Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

External Remote RDP Logon from Public IP

Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Micah Babinski, Zach MathisCreated Thu Jan 19Updated Mon Mar 11259a9cdf-c4dd-4fa2-b243-2269e5ab18a2windows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic3 selectors
detection:
    selection:
        EventID: 4624
        LogonType: 10
    filter_main_local_ranges:
        IpAddress|cidr:
            - '::1/128'  # IPv6 loopback
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - 'fc00::/7'  # IPv6 private addresses
            - 'fe80::/10'  # IPv6 link-local addresses
    filter_main_empty:
        IpAddress: '-'
    condition: selection and not 1 of filter_main_*
False Positives

Legitimate or intentional inbound connections from public IP addresses on the RDP port.

References
1
Resolving title…
inversecos.com
2
Resolving title…
twitter.com
MITRE ATT&CK
Related Rules
DerivedDetectionhigh

External Remote SMB Logon from Public IP

Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
259a9cdf-c4dd-4fa2-b243-2269e5ab18a2
Status
test
Level
medium
Type
Detection
Created
Thu Jan 19
Modified
Mon Mar 11
Author
Micah Babinski, Zach Mathis
Path
rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.defense-evasionattack.initial-accessattack.credential-accessattack.t1133attack.t1078attack.t1110
View on GitHub