From 39b5eddfc71e53538e75a0195025058fac065e07 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 23 Jun 2019 13:27:06 +0200
Subject: [PATCH] Rule: Suspicious userinit.exe child process

---
 .../win_susp_userinit_child.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_userinit_child.yml

diff --git a/rules/windows/process_creation/win_susp_userinit_child.yml b/rules/windows/process_creation/win_susp_userinit_child.yml
new file mode 100644
index 000000000..bed1fbbfd
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_userinit_child.yml
@@ -0,0 +1,24 @@
+title: Suspicious Userinit Child Process
+status: experimental
+description: Detects the creation of a process from Windows task manager
+references:
+ - https://twitter.com/SBousseaden/status/1139811587760562176
+author: Florian Roth (rule), Samir Bousseaden (idea)
+date: 2019/06/17
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage: '*\userinit.exe'
+ filter:
+ CommandLine:
+ - '*\explorer.exe*'
+ - '*\\netlogon\\*'
+ condition: selection and not filter
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Administrative scripts
+level: high
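Review bot: The `description` does not match the rule it documents: it reads `Detects the creation of a process from Windows task manager`, which looks carried over from another rule, while the title and the `ParentImage: '*\userinit.exe'` selection are about userinit.exe children. Suggest `description: Detects a suspicious child process of userinit.exe that is neither explorer.exe nor a logon script launched from the netlogon share`. Separately, the explorer exclusion is keyed on `CommandLine: '*\explorer.exe*'`, which suppresses any child whose command line merely contains that string rather than the explorer.exe launch itself; moving that branch to `Image: '*\explorer.exe'` (keeping the netlogon pattern on `CommandLine`) would keep the exclusion as narrow as the intent. Note that `'*\userinit.exe'` and `'*\\netlogon\\*'` use different backslash escaping in the same rule; both presumably resolve to a literal backslash, but unifying the style would make the filter easier to review.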