
Summary
This detection rule identifies potential abuse of the Console Window Host (conhost.exe) on Windows, specifically its use as a proxy to execute commands. The technique is a form of defense evasion: by launching through conhost.exe, malicious activity blends in with a standard system process. The rule's signals are command-line arguments associated with common attack vectors such as PowerShell and CMD execution. Analysts are guided to investigate the relationship between conhost.exe and its child processes, the user accounts initiating the activity, and any historical alerts for the same user or host. False positive considerations are included, noting that because conhost.exe has legitimate uses, not every alert requires intervention. Detailed response and remediation steps are outlined so that proper incident response protocols are followed once a security incident is confirmed. The risk score assigned to this rule is 73, indicating a high level of concern for threats originating from this behavior.
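The following is an added illustration of the detection logic the summary describes, not the rule's own query or the vendor's code. It applies the stated signal (conhost.exe itself is the process, and its arguments name cmd.exe or PowerShell) to a handful of constructed process-creation events, then groups the hits by host, user and parent process to support the triage steps the summary recommends. The event field names (`host`, `user`, `parent`, `process`, `cmdline`) are assumptions, not a real EDR schema.

```python
import re
from collections import Counter

# Constructed sample process-creation events (not real telemetry).
# Field names are assumptions for this example, not a real EDR schema.
SAMPLE_EVENTS = [
    # Normal console host for a console application: the only argument is a handle value.
    {"host": "WS01", "user": "alice", "parent": "cmd.exe", "process": "conhost.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    # conhost.exe used as a proxy to launch PowerShell.
    {"host": "WS01", "user": "alice", "parent": "explorer.exe", "process": "conhost.exe",
     "cmdline": r"conhost.exe --headless powershell.exe -nop -c Get-Date"},
    # conhost.exe used as a proxy to launch cmd.exe.
    {"host": "SRV02", "user": "svc_backup", "parent": "wscript.exe", "process": "conhost.exe",
     "cmdline": r"C:\Windows\System32\conhost.exe cmd.exe /c Get-Date"},
    # Ordinary PowerShell launch: conhost.exe is only the parent, not the proxy.
    {"host": "SRV02", "user": "bob", "parent": "conhost.exe", "process": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# Strips the leading conhost.exe image path (with or without the \??\ prefix) from a command line.
CONHOST_IMAGE_RE = re.compile(r"^\S*conhost\.exe\s*", re.IGNORECASE)

# Matches a shell image name (cmd, powershell, pwsh) appearing as its own token in the arguments.
PROXY_TARGET_RE = re.compile(r'(?:^|[\s\\"])(?:cmd|powershell|pwsh)(?:\.exe)?\b', re.IGNORECASE)


def is_conhost_proxy(event):
    """Return True when conhost.exe is the process and its arguments name a shell to run.

    The legitimate conhost.exe invocation carries only a handle value (e.g. 0x4), so a
    command line whose arguments name cmd.exe or PowerShell is the signal the rule looks for.
    """
    if event.get("process", "").lower() != "conhost.exe":
        return False
    args = CONHOST_IMAGE_RE.sub("", event.get("cmdline", ""), count=1)
    return bool(PROXY_TARGET_RE.search(args))


def find_conhost_proxy_events(events):
    """Filter a list of process events down to those matching the proxy-execution signal."""
    return [e for e in events if is_conhost_proxy(e)]


def triage_summary(hits):
    """Group hits the way the rule's investigation guidance suggests: by host/user and by parent."""
    by_host_user = Counter((h["host"], h["user"]) for h in hits)
    parents = Counter(h["parent"] for h in hits)
    return {"by_host_user": dict(by_host_user), "parents": dict(parents)}


if __name__ == "__main__":
    hits = find_conhost_proxy_events(SAMPLE_EVENTS)
    for h in hits:
        print(f"[conhost proxy] host={h['host']} user={h['user']} parent={h['parent']} cmd={h['cmdline']}")
    print(triage_summary(hits))
```

The parent-process grouping is where the false-positive review happens: a hit whose parent is a scripting host or a browser deserves more attention than one whose parent is an interactive shell, and repeated hits for the same host and user pair should be compared against that user's prior alerts before escalating.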
Categories
- Endpoint
- Windows
- Cloud
Data Sources
- Windows Registry
- Process
- User Account
- Network Traffic
- Application Log
- Service
ATT&CK Techniques
- T1202
Created: 2025-08-21