Unusual winlogon.exe Child Process

Anvilogic Forge

Summary
This detection rule identifies unusual child processes spawned by winlogon.exe, the core Windows process that handles interactive logon, logoff and workstation lock/unlock. The rule treats LogonUI.exe, FontDrvHost.exe, Userinit.exe, Consent.exe and Sihost.exe as the expected children of winlogon.exe. It filters Windows Security process creation events (Event ID 4688) to those whose creator (parent) process is winlogon.exe, then applies an anchored regex as an anti-pattern to exclude the expected child names; anything that remains is reported with the event time, host, user and process details (image path and command line).

An unexpected child of winlogon.exe can indicate tampering with the authentication flow, for example a modified Userinit or Shell value, or a helper (Notify) DLL, under the Winlogon registry key, used for persistence or privilege escalation. That is why the rule maps to the autostart execution technique listed below, and why Windows Registry appears among its data sources alongside process events.

Two practitioner checks apply before relying on this rule: process creation auditing must be enabled so that 4688 events are generated, and the events must carry the Creator Process Name field (present on Windows 10 / Server 2016 and later), since without it the parent cannot be determined. The allowlist should also be validated against the environment, because a name-only match is satisfied by a same-named binary in any directory.
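The following is an added example of the detection logic described above, written here for illustration and not taken from the Anvilogic Forge rule itself. It runs the allowlist anti-pattern over constructed records shaped like Security event 4688 (field names follow the 4688 XML element names; the records are not real logs). It also goes one step beyond the rule as summarised: an expected child name is only accepted when the image lives under System32, so a same-named binary dropped elsewhere is still reported. That path check is an assumption added here, not part of the original rule.

```python
import re

# Expected children of winlogon.exe, exactly as listed in the rule summary.
EXPECTED_CHILDREN = ("LogonUI.exe", "FontDrvHost.exe", "Userinit.exe", "Consent.exe", "Sihost.exe")

# Anchored, case-insensitive alternation. The rule's "anti-pattern" is: the child
# image name does NOT match this regex. Anchoring prevents "xuserinit.exe" or
# "userinit.exe.tmp" from slipping through as an allowlisted name.
EXPECTED_RE = re.compile(
    r"^(?:" + "|".join(re.escape(n) for n in EXPECTED_CHILDREN) + r")$",
    re.IGNORECASE,
)

# Added assumption (not in the original rule): the expected children are shipped
# in System32, so an allowlisted name outside that directory is still reported.
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


def image_name(path: str) -> str:
    """Return the file name component of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def evaluate(event: dict):
    """Return an alert dict for an unexpected winlogon.exe child, else None."""
    if event.get("EventID") != 4688:
        return None  # only process creation events are relevant
    if image_name(event.get("ParentProcessName", "")).lower() != "winlogon.exe":
        return None  # not spawned by winlogon.exe
    child_path = event.get("NewProcessName", "")
    child = image_name(child_path)
    name_ok = EXPECTED_RE.match(child) is not None
    if name_ok and SYSTEM32_RE.match(child_path):
        return None  # expected child in its expected location
    reason = "expected name outside System32" if name_ok else "unexpected child name"
    return {
        "time": event.get("TimeCreated"),
        "host": event.get("Computer"),
        "user": event.get("SubjectUserName"),
        "parent": event.get("ParentProcessName"),
        "process": child_path,
        "command_line": event.get("CommandLine"),
        "reason": reason,
    }


def run(events):
    """Apply the rule to a sequence of events and return the alerts in order."""
    return [alert for alert in map(evaluate, events) if alert is not None]


# Constructed sample records (not real logs), mimicking 4688 fields.
SAMPLE_EVENTS = [
    {"EventID": 4688, "TimeCreated": "2024-02-09T08:01:10Z", "Computer": "WS01",
     "SubjectUserName": "SYSTEM", "ParentProcessName": r"C:\Windows\System32\winlogon.exe",
     "NewProcessName": r"C:\Windows\System32\userinit.exe", "CommandLine": "userinit.exe"},
    {"EventID": 4688, "TimeCreated": "2024-02-09T08:01:11Z", "Computer": "WS01",
     "SubjectUserName": "SYSTEM", "ParentProcessName": r"C:\Windows\System32\winlogon.exe",
     "NewProcessName": r"C:\Windows\System32\LogonUI.exe", "CommandLine": "LogonUI.exe /flags:0x0"},
    {"EventID": 4688, "TimeCreated": "2024-02-09T08:02:30Z", "Computer": "WS01",
     "SubjectUserName": "SYSTEM", "ParentProcessName": r"C:\Windows\System32\winlogon.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 4688, "TimeCreated": "2024-02-09T08:03:05Z", "Computer": "WS01",
     "SubjectUserName": "SYSTEM", "ParentProcessName": r"C:\Windows\System32\winlogon.exe",
     "NewProcessName": r"C:\Users\Public\userinit.exe", "CommandLine": "userinit.exe"},
    {"EventID": 4688, "TimeCreated": "2024-02-09T08:04:00Z", "Computer": "WS01",
     "SubjectUserName": "alice", "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 4624, "TimeCreated": "2024-02-09T08:04:01Z", "Computer": "WS01",
     "SubjectUserName": "alice"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed records, the first two events are accepted as expected children, cmd.exe under winlogon.exe is reported for its name, the stray userinit.exe in C:\Users\Public is reported for its location, and the svchost.exe child and the 4624 logon event are ignored because the rule only looks at 4688 events whose parent is winlogon.exe.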
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1547.004
Created: 2024-02-09