Suspicious Parent Spawning Wininit

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation

Rule description:

This rule monitors cases where a process other than the legitimate "wininit.exe" (Windows Initialization) spawns a new "wininit.exe" process. Abusing this can allow attackers to gain early control during system startup and potentially compromise the system.

Data source:

Windows: Network traffic, process, kernel

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0003 - Persistence, TA0004 - Privilege Escalation

Techniques: T1543 - Create or Modify System Process

Criteria:

Suspicious parent spawning wininit.exe:

• This rule checks for processes ending with "wininit.exe" (including paths).
• It considers it suspicious if the parent is not one of the legitimate smss.exe locations (including paths with System32 or SysWow64).

When to enable this rule:

Enable this rule when the user wants to detect suspicious activity involving the spawning of processes with wininit as the parent, signaling potential malicious activity attempting to gain persistence or execute privileged operations.

Compliance mapping (NIST, CIS):

• NIST CSF: DE.AE (Detection Processes) to detect abnormal spawning behaviors that could undermine system startup processes.
• CIS Control: 8 (Malware Defense) to ensure the integrity of wininit.exe, responsible for initializing critical Windows processes.

Next steps:

Upon triggering this alert, the following actions can be taken:

• Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
• Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
• Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.