Hi,
I have installed Suricata 7.0.7 on my Windows 11 computer with more than 100000 rules from https://www.openinfosecfoundation.org/rules/index.yaml
I have detected that fastlog alert !
11/18/2024-20:47:53.578622 [] [1:3301086:8] 
- 
Powershell 
(Windows 11 
) - TLSv1.2 connection to FQDN [] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.74:63260 → 20.189.173.16:443
All i could do is to block the IP in firewall
Have a look at Proxy Detection Test | Detect Proxies With Our IP Lookup | IPQS
I remember a strange message on my computer yesterday asking Powershell to elevate privileges …
Where could this breach come from ?
Could there be a link with my other infected Linux machine which I then reinstalled ?
By the way, the other machine with linux has two partitions (linux + windows 10) and i found on the Windows 10 suricata fast.log this alert
11/11/2024-14:59:30.028368 [] [1:2028762:2] ET JA3 Hash - [Abuse.ch] Possible Trickbot [] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.68:57308 → 181.214.218.3:8080
I have Bitdefendre antivirus and it could not eliminate Trickbot on the Windows 10 machine even in rescue mode !
Bitdefender scans USB disks and finds nothing…
Could my FAI box be infected or is my Ip a cible for attackers ??
Thanks for your answers…