
Summary
This detection rule identifies the execution of suspicious persistent programs, such as scripts and system executables commonly used by adversaries to maintain access to a compromised environment. It relies on process lineage and command-line usage to surface potential threats. Specifically, the rule monitors the sequence of processes started after user logon: 'userinit.exe' spawning 'explorer.exe', followed by a child process of 'explorer.exe'. That child is matched against runtime programs known for misuse, including 'cscript.exe', 'wscript.exe', 'PowerShell.EXE', and others frequently involved in malware persistence techniques. The rule also inspects the child's command-line arguments for suspicious paths that could indicate an attempt to evade detection by executing from commonly used user directories or temporary storage locations. Key investigation steps are validating the process lineage, analyzing the command-line arguments for malicious patterns, and confirming that the execution context of the suspicious process aligns with known malicious behavior. This rule is vital for detecting persistence techniques used by malware in Windows environments.
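As an added example (not the rule's own query or vendor code), the following Python reproduces the lineage and command-line checks described above over a handful of constructed process events. The monitored program names come from the description; the path patterns standing in for "user directories or temporary storage locations" are an assumption.

```python
import re
from collections import namedtuple

# Constructed sample process events (not real telemetry): pid, parent pid, image name, command line.
ProcEvent = namedtuple("ProcEvent", "pid ppid name cmdline")

SAMPLE_EVENTS = [
    ProcEvent(400, 300, "userinit.exe", "C:\\Windows\\system32\\userinit.exe"),
    ProcEvent(500, 400, "explorer.exe", "C:\\Windows\\Explorer.EXE"),
    # Children of explorer.exe in the userinit.exe -> explorer.exe lineage:
    ProcEvent(600, 500, "wscript.exe", 'wscript.exe "C:\\Users\\alice\\AppData\\Roaming\\update.vbs"'),
    ProcEvent(601, 500, "PowerShell.EXE", "powershell.exe -File C:\\Users\\alice\\AppData\\Local\\Temp\\run.ps1"),
    ProcEvent(602, 500, "notepad.exe", "notepad.exe C:\\Users\\alice\\Documents\\notes.txt"),
    ProcEvent(603, 500, "cscript.exe", "cscript.exe C:\\Program Files\\Vendor\\inventory.js"),
    # Same program and path, but the parent (pid 650) is not in the explorer.exe lineage:
    ProcEvent(700, 650, "wscript.exe", 'wscript.exe "C:\\Users\\bob\\AppData\\Roaming\\x.vbs"'),
]

# Runtime programs named in the rule description (compared case-insensitively).
SUSPICIOUS_PROGRAMS = {"cscript.exe", "wscript.exe", "powershell.exe"}

# Assumed patterns for user-profile and temporary locations; a real rule would carry its own list.
SUSPICIOUS_PATH_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\Users\\Public\\", re.IGNORECASE
)


def detect_persistence_candidates(events):
    """Return events whose lineage is userinit.exe -> explorer.exe -> <monitored program>
    and whose command line references an assumed-suspicious path."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if e.name.lower() not in SUSPICIOUS_PROGRAMS:
            continue
        parent = by_pid.get(e.ppid)
        grandparent = by_pid.get(parent.ppid) if parent else None
        if not (parent and parent.name.lower() == "explorer.exe"
                and grandparent and grandparent.name.lower() == "userinit.exe"):
            continue  # lineage does not match the post-logon chain
        if SUSPICIOUS_PATH_RE.search(e.cmdline):
            hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in detect_persistence_candidates(SAMPLE_EVENTS):
        print(f"ALERT pid={hit.pid} {hit.name}: {hit.cmdline}")
```

Events 602 (program not monitored), 603 (path outside the assumed locations) and 700 (lineage mismatch) are skipped; an analyst would still validate the surviving hits against the investigation steps above.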
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
- Network Traffic
ATT&CK Techniques
- T1547
- T1547.001
Created: 2020-11-19