Windows WinLogon with Public Network Connection
The following analytic detects instances of Winlogon.exe, a critical Windows process, connecting to public IP addresses. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on network connections made by Winlogon.exe. Under normal circumstances, Winlogon.exe should not connect to public IPs, and such activity may indicate a compromise, such as the BlackLotus bootkit attack. This detection is significant as it highlights potential system integrity breaches. If confirmed malicious, attackers could maintain persistence, bypass security measures, and compromise the system at a fundamental level.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1542.003 Pre-OS Boot: Bootkit |
| Defense Evasion | T1542.003 Pre-OS Boot: Bootkit |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Sysmon | 3 | Network connection |
Stages and Predicates
Stage 1: tstats
tstats WHERE Processes.process!="unknown" Processes.process_name="winlogon.exe" BY Processes.action, Processes.dest, Processes.original_file_name, Processes.parent_process, Processes.parent_process_exec, Processes.parent_process_guid, Processes.parent_process_id, Processes.parent_process_name, Processes.parent_process_path, Processes.process, Processes.process_exec, Processes.process_guid, Processes.process_hash, Processes.process_id, Processes.process_integrity_level, Processes.process_name, Processes.process_path, Processes.user, Processes.user_id, Processes.vendor_product
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: join
join type=inner (...)
Stage 6: table
table dest, dest_port, parent_process_name, process, process_id, process_name, process_path, publicIp
Stage 7: search
search `macro`
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | All_Traffic.dest | in | 0:0:0:0:0:0:0:1, 10.0.0.0/8, 127.0.0.1, 172.16.0.0/12, 192.168.0.0/16 |
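The rule's core predicate, a winlogon.exe network connection whose destination lies outside the suppressed ranges listed above, as an added Python example that is not part of the Splunk content itself. The events are constructed and modelled on Sysmon Event ID 3 fields; the exclusion list is the one this rule gives, so other non-routable ranges are deliberately not filtered.

```python
import ipaddress

# Exclusion list taken from this rule's All_Traffic.dest predicate.
EXCLUDED_DEST = [ipaddress.ip_network(n) for n in (
    "0:0:0:0:0:0:0:1/128", "10.0.0.0/8", "127.0.0.1/32",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def is_excluded(dest: str) -> bool:
    """True when dest falls in one of the rule's suppressed ranges.
    ipaddress returns False for a v4 address tested against a v6 network."""
    ip = ipaddress.ip_address(dest)
    return any(ip in net for net in EXCLUDED_DEST)


def detect(events):
    """Return events matching the rule: process_name is winlogon.exe,
    process is not "unknown", and dest is not in an excluded range."""
    hits = []
    for ev in events:
        if ev["process_name"].lower() != "winlogon.exe":
            continue
        if ev["process"] == "unknown":
            continue
        if is_excluded(ev["dest"]):
            continue
        hits.append(ev)
    return hits


# Constructed sample events (documentation address ranges, not real hosts).
SAMPLE_EVENTS = [
    {"process_name": "winlogon.exe", "process": "winlogon.exe", "dest": "10.20.30.40", "dest_port": 445},
    {"process_name": "winlogon.exe", "process": "winlogon.exe", "dest": "203.0.113.7", "dest_port": 443},
    {"process_name": "svchost.exe", "process": "svchost.exe -k netsvcs", "dest": "198.51.100.9", "dest_port": 80},
    {"process_name": "winlogon.exe", "process": "unknown", "dest": "198.51.100.9", "dest_port": 443},
    {"process_name": "winlogon.exe", "process": "winlogon.exe", "dest": "::1", "dest_port": 135},
    {"process_name": "winlogon.exe", "process": "winlogon.exe", "dest": "172.31.255.1", "dest_port": 135},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT winlogon.exe -> {hit['dest']}:{hit['dest_port']}")
```

Only the 203.0.113.7 connection survives: the private, loopback and IPv6 loopback destinations are suppressed, the svchost.exe event fails the process-name predicate, and the event with process "unknown" is dropped by the Stage 1 filter.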
Indicators
Each row is a field, operator, and value that the rule matches.
| Field | Kind | Values |
|---|---|---|
| All_Traffic.dest_port | ne | |
| Processes.process | ne | unknown |
| Processes.process_name | in | winlogon.exe |