.yml
new file mode 100644
index 000000000..f522ea5ed
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logon_source.yml
@@ -0,0 +1,51 @@
+title: Failed Logon From Public IP
+id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
+description: A login from a public IP can indicate a misconfigured firewall or network boundary.
+author: NVISO
+date: 2020/05/06
+tags:
+ - attack.initial_access
+ - attack.persistence
+ - attack.t1078
+ - attack.t1190
+ - attack.t1133
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4625
+ unknown:
+ IpAddress|contains: '-'
+ privatev4:
+ IpAddress|startswith:
+ - '10.' #10.0.0.0/8
+ - '192.168.' #192.168.0.0/16
+ - '172.16.' #172.16.0.0/12
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
+ - '127.' #127.0.0.0/8
+ - '169.254.' #169.254.0.0/16
+ privatev6:
+ - IpAddress: '::1' #loopback
+ - IpAddress|startswith:
+ - 'fe80::' #link-local
+ - 'fc00::' #unique local
+ condition: selection and not (unknown or privatev4 or privatev6)
+falsepositives:
+ - Legitimate logon attempts over the internet
+ - IPv4-to-IPv6 mapped IPs
+level: medium
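Review bot: The `privatev6` filter's `'fc00::'` prefix only matches addresses whose first hextet is exactly fc00, while unique-local addresses are the whole fc00::/7 block and are in practice assigned from the fd00::/8 half, so internal hosts using ULA addressing will pass the filter and alert as public sources. Widening the list under `IpAddress|startswith` in `privatev6` to `- 'fc'` and `- 'fd'` (in place of `'fc00::'`) closes that gap; the match is on the textual address, so this presumes the Security log writes lowercase hex — confirm against real 4625 events. The `privatev4` list likewise omits 100.64.0.0/10 (carrier-grade NAT) and 0.0.0.0/8, which deserve either entries or a comment explaining why they are treated as public. On style, the inline comments use one space before and none after `#` (`'10.' #10.0.0.0/8`), which yamllint's `comments` rule flags; `'10.'  # 10.0.0.0/8` is the conventional form. The description also says "login" although the rule fires on EventID 4625 failed logons; `description: A failed logon from a public IP can indicate a misconfigured firewall or network boundary.` would match the title.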