
Suspicious Userinit Child Process

Summary
This detection rule identifies potentially malicious child processes spawned by 'userinit.exe' on Windows systems. It focuses on cases where the child process's command line contains the string '\netlogon\', which may indicate an unauthorized attempt to access network logon resources, a technique attackers use to execute further commands or scripts. The rule checks that 'ParentImage' ends with '\userinit.exe', the legitimate Windows process responsible for user initialization after logon. To reduce false positives, it excludes child processes that are 'explorer.exe' or one of its variations. In this way the rule helps counter evasion tactics in which attackers execute code disguised as activity of legitimate system processes.
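The matching logic as the summary describes it, applied to a few constructed process-creation events, as an added example that is not part of the rule page. Field names follow Sigma's Windows process-creation convention (ParentImage, Image, CommandLine); the host names and paths in the sample events are made up.

```python
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One Windows process-creation event (Sigma field names, simplified)."""
    parent_image: str
    image: str
    command_line: str


def is_suspicious_userinit_child(ev: ProcessEvent) -> bool:
    """Return True when the event matches the rule as summarised above:
    parent is userinit.exe, the child's command line contains '\\netlogon\\',
    and the child is not explorer.exe. Comparison is case-insensitive, as
    Sigma string matching is by default."""
    parent = ev.parent_image.lower()
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    if not parent.endswith("\\userinit.exe"):
        return False
    if "\\netlogon\\" not in cmd:
        return False
    # explorer.exe is the expected child of userinit.exe at logon; exclude it
    if image.endswith("\\explorer.exe"):
        return False
    return True


# Constructed sample events (hypothetical host names and paths)
SAMPLE_EVENTS = [
    # normal interactive logon: userinit starts the shell
    ProcessEvent(r"C:\Windows\System32\userinit.exe", r"C:\Windows\explorer.exe",
                 r"C:\Windows\Explorer.EXE"),
    # cmd.exe launched by userinit with a script from the netlogon share
    ProcessEvent(r"C:\Windows\System32\userinit.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c \\dc01.corp.example\netlogon\logon.bat"),
    # explorer.exe child referencing netlogon: dropped by the explorer filter
    ProcessEvent(r"C:\Windows\System32\userinit.exe", r"C:\Windows\explorer.exe",
                 r"explorer.exe \\dc01.corp.example\netlogon\scripts"),
    # same command line but a different parent: outside the rule's scope
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c \\dc01.corp.example\netlogon\logon.bat"),
]


def find_matches(events):
    """Return the events that fire the rule."""
    return [ev for ev in events if is_suspicious_userinit_child(ev)]


if __name__ == "__main__":
    for ev in find_matches(SAMPLE_EVENTS):
        print("ALERT:", ev.image, "|", ev.command_line)
```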
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2019-06-17