
Summary
This detection rule identifies excessive spawning of the taskhost.exe and taskhostex.exe processes on Windows endpoints, using process telemetry captured by Endpoint Detection and Response (EDR) agents. The rule counts occurrences of each process over a defined time window and raises an alert when the count exceeds the threshold (more than 10 instances of either process). This behavior indicates potential malicious activity and is notably associated with post-exploitation tools such as Meterpreter and Koadic, which can spawn many instances of these processes during lateral movement and discovery actions. The rule processes Sysmon and Windows Event Log data to surface unusual patterns that suggest an ongoing intrusion, supporting early detection of advanced threats that might exploit system vulnerabilities.
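The counting logic described above, as an added example that is not the rule's own search or the vendor's code: it applies a per-host sliding window to constructed Sysmon-style process-creation records. The 15-minute window length, the host names and the one-line record format are assumptions; the watched image names and the "more than 10" threshold are the page's.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Processes the rule watches and the per-process threshold (alert when count > 10).
WATCHED = {"taskhost.exe", "taskhostex.exe"}
THRESHOLD = 10

# Constructed Sysmon-style records, not real telemetry: "<ISO timestamp> <host> <image path>".
# WS01 spawns taskhost.exe 12 times in 12 seconds (should alert) and taskhostex.exe 3 times
# (should not); WS02 spawns taskhost.exe 11 times spread over 100 minutes (should not alert).
SAMPLE_LOGS = (
    [f"2024-11-13T10:00:{i:02d} WS01 C:\\Windows\\System32\\taskhost.exe" for i in range(12)]
    + ["2024-11-13T10:00:30 WS01 C:\\Windows\\System32\\taskhostex.exe"] * 3
    + [f"2024-11-13T{8 + i // 6:02d}:{(i % 6) * 10:02d}:00 WS02 C:\\Windows\\System32\\taskhost.exe"
       for i in range(11)]
    + ["2024-11-13T10:00:05 WS01 C:\\Windows\\System32\\svchost.exe"]
)


def parse_events(lines):
    """Parse records into (timestamp, host, lowercase image file name) tuples."""
    events = []
    for line in lines:
        ts, host, image = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), host, image.rsplit("\\", 1)[-1].lower()))
    return events


def detect_excessive_spawns(events, window=timedelta(minutes=15), threshold=THRESHOLD):
    """Return {(host, image): peak_count} for each watched image whose spawn count on a single
    host exceeds `threshold` within any sliding window of length `window`."""
    by_key = defaultdict(list)
    for ts, host, image in events:
        if image in WATCHED:  # unrelated processes (e.g. svchost.exe) are ignored
            by_key[(host, image)].append(ts)
    alerts = {}
    for key, times in by_key.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    for (host, image), count in detect_excessive_spawns(parse_events(SAMPLE_LOGS)).items():
        print(f"ALERT {host}: {image} spawned {count} times within 15 minutes")
```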
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1059
Created: 2024-11-13