Uncommon Userinit Child Process
- source: sigma
- techniques:
  - t1037
  - t1037.001
Description
Detects uncommon “userinit.exe” child processes, which could be a sign of uncommon shells or login scripts used for persistence.
Detection logic
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_explorer:
  Image|endswith: ':\WINDOWS\explorer.exe'
filter_optional_citrix:
  Image|endswith:
    - ':\Program Files (x86)\Citrix\HDX\bin\cmstart.exe'
    - ':\Program Files (x86)\Citrix\HDX\bin\icast.exe'
    - ':\Program Files (x86)\Citrix\System32\icast.exe'
    - ':\Program Files\Citrix\HDX\bin\cmstart.exe'
    - ':\Program Files\Citrix\HDX\bin\icast.exe'
    - ':\Program Files\Citrix\System32\icast.exe'
filter_optional_image_null:
  Image: null
filter_optional_logonscripts:
  CommandLine|contains:
    - netlogon.bat
    - UsrLogon.cmd
filter_optional_proquota:
  Image|endswith:
    - ':\Windows\System32\proquota.exe'
    - ':\Windows\SysWOW64\proquota.exe'
filter_optional_windows_core:
  CommandLine: PowerShell.exe
selection:
  ParentImage|endswith: '\userinit.exe'
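To make the condition concrete, the following is an added example (not part of the Sigma rule or the Sigma project) that re-implements the rule's selection and filter logic in plain Python and runs it over a handful of constructed process-creation events. It follows Sigma's default semantics: string modifiers are case-insensitive, `Image: null` matches an absent field, and `CommandLine: PowerShell.exe` is an exact (not substring) match, which is why a bare `PowerShell.exe` launch is suppressed while the same binary with arguments is not. The field names and sample paths are assumptions modelled on Sysmon process-creation events.

```python
"""Toy evaluator for the 'Uncommon Userinit Child Process' rule.

Added example; not the rule's own code. Events below are constructed
and only approximate Sysmon Event ID 1 fields (Image, ParentImage, CommandLine).
"""

# Patterns transcribed from the rule. Sigma string matching is case-insensitive.
SELECTION_PARENT_SUFFIXES = ("\\userinit.exe",)
FILTER_MAIN_IMAGE_SUFFIXES = (":\\WINDOWS\\explorer.exe",)
FILTER_OPTIONAL_IMAGE_SUFFIXES = (
    ":\\Program Files (x86)\\Citrix\\HDX\\bin\\cmstart.exe",
    ":\\Program Files (x86)\\Citrix\\HDX\\bin\\icast.exe",
    ":\\Program Files (x86)\\Citrix\\System32\\icast.exe",
    ":\\Program Files\\Citrix\\HDX\\bin\\cmstart.exe",
    ":\\Program Files\\Citrix\\HDX\\bin\\icast.exe",
    ":\\Program Files\\Citrix\\System32\\icast.exe",
    ":\\Windows\\System32\\proquota.exe",
    ":\\Windows\\SysWOW64\\proquota.exe",
)
FILTER_OPTIONAL_CMDLINE_CONTAINS = ("netlogon.bat", "UsrLogon.cmd")
FILTER_OPTIONAL_CMDLINE_EXACT = ("PowerShell.exe",)


def _endswith_any(value, suffixes):
    """Sigma '|endswith' on a single field, case-insensitive."""
    return isinstance(value, str) and any(value.lower().endswith(s.lower()) for s in suffixes)


def _contains_any(value, needles):
    """Sigma '|contains' on a single field, case-insensitive."""
    return isinstance(value, str) and any(n.lower() in value.lower() for n in needles)


def _equals_any(value, candidates):
    """Sigma plain value match: whole-string, case-insensitive."""
    return isinstance(value, str) and any(value.lower() == c.lower() for c in candidates)


def matches(event):
    """True when the event satisfies
    'selection and not 1 of filter_main_* and not 1 of filter_optional_*'."""
    image = event.get("Image")
    cmdline = event.get("CommandLine")

    if not _endswith_any(event.get("ParentImage"), SELECTION_PARENT_SUFFIXES):
        return False  # selection not met: parent is not userinit.exe

    filter_main = _endswith_any(image, FILTER_MAIN_IMAGE_SUFFIXES)
    filter_optional = (
        _endswith_any(image, FILTER_OPTIONAL_IMAGE_SUFFIXES)   # citrix + proquota
        or image is None                                       # filter_optional_image_null
        or _contains_any(cmdline, FILTER_OPTIONAL_CMDLINE_CONTAINS)  # logon scripts
        or _equals_any(cmdline, FILTER_OPTIONAL_CMDLINE_EXACT)       # bare PowerShell.exe
    )
    return not filter_main and not filter_optional


# Constructed events (assumed Sysmon-like field names; not real telemetry).
USERINIT = "C:\\Windows\\System32\\userinit.exe"
SAMPLE_EVENTS = [
    {"ParentImage": USERINIT, "Image": "C:\\WINDOWS\\explorer.exe",
     "CommandLine": "C:\\WINDOWS\\explorer.exe"},                       # normal shell
    {"ParentImage": USERINIT, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c \\\\dc01\\netlogon\\netlogon.bat"},      # logon script
    {"ParentImage": USERINIT, "Image": "C:\\Windows\\System32\\proquota.exe",
     "CommandLine": "proquota.exe"},                                     # quota helper
    {"ParentImage": USERINIT, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "PowerShell.exe"},                                   # exact match, suppressed
    {"ParentImage": USERINIT, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\Users\\Public\\run.ps1"},  # not exact, alerts
    {"ParentImage": USERINIT, "Image": "C:\\Users\\Public\\updater.exe",
     "CommandLine": "C:\\Users\\Public\\updater.exe"},                   # uncommon child, alerts
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe"},                                          # wrong parent, ignored
]


def run(events=SAMPLE_EVENTS):
    """Return the Image of every event the rule would alert on, in input order."""
    return [e.get("Image") for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run():
        print("ALERT uncommon userinit child:", hit)
```

Only the two final PowerShell-with-arguments and `updater.exe` events survive the filters; everything else is either outside the selection or covered by a `filter_main_*`/`filter_optional_*` entry, which is exactly the tuning surface a SOC adjusts when this rule is noisy in an environment with other legitimate userinit children.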