
Failed Logon From Public IP

Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.

Author: NVISO | Created: Wed May 06 | Updated: Mon Mar 11 | Rule ID: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1 | Product: windows
Log Source
Product: windows
Service: security
Detection Logic (3 selectors)
detection:
    selection:
        EventID: 4625
    filter_main_ip_unknown:
        IpAddress|contains: '-'
    filter_main_local_ranges:
        IpAddress|cidr:
            - '::1/128'  # IPv6 loopback
            - '10.0.0.0/8'
            - '127.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - 'fc00::/7'  # IPv6 private addresses
            - 'fe80::/10'  # IPv6 link-local addresses
    condition: selection and not 1 of filter_main_*
False Positives

Legitimate logon attempts over the internet

IPv4-to-IPv6 mapped IPs
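The following is an added example, not code from the Sigma rule, from NVISO or from the Phoenix Studio page. It emulates the rule's detection logic (EventID 4625, IpAddress not containing '-', IpAddress not in the listed local ranges) in Python over a few constructed Windows Security event records, and reproduces the "IPv4-to-IPv6 mapped IPs" false positive listed above: an address such as ::ffff:192.168.1.5 is not matched by any of the rule's CIDR filters, so the rule fires on it. The unmap_ipv4 option is an assumption of this example, not part of the rule; it shows one way a backend could normalize mapped addresses before the range check.

```python
import ipaddress

# The rule's filter_main_local_ranges, parsed once.
LOCAL_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "::1/128",          # IPv6 loopback
    "10.0.0.0/8",
    "127.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "169.254.0.0/16",
    "fc00::/7",         # IPv6 private addresses
    "fe80::/10",        # IPv6 link-local addresses
)]


def is_local(ip_text: str, unmap_ipv4: bool = False) -> bool:
    """True if ip_text falls inside one of the rule's local ranges.

    unmap_ipv4 is an addition for this example (not in the rule): when set,
    an IPv4-mapped IPv6 address (::ffff:a.b.c.d) is compared as the embedded
    IPv4 address, which removes the mapped-IP false positive.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        # Unparseable value: the CIDR filter cannot match it, so it is not local.
        return False
    if unmap_ipv4 and isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # ipaddress returns False (no exception) when address and network families differ.
    return any(addr in net for net in LOCAL_RANGES)


def matches(event: dict, unmap_ipv4: bool = False) -> bool:
    """Evaluate 'selection and not 1 of filter_main_*' for one event record."""
    # selection: EventID 4625 (accept int or string, as exporters vary)
    try:
        event_id = int(event.get("EventID", 0))
    except (TypeError, ValueError):
        return False
    if event_id != 4625:
        return False
    ip = str(event.get("IpAddress", ""))
    # filter_main_ip_unknown: IpAddress|contains '-'
    if "-" in ip:
        return False
    # filter_main_local_ranges: IpAddress|cidr <local ranges>
    if is_local(ip, unmap_ipv4=unmap_ipv4):
        return False
    return True


def run(events, unmap_ipv4: bool = False) -> list:
    """Return the events that the rule would alert on, in input order."""
    return [e for e in events if matches(e, unmap_ipv4=unmap_ipv4)]


# Constructed sample events (not real telemetry); only the fields the rule reads.
SAMPLE_EVENTS = [
    {"EventID": 4625, "IpAddress": "203.0.113.10", "TargetUserName": "svc_backup"},   # public IPv4: alert
    {"EventID": 4625, "IpAddress": "10.20.30.40", "TargetUserName": "alice"},         # RFC1918: filtered
    {"EventID": 4625, "IpAddress": "-", "TargetUserName": "bob"},                     # unknown source: filtered
    {"EventID": 4624, "IpAddress": "203.0.113.10", "TargetUserName": "alice"},        # successful logon: not selected
    {"EventID": 4625, "IpAddress": "::ffff:192.168.1.5", "TargetUserName": "carol"},  # mapped private IPv4: alert unless unmapped
    {"EventID": 4625, "IpAddress": "fe80::1", "TargetUserName": "dave"},              # IPv6 link-local: filtered
    {"EventID": "4625", "IpAddress": "2001:db8::9", "TargetUserName": "erin"},        # public IPv6, string EventID: alert
]

if __name__ == "__main__":
    for label, flag in (("rule as written", False), ("with IPv4-mapped normalization", True)):
        hits = run(SAMPLE_EVENTS, unmap_ipv4=flag)
        print(f"{label}: {[(h['TargetUserName'], h['IpAddress']) for h in hits]}")
```

Running the block prints the alerting events twice: once with the rule's exact semantics (three hits, including the ::ffff:192.168.1.5 record) and once with mapped addresses unmapped before the range check (two hits). The second mode is what a tuning change in the backend or a pre-normalization of IpAddress would achieve; the rule itself does not do this.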

Rule Metadata
Rule ID
f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
Status
test
Level
medium
Type
Detection
Created
Wed May 06
Modified
Mon Mar 11
Author
NVISO
rules/windows/builtin/security/account_management/win_security_susp_failed_logon_source.yml
Raw Tags
attack.privilege-escalation, attack.defense-evasion, attack.initial-access, attack.persistence, attack.t1078, attack.t1190, attack.t1133