Detects uncommon “userinit.exe” child processes, which could be a sign of uncommon shells or login scripts used for persistence.
title: Uncommon Userinit Child Process
id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
related:
- id: 21d856f9-9281-4ded-9377-51a1a6e2a432
type: similar
status: test
description: Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
references:
- https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html
- https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core
author: Tom Ueltschi (@c_APT_ure), Tim Shelton
date: 2019-01-12
modified: 2023-11-14
tags:
- attack.privilege-escalation
- attack.t1037.001
- attack.persistence
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\userinit.exe'
filter_main_explorer:
Image|endswith: ':\WINDOWS\explorer.exe'
filter_optional_logonscripts:
CommandLine|contains:
- 'netlogon.bat'
- 'UsrLogon.cmd'
filter_optional_windows_core:
# Note: This filter is mandatory on Windows Core machines as the default shell spawned by "userinit" is "powershell.exe".
# https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core
CommandLine: 'PowerShell.exe'
filter_optional_proquota:
Image|endswith:
- ':\Windows\System32\proquota.exe'
- ':\Windows\SysWOW64\proquota.exe'
filter_optional_citrix:
Image|endswith:
# As reported by https://github.com/SigmaHQ/sigma/issues/4569
- ':\Program Files (x86)\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
- ':\Program Files (x86)\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
- ':\Program Files (x86)\Citrix\System32\icast.exe'
- ':\Program Files\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
- ':\Program Files\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
- ':\Program Files\Citrix\System32\icast.exe'
filter_optional_image_null:
Image: null
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate logon scripts or custom shells may trigger false positives. Apply additional filters accordingly.
level: high
imProcessCreate
| where (ParentProcessName endswith "\\userinit.exe" or ActingProcessName endswith "\\userinit.exe") and (not(TargetProcessName endswith ":\\WINDOWS\\explorer.exe")) and (not(((TargetProcessCommandLine contains "netlogon.bat" or TargetProcessCommandLine contains "UsrLogon.cmd") or TargetProcessCommandLine =~ "PowerShell.exe" or (TargetProcessName endswith ":\\Windows\\System32\\proquota.exe" or TargetProcessName endswith ":\\Windows\\SysWOW64\\proquota.exe") or (TargetProcessName endswith ":\\Program Files (x86)\\Citrix\\HDX\\bin\\cmstart.exe" or TargetProcessName endswith ":\\Program Files (x86)\\Citrix\\HDX\\bin\\icast.exe" or TargetProcessName endswith ":\\Program Files (x86)\\Citrix\\System32\\icast.exe" or TargetProcessName endswith ":\\Program Files\\Citrix\\HDX\\bin\\cmstart.exe" or TargetProcessName endswith ":\\Program Files\\Citrix\\HDX\\bin\\icast.exe" or TargetProcessName endswith ":\\Program Files\\Citrix\\System32\\icast.exe") or isnull(TargetProcessName))))| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |