1type: trigger
2name: sigmahq/proc_creation_win_userinit_uncommon_child_processes
3description: |
4  Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
5filter: |
6  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && (evt.Parsed.ParentImage endsWith '\\userinit.exe' && not (evt.Parsed.Image endsWith ':\\WINDOWS\\explorer.exe') && not (evt.Parsed.CommandLine contains 'netlogon.bat' || evt.Parsed.CommandLine contains 'UsrLogon.cmd' || evt.Parsed.CommandLine == 'PowerShell.exe' || evt.Parsed.Image endsWith ':\\Windows\\System32\\proquota.exe' || evt.Parsed.Image endsWith ':\\Windows\\SysWOW64\\proquota.exe' || evt.Parsed.Image endsWith ':\\Program Files (x86)\\Citrix\\HDX\\bin\\cmstart.exe' || evt.Parsed.Image endsWith ':\\Program Files (x86)\\Citrix\\HDX\\bin\\icast.exe' || evt.Parsed.Image endsWith ':\\Program Files (x86)\\Citrix\\System32\\icast.exe' || evt.Parsed.Image endsWith ':\\Program Files\\Citrix\\HDX\\bin\\cmstart.exe' || evt.Parsed.Image endsWith ':\\Program Files\\Citrix\\HDX\\bin\\icast.exe' || evt.Parsed.Image endsWith ':\\Program Files\\Citrix\\System32\\icast.exe' || evt.Parsed.Image == ''))
7blackhole: 2m
8#status: test
9labels:
10  service: windows
11  confidence: 1
12  spoofable: 0
13  classification:
14   - attack.t1037.001
15
16  label: "Uncommon Userinit Child Process"
17  behavior : "windows:audit"
18  remediation: false
19
20scope:
21  type: ParentProcessId
22  expression: evt.Parsed.ParentProcessId
23
24