External Remote SMB Logon from Public IP

Severity: high
Author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)
Source: upstream

Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1078` Valid Accounts, `T1133` External Remote Services
Persistence	`T1078` Valid Accounts, `T1133` External Remote Services
Privilege Escalation	`T1078` Valid Accounts
Defense Evasion	`T1078` Valid Accounts
Credential Access	`T1110` Brute Force

Event coverage

Provider	Event ID	Title
Security-Auditing	4624	An account was successfully logged on.

Stages and Predicates

Stage 1: `selection`

LogonType: 3

Stage 2: `not 1 of filter_main_*`

or:
IpAddress|cidr: '10.0.0.0/8'
IpAddress|cidr: '127.0.0.0/8'
IpAddress|cidr: '169.254.0.0/16'
IpAddress|cidr: '172.16.0.0/12'
IpAddress|cidr: '192.168.0.0/16'
IpAddress|cidr: '::1/128'
IpAddress|cidr: 'fc00::/7'
IpAddress|cidr: 'fe80::/10'
IpAddress: -

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`IpAddress`	cidr_match	`10.0.0.0/8` corpus 3 (sigma 3) `127.0.0.0/8` corpus 4 (sigma 4) `169.254.0.0/16` corpus 4 (sigma 4) `172.16.0.0/12` corpus 3 (sigma 3) `192.168.0.0/16` corpus 3 (sigma 3) `::1/128` corpus 4 (sigma 4) `fc00::/7` corpus 4 (sigma 4) `fe80::/10` corpus 4 (sigma 4)
`IpAddress`	eq	`-` corpus 2 (sigma 2)
`LogonType`	eq	`3` corpus 12 (splunk 7, sigma 5)

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Windows Kerberos Local Successful Logon [splunk] (cross-vendor) (adds 4 filters) (first-stage match only; downstream stages may differ)
Windows Rapid Authentication On Multiple Hosts [splunk] (cross-vendor) (adds 3 filters) (first-stage match only; downstream stages may differ)
Unusual Number of Remote Endpoint Authentication Events [splunk] (cross-vendor) (adds 2 filters) (first-stage match only; downstream stages may differ)
Potential Privilege Escalation via Local Kerberos Relay over LDAP [sigma] (adds 4 filters) (first-stage match only; downstream stages may differ)
Pass the Hash Activity 2 [sigma] (adds 3 filters) (first-stage match only; downstream stages may differ)
RottenPotato Like Attack Pattern [sigma] (adds 3 filters) (first-stage match only; downstream stages may differ)

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.

Potential Account Takeover - Mixed Logon Types [elastic] (cross-vendor) (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)
Potential Account Takeover - Logon from New Source IP [elastic] (cross-vendor) (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)