Adversaries may attempt to brute-force access to systems using public IP addresses to bypass network segmentation or misconfigured security controls. SOC teams should proactively hunt for this behavior to identify potential credential stuffing or reconnaissance efforts targeting Azure environments.
Detection Rule
title: Failed Logon From Public IP
id: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1
status: test
description: Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
author: NVISO
date: 2020-05-06
modified: 2024-03-11
tags:
- attack.privilege-escalation
- attack.defense-evasion
- attack.initial-access
- attack.persistence
- attack.t1078
- attack.t1190
- attack.t1133
logsource:
product: windows
service: security
detection:
selection:
EventID: 4625
filter_main_ip_unknown:
IpAddress|contains: '-'
filter_main_local_ranges:
IpAddress|cidr:
- '::1/128' # IPv6 loopback
- '10.0.0.0/8'
- '127.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- 'fc00::/7' # IPv6 private addresses
- 'fe80::/10' # IPv6 link-local addresses
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate logon attempts over the internet
- IPv4-to-IPv6 mapped IPs
level: medium
imAuthentication
| where (not(((SrcIpAddr contains "-" or TargetIpAddr contains "-") or ((ipv4_is_in_range(SrcIpAddr, "::1/128") or ipv4_is_in_range(SrcIpAddr, "10.0.0.0/8") or ipv4_is_in_range(SrcIpAddr, "127.0.0.0/8") or ipv4_is_in_range(SrcIpAddr, "172.16.0.0/12") or ipv4_is_in_range(SrcIpAddr, "192.168.0.0/16") or ipv4_is_in_range(SrcIpAddr, "169.254.0.0/16") or ipv4_is_in_range(SrcIpAddr, "fc00::/7") or ipv4_is_in_range(SrcIpAddr, "fe80::/10")) or (ipv4_is_in_range(TargetIpAddr, "::1/128") or ipv4_is_in_range(TargetIpAddr, "10.0.0.0/8") or ipv4_is_in_range(TargetIpAddr, "127.0.0.0/8") or ipv4_is_in_range(TargetIpAddr, "172.16.0.0/12") or ipv4_is_in_range(TargetIpAddr, "192.168.0.0/16") or ipv4_is_in_range(TargetIpAddr, "169.254.0.0/16") or ipv4_is_in_range(TargetIpAddr, "fc00::/7") or ipv4_is_in_range(TargetIpAddr, "fe80::/10"))))))Scenario: Remote Administration via SSH or RDP from Public IP
Description: A system administrator is performing routine maintenance using SSH or RDP from a public IP address.
Filter/Exclusion: Check the user context (e.g., user.name == "admin") and verify if the session is associated with a known administrative task or scheduled job (e.g., process.name == "task scheduler" or process.name == "sshd").
Scenario: Scheduled Job Execution from Public IP
Description: A scheduled job (e.g., via Windows Task Scheduler or cron job) is configured to run from a public IP due to a misconfigured bastion host or jump server.
Filter/Exclusion: Filter by process name (e.g., process.name == "schtasks.exe" or process.name == "cron") and check if the job is known and authorized (e.g., process.args contains "authorized_job_name").
Scenario: Cloud Provider Management Console Access
Description: A cloud administrator is accessing the cloud provider’s management console (e.g., AWS Management Console, Azure Portal) from a public IP.
Filter/Exclusion: Check the user agent string (e.g., user.agent contains "AWSConsole" or user.agent contains "AzurePortal") and verify if the session is associated with a known administrative account (e.g., user.name == "cloud-admin").
Scenario: Network Monitoring Tool Access from Public IP
Description: A network monitoring tool (e.g., Wireshark, PRTG, Nagios) is accessed from a public IP by a security team member for troubleshooting.
Filter/Exclusion: Filter by process name (e.g., process.name == "wireshark" or process.name == "nagios") and check the user