Outbound Network Connection To Public IP Via Winlogon

Rule Info

Name

Outbound Network Connection To Public IP Via Winlogon

Author

Christopher Peacock @securepeacock, SCYTHE @scythe_io

Description

Detects a "winlogon.exe" process that initiate network communications with public IP addresses

Reference

https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/

Date

2023-04-28 00:00:00

Modified

2024-03-12 00:00:00

7610a4ea-c06d-495f-a2ac-0a696abcfd3b

Rule History

Author

Title

Date

Commit

Nasreddine Bencherchali

Merge PR #4950 from @nasbench - Comply With v2 Spec Changes

2024-08-12

598d29f81

frack113

Merge PR #4765 from @frack113 - Update additional rules to use the `cidr` modifier

2024-03-13

6abf05818

Nasreddine Bencherchali

Merge PR #4761 from @nasbench - Update rules to use CIDR modifier

2024-03-11

ce7b111f9

github-actions[bot]

Merge PR #4745 from @nasbench - Promote older rules status from `experimental` to `test`

2024-03-01

0108cdc34

Nasreddine Bencherchali

Update net_connection_win_winlogon_net_connections.yml

2023-04-28

64648f9e2

Nasreddine Bencherchali

fix: small updates

2023-04-28

5ff0f2a21

securepeacock

Update net_connection_win_winlogon_net_connections.yml

2023-04-28

9ddbb2be8

securepeacock

Create net_connection_win_winlogon_net_connections.yml

2023-04-28

7355f2a54

Florian Roth

fix: FPs with cloudapp

2023-02-05

88c028f92

Nasreddine Bencherchali

chore: add nextron authors tag

2023-02-01

7c38a5c49

frack113

Fix invalid field cast or name (#3841)

2022-12-30

aee5ca7af

Nasreddine Bencherchali

fix: broken single item lists

2022-12-08

80ef3b70d

frack113

Order yaml field

2022-10-26

a3eed2b76

Florian Roth

fix: FPs with MS IPs

2022-10-04

50b9a3e07

Florian Roth

fix: FPs noticed with Aurora

2022-05-02

892025474