
Conhost Spawned By Suspicious Parent Process

Elastic Detection Rules

Summary
This detection rule targets the spawning of the Windows Console Window Host (conhost.exe) by parent processes that should never need a console. conhost.exe is started as a child of whichever process allocates a console, so a conhost.exe child under a service or system process that has no console of its own (lsass.exe, services.exe, winlogon.exe and others that host system-level functions) indicates that foreign code, typically injected, is running a console-mode payload inside that process. The rule uses EQL (Event Query Language) to match process-start events where the process name is conhost.exe and the parent name is one of those system processes, flagging abuse of a legitimate process to evade detection. It also lays out investigative steps: examining the execution chain, verifying the legitimacy of the parent process, and checking suspicious binaries against threat intelligence. Response guidance covers incident containment and remediation, follow-up scans, and password resets to limit credential exposure. The overall objective is to improve detection of the execution, defense evasion and privilege escalation tactics attackers use against Windows hosts.
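The following is an added example, not the rule's own EQL or any code from Elastic: it replays the rule's matching logic in Python over constructed process-start records and then walks the execution chain for each hit, as the summary's investigative steps suggest. The parent list is an illustrative subset of the names given above; the full list is in the rule source. Field names, sample events and the ancestry helper are assumptions made for the demonstration.

```python
"""Replay of the conhost-parent check over constructed process-start events.

Added example; not the Elastic rule's EQL or code. Field names, the event
shape and the sample telemetry below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Illustrative subset of parents that never legitimately allocate a console.
# A conhost.exe child under one of them points at injected code running a
# console-mode payload. Extend from the rule source for production use.
SUSPICIOUS_PARENTS = frozenset({"lsass.exe", "services.exe", "winlogon.exe"})


@dataclass(frozen=True)
class ProcessStart:
    pid: int
    ppid: int
    name: str
    parent_name: str
    command_line: str
    user: str


def is_suspicious_conhost(ev: ProcessStart) -> bool:
    """Same condition as the rule: child is conhost.exe and the parent is on
    the list. EQL's ':' operator is case-insensitive, so lowercase both sides;
    the parent name is the field the rule keys on, not the parent's path."""
    return (ev.name.lower() == "conhost.exe"
            and ev.parent_name.lower() in SUSPICIOUS_PARENTS)


def ancestry(pid: int, by_pid: Dict[int, ProcessStart], limit: int = 10) -> List[str]:
    """Walk the execution chain upward from pid. Stops when the parent was
    not observed (e.g. started before telemetry began), on a pid cycle, or
    after `limit` hops, so a malformed tree cannot loop forever."""
    chain: List[str] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen and len(chain) < limit:
        seen.add(cur.pid)
        chain.append(cur.name)
        cur = by_pid.get(cur.ppid)
    return chain


def find_alerts(events: List[ProcessStart]) -> List[dict]:
    """Apply the detection to every event and attach the chain for triage."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if is_suspicious_conhost(ev):
            alerts.append({
                "pid": ev.pid,
                "parent": ev.parent_name,
                "user": ev.user,
                "command_line": ev.command_line,
                "chain": ancestry(ev.pid, by_pid),
            })
    return alerts


# Constructed sample telemetry (not real data): a benign interactive cmd.exe
# session, and a conhost.exe under lsass.exe as an injected console payload
# would produce. The smss.exe parent of wininit.exe is deliberately absent to
# show the chain walk stopping at an unobserved ancestor.
SAMPLE_EVENTS = [
    ProcessStart(4, 0, "System", "", "", "NT AUTHORITY\\SYSTEM"),
    ProcessStart(600, 500, "wininit.exe", "smss.exe",
                 "wininit.exe", "NT AUTHORITY\\SYSTEM"),
    ProcessStart(700, 600, "lsass.exe", "wininit.exe",
                 "C:\\Windows\\system32\\lsass.exe", "NT AUTHORITY\\SYSTEM"),
    ProcessStart(3100, 2500, "cmd.exe", "explorer.exe",
                 "\"C:\\Windows\\system32\\cmd.exe\"", "CORP\\alice"),
    ProcessStart(3104, 3100, "conhost.exe", "cmd.exe",
                 "\\??\\C:\\Windows\\system32\\conhost.exe 0x4", "CORP\\alice"),
    # Mixed case on purpose: a case-sensitive comparison would miss this one.
    ProcessStart(4210, 700, "CONHOST.EXE", "lsass.exe",
                 "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
                 "NT AUTHORITY\\SYSTEM"),
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the block reports exactly one alert: the conhost.exe under lsass.exe, with the chain CONHOST.EXE -> lsass.exe -> wininit.exe (the walk stops there because smss.exe was not in the sample). The conhost.exe under cmd.exe is the normal console-session case and is not flagged, which is the distinction the rule relies on.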
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1059
  • T1036
  • T1055
Created: 2020-08-17