LoFP / Legitimate or intentional inbound connections from public IP addresses on the RDP port.

Sample rules

External Remote RDP Logon from Public IP

Description

Detects a successful logon from a public IP address via RDP. This can indicate a publicly exposed RDP port.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_empty:
  IpAddress: '-'
filter_main_local_ranges:
  IpAddress|cidr:
  - ::1/128
  - 10.0.0.0/8
  - 127.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - 169.254.0.0/16
  - fc00::/7
  - fe80::/10
selection:
  EventID: 4624
  LogonType: 10

External Remote SMB Logon from Public IP

Description

Detects a successful logon from a public IP address via SMB. This can indicate a publicly exposed SMB port.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_empty:
  IpAddress: '-'
filter_main_local_ranges:
  IpAddress|cidr:
  - ::1/128
  - 10.0.0.0/8
  - 127.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - 169.254.0.0/16
  - fc00::/7
  - fe80::/10
selection:
  EventID: 4624
  LogonType: 3
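Both rules share the same shape: select Event ID 4624 with a given logon type, then drop events whose IpAddress is empty ('-') or falls in a private, loopback or link-local range. The following Python is an added worked example, not code from the LoFP site or from the Sigma rules themselves. It evaluates that selection-and-filter logic over a handful of constructed 4624 records, handles the IPv4-mapped IPv6 form (`::ffff:a.b.c.d`) that would otherwise slip past a naive IPv4 range check, and tags hits that come from a documented public source (a constructed `known_public_sources` allowlist, standing in for the legitimate inbound connections this LoFP entry describes). The allowlist, the sample events and the TEST-NET addresses are assumptions made for the example.

```python
import ipaddress

# The filter_main_local_ranges list from the rules above.
LOCAL_RANGES = [ipaddress.ip_network(c) for c in (
    "::1/128", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "fc00::/7", "fe80::/10",
)]

# Rule name -> LogonType from the two sample rules.
# 10 = RemoteInteractive (RDP), 3 = Network (SMB and other network logons).
RULES = {
    "External Remote RDP Logon from Public IP": 10,
    "External Remote SMB Logon from Public IP": 3,
}


def is_local(ip_str):
    """True when the address is inside one of the excluded ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparsable value: do not silently filter it out
    # Windows may log an IPv4 client as an IPv4-mapped IPv6 address;
    # unwrap it so the IPv4 ranges above still apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in LOCAL_RANGES)


def matches(event, logon_type):
    """Sigma condition: selection and not 1 of filter_main_*"""
    if event.get("EventID") != 4624 or event.get("LogonType") != logon_type:
        return False                      # selection
    ip = event.get("IpAddress", "-")
    if ip == "-":
        return False                      # filter_main_empty
    if is_local(ip):
        return False                      # filter_main_local_ranges
    return True


def evaluate(events, known_public_sources=frozenset()):
    """Return (rule, source IP, target user, known_source) for each hit.

    known_source marks hits from an address the defender has already
    documented as legitimate (e.g. a VPN concentrator's egress address);
    those are the candidates for the false-positive tuning this entry is about.
    """
    hits = []
    for e in events:
        for name, logon_type in RULES.items():
            if matches(e, logon_type):
                src = e["IpAddress"]
                hits.append((name, src, e["TargetUserName"], src in known_public_sources))
    return hits


# Constructed sample events (TEST-NET addresses, fictitious users).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.10", "TargetUserName": "admin"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.1.2.3", "TargetUserName": "alice"},
    {"EventID": 4624, "LogonType": 3, "IpAddress": "-", "TargetUserName": "SYSTEM"},
    {"EventID": 4624, "LogonType": 3, "IpAddress": "198.51.100.7", "TargetUserName": "svc_backup"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.10", "TargetUserName": "admin"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "::ffff:192.168.5.5", "TargetUserName": "bob"},
    {"EventID": 4624, "LogonType": 2, "IpAddress": "203.0.113.99", "TargetUserName": "carol"},
]

# Constructed allowlist: one public address the organisation has documented as legitimate.
KNOWN_PUBLIC_SOURCES = frozenset({"198.51.100.7"})

if __name__ == "__main__":
    for rule, src, user, known in evaluate(SAMPLE_EVENTS, KNOWN_PUBLIC_SOURCES):
        tag = "known legitimate source" if known else "review"
        print(f"{rule}: {user} from {src} [{tag}]")
```

Of the seven records only two fire: the RDP logon from 203.0.113.10 (no prior context, so it needs review) and the SMB logon from 198.51.100.7, which the allowlist marks as a documented source. The private-range, empty-address, IPv4-mapped, failed-logon and interactive-logon records are all dropped, which mirrors what the Sigma filters do. Tuning by source address is the narrowest exclusion; widening the CIDR filter instead would hide every logon from that range, including ones the rule exists to catch.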