← Back to Explore
sigmamediumHunting
Suspicious Userinit Child Process
Detects a suspicious child process of userinit
Detection Query
selection:
ParentImage|endswith: \userinit.exe
filter_main_netlogon:
CommandLine|contains: \netlogon\
filter_main_explorer:
- Image|endswith: \explorer.exe
- OriginalFileName: explorer.exe
- CommandLine: C:\Windows\Explorer.EXE
filter_main_null:
Image: null
condition: selection and not 1 of filter_main_*
Author
Florian Roth (Nextron Systems), Samir Bousseaden (idea)
Created
2019-06-17
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.privilege-escalationattack.defense-evasionattack.t1055
Raw Content
title: Suspicious Userinit Child Process
id: b655a06a-31c0-477a-95c2-3726b83d649d
status: test
description: Detects a suspicious child process of userinit
references:
- https://twitter.com/SBousseaden/status/1139811587760562176
author: Florian Roth (Nextron Systems), Samir Bousseaden (idea)
date: 2019-06-17
modified: 2025-10-17
tags:
- attack.privilege-escalation
- attack.defense-evasion
- attack.t1055
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\userinit.exe'
filter_main_netlogon:
CommandLine|contains: '\netlogon\'
filter_main_explorer:
- Image|endswith: '\explorer.exe'
- OriginalFileName: 'explorer.exe'
- CommandLine: 'C:\Windows\Explorer.EXE'
filter_main_null:
Image: null
condition: selection and not 1 of filter_main_*
falsepositives:
- Administrative scripts
level: medium