Uncommon Userinit Child Process

Sigma Rules

Summary
This detection rule identifies uncommon child processes spawned by `userinit.exe`, the Windows system process that handles user logon and shell initialization. Unusual children of this process can indicate malicious activity or a persistence mechanism, since attackers may abuse the logon sequence to execute unauthorized scripts or tools each time a user signs in. The rule includes filters to separate legitimate logon activity from suspicious behavior: it matches events whose parent process image ends with `userinit.exe` and excludes children that are routinely expected in an enterprise environment, such as `explorer.exe`, specific logon scripts, and Citrix-related executables. False positives are possible, because legitimate user logon scripts can also trigger the rule. Analysts are advised to refine the detection with additional context or filters that reflect their own environment and usage patterns.
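The following is an added example, not the rule's own content or code from the Sigma project: it re-implements the parent/child filter logic described above in Python and runs it over constructed Sysmon-style process-creation events. The allow-list markers (the `\netlogon\` share path for logon scripts and the `\Citrix\` folder) and the sample events are assumptions chosen to illustrate each filter branch.

```python
"""Added example: re-implementation of the userinit.exe child-process filter.
Field names, allow-list markers and events are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str   # Sysmon ParentImage
    image: str          # Sysmon Image
    command_line: str   # Sysmon CommandLine


# Children userinit.exe legitimately spawns at logon (assumed allow-list).
ALLOWED_CHILD_NAMES = {"explorer.exe"}
# Domain logon scripts are commonly run from the NETLOGON share (assumption).
LOGON_SCRIPT_MARKER = "\\netlogon\\"
# Citrix client components are treated as expected children (assumption).
CITRIX_PATH_MARKER = "\\citrix\\"


def is_uncommon_userinit_child(ev: ProcessEvent) -> bool:
    """Return True when the event should raise an alert under the rule logic."""
    # Match on the path separator plus file name so 'evil-userinit.exe' is not a parent hit.
    if not ev.parent_image.lower().endswith("\\userinit.exe"):
        return False
    image = ev.image.lower()
    if image.rsplit("\\", 1)[-1] in ALLOWED_CHILD_NAMES:
        return False
    if LOGON_SCRIPT_MARKER in ev.command_line.lower():
        return False
    if CITRIX_PATH_MARKER in image:
        return False
    return True


def detect(events):
    """Filter a list of events down to those that trigger the rule."""
    return [ev for ev in events if is_uncommon_userinit_child(ev)]


# Constructed sample events: one per filter branch plus one true positive.
U = "C:\\Windows\\System32\\userinit.exe"
SAMPLE_EVENTS = [
    ProcessEvent(U, "C:\\Windows\\explorer.exe", "explorer.exe"),
    ProcessEvent(U, "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c \\\\corp.example\\netlogon\\logon.bat"),
    ProcessEvent(U, "C:\\Program Files (x86)\\Citrix\\ICA Client\\wfcrun32.exe", "wfcrun32.exe"),
    ProcessEvent(U, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -File C:\\Users\\Public\\update.ps1"),
    ProcessEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe"),  # parent is not userinit.exe, so out of scope
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit.image, "|", hit.command_line)
```

Running the block prints a single alert for the `powershell.exe` child launched by `userinit.exe`; the allow-listed `explorer.exe`, NETLOGON script and Citrix events are suppressed, which is where environment-specific tuning would be added.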
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2019-01-12