Uncommon Userinit Child Process (0a98a10c-685d-4ab0-bddc-b6bdd1d48458)

Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) | Attack Pattern | Uncommon Userinit Child Process (0a98a10c-685d-4ab0-bddc-b6bdd1d48458) | Sigma-Rules | 1 |
| Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) | Attack Pattern | Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) | Attack Pattern | 2 |