Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

External Remote SMB Logon from Public IP

Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Micah Babinski, Zach MathisCreated Thu Jan 19Updated Mon Mar 1178d5cab4-557e-454f-9fb9-a222bd0d5edcwindows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic3 selectors
detection:
    selection:
        EventID: 4624
        LogonType: 3
    filter_main_local_ranges:
        IpAddress|cidr:
            - '::1/128'  # IPv6 loopback
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - 'fc00::/7'  # IPv6 private addresses
            - 'fe80::/10'  # IPv6 link-local addresses
    filter_main_empty:
        IpAddress: '-'
    condition: selection and not 1 of filter_main_*
False Positives

Legitimate or intentional inbound connections from public IP addresses on the SMB port.

References
1
Resolving title…
inversecos.com
2
Resolving title…
twitter.com
MITRE ATT&CK
Related Rules
DerivedDetectionmedium

External Remote RDP Logon from Public IP

Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
78d5cab4-557e-454f-9fb9-a222bd0d5edc
Status
test
Level
high
Type
Detection
Created
Thu Jan 19
Modified
Mon Mar 11
Author
Micah Babinski, Zach Mathis
Path
rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.defense-evasionattack.initial-accessattack.credential-accessattack.t1133attack.t1078attack.t1110
View on GitHub