rules/windows/process_creation/win_susp_userinit_child.yml

title: Suspicious Userinit Child Process
id: b655a06a-31c0-477a-95c2-3726b83d649d
status: experimental
description: Detects a suspicious child process of userinit
references:
    - https://twitter.com/SBousseaden/status/1139811587760562176
author: Florian Roth (rule), Samir Bousseaden (idea)
date: 2019/06/17
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage: '*\userinit.exe'
    filter1:
        CommandLine: '*\\netlogon\\*'
    filter2:
        Image: '*\explorer.exe'
    condition: selection and not filter1 and not filter2
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Administrative scripts
level: medium
Rule: Suspicious userinit.exe child process 2019-06-23 13:27:06 +02:00			`title: Suspicious Userinit Child Process`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: b655a06a-31c0-477a-95c2-3726b83d649d`
Rule: Suspicious userinit.exe child process 2019-06-23 13:27:06 +02:00			`status: experimental`
fix: more FP reductions 2019-11-09 23:36:29 +01:00			`description: Detects a suspicious child process of userinit`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`references:`
Rule: Suspicious userinit.exe child process 2019-06-23 13:27:06 +02:00			`- https://twitter.com/SBousseaden/status/1139811587760562176`
			`author: Florian Roth (rule), Samir Bousseaden (idea)`
			`date: 2019/06/17`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
			`ParentImage: '*\userinit.exe'`
fix: more FP reductions 2019-11-09 23:36:29 +01:00			`filter1:`
			`CommandLine: '\\netlogon\\'`
			`filter2:`
			`Image: '*\explorer.exe'`
			`condition: selection and not filter1 and not filter2`
Rule: Suspicious userinit.exe child process 2019-06-23 13:27:06 +02:00			`fields:`
			`- CommandLine`
			`- ParentCommandLine`
			`falsepositives:`
			`- Administrative scripts`
fix: more FP reductions 2019-11-09 23:36:29 +01:00			`level: medium`