Windows WinLogon with Public Network Connection

Splunk Security Content

Summary
This analytic detects suspicious network activity by the Winlogon.exe process on Windows systems. Using Sysmon Event IDs 1 and 3 collected through Endpoint Detection and Response (EDR) telemetry, it identifies instances where Winlogon.exe attempts to connect to public IP addresses, which is abnormal. Under normal operation Winlogon.exe connects only to local or internal network resources, so any connection attempt to an external address may indicate malicious activity such as a bootkit compromise like the BlackLotus attack. If confirmed, this behavior could signify an attacker's effort to maintain persistence, bypass security defenses, or otherwise severely compromise the system. The analytic therefore serves as a critical layer of defense by helping to uncover potential breaches of system integrity.
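The detection logic described above, applied to constructed Sysmon Event ID 3 records, as an added example that is not part of Splunk Security Content. The sample events, the outbound-only (Initiated=true) filter, and the use of Python's `is_global` as the "public IP" test are assumptions made for this illustration; the field names follow Sysmon's schema.

```python
import ipaddress

WINLOGON = r"c:\windows\system32\winlogon.exe"

# Constructed Sysmon Event ID 3 (network connection) records for this demo,
# not taken from the page; field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\System32\winlogon.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 88, "Initiated": "true"},  # internal KDC
    {"EventID": 3, "Image": r"C:\Windows\System32\winlogon.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 443, "Initiated": "true"},  # public: alert
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": 443, "Initiated": "true"},  # other process
    {"EventID": 3, "Image": r"C:\Windows\System32\winlogon.exe",
     "DestinationIp": "fe80::1", "DestinationPort": 135, "Initiated": "true"},  # link-local
    {"EventID": 3, "Image": r"C:\Windows\System32\winlogon.exe",
     "DestinationIp": "2001:4860:4860::8888", "DestinationPort": 53, "Initiated": "true"},  # public v6: alert
    {"EventID": 3, "Image": r"C:\Windows\System32\winlogon.exe",
     "DestinationIp": "1.1.1.1", "DestinationPort": 443, "Initiated": "false"},  # inbound, skipped
    {"EventID": 3, "Image": r"C:\Windows\System32\winlogon.exe",
     "DestinationIp": "-", "DestinationPort": 0, "Initiated": "true"},  # unparseable field
]


def is_public(ip_text: str) -> bool:
    # Globally routable means not RFC1918, loopback, link-local, CGNAT, multicast, etc.
    # Malformed telemetry is treated as not public rather than raising.
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False


def winlogon_public_connections(events: list[dict]) -> list[dict]:
    # Return the EID 3 events where winlogon.exe itself initiated a connection to a
    # public destination, which is the condition this analytic alerts on.
    hits = []
    for ev in events:
        if ev.get("EventID") != 3:
            continue
        # Path match is case-insensitive; Sysmon reports the on-disk casing.
        if ev.get("Image", "").lower() != WINLOGON:
            continue
        # Assumption: only outbound attempts matter, so Initiated=false is skipped.
        if str(ev.get("Initiated", "true")).lower() != "true":
            continue
        if is_public(ev.get("DestinationIp", "")):
            hits.append(ev)
    return hits
```

Calling `winlogon_public_connections(SAMPLE_EVENTS)` returns only the two winlogon.exe events bound for 8.8.8.8 and 2001:4860:4860::8888; the internal, link-local, inbound, other-process and malformed records are all filtered out.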
Categories
  • Endpoint
Data Sources
  • Pod
  • Container
  • User Account
  • Process
ATT&CK Techniques
  • T1542.003
Created: 2024-11-13