
Summary
The detection rule identifies suspicious activity involving the Console Window Host process (conhost.exe) being started with the -ForceV1 flag, a behavior that deviates from standard Windows practice. This anomalous execution method has been linked to the Ryuk ransomware family, which uses such process manipulations to persist on infected systems. However, further testing revealed that this behavior is not exclusive to Ryuk, so it could also indicate other malicious activity. The rule operates on logs from Sysmon EventID 1, which records process creation among other telemetry. Because conhost.exe is not normally launched with this flag, instances where it is warrant scrutiny for possible malicious intent. The rule flags the event for review, but it is marked as deprecated because testing environments showed that it can also capture normal operational behavior under certain conditions.
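The following Python script is an added illustration of the rule logic described above, not the rule's own implementation or any vendor's code. It applies the match (Sysmon EventID 1, image ending in conhost.exe, command line containing -ForceV1) to a handful of constructed Sysmon-style process-creation records, and because the rule is deprecated for catching benign activity, each hit is returned with its parent process and user so an analyst can triage it rather than treat it as a confirmed incident. The sample events, user names and paths are made up for the example.

```python
# Added example: detection logic for "conhost.exe started with -ForceV1"
# run over constructed Sysmon Event ID 1 records. Field names follow the
# Sysmon process-creation schema (Image, CommandLine, ParentImage, User);
# the values below are invented sample data, not real telemetry.

SAMPLE_EVENTS = [
    {   # should match: conhost.exe process creation carrying -ForceV1
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\conhost.exe",
        "CommandLine": "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "User": "CORP\\alice",
    },
    {   # normal conhost.exe launch, no -ForceV1: must not match
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\conhost.exe",
        "CommandLine": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "User": "CORP\\bob",
    },
    {   # -ForceV1 on a different image: must not match
        "EventID": 1,
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "CommandLine": "notepad.exe -ForceV1",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "User": "CORP\\carol",
    },
    {   # right image and flag but not a process-creation event (EventID 3
        # is a network connection): the rule only consumes EventID 1
        "EventID": 3,
        "Image": "C:\\Windows\\System32\\conhost.exe",
        "CommandLine": "conhost.exe -ForceV1",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "User": "CORP\\dave",
    },
]


def matches_rule(event: dict) -> bool:
    """Return True when a record satisfies the rule as summarised above.

    Matching is case-insensitive because Sysmon preserves whatever casing
    the caller used for the image path and arguments.
    """
    if event.get("EventID") != 1:
        return False
    image = event.get("Image", "").lower()
    command_line = event.get("CommandLine", "").lower()
    return image.endswith("\\conhost.exe") and "-forcev1" in command_line


def run_detection(events: list[dict]) -> list[dict]:
    """Apply the rule to a batch of events and build review-ready alerts.

    The rule is known to fire on some benign activity, so each alert keeps
    the parent image and user: those are the fields an analyst needs to
    decide whether the launch is expected on that host.
    """
    alerts = []
    for event in events:
        if matches_rule(event):
            alerts.append({
                "rule": "conhost.exe started with -ForceV1 (deprecated rule, review required)",
                "image": event["Image"],
                "command_line": event["CommandLine"],
                "parent_image": event.get("ParentImage", "<unknown>"),
                "user": event.get("User", "<unknown>"),
            })
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(f"[REVIEW] {alert['user']} : {alert['parent_image']} -> "
              f"{alert['image']} | {alert['command_line']}")
```

Only the first sample record produces an alert; the second shows the ordinary conhost.exe launch the rule must stay quiet on, and the third and fourth show why both the image check and the EventID check are needed.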
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1059.003
Created: 2024-11-14