
Summary
This detection rule identifies suspicious use of conhost.exe, the Windows console host, which adversaries can abuse as a proxy for command execution to bypass security controls. The rule captures process activity in which conhost.exe launches other executables, a pattern associated with evasion tactics used by malware such as Qakbot. By monitoring process logs for this parent-child relationship, the detection surfaces indirect command execution, a common method adversaries use to run malicious commands while avoiding detection. The rule is particularly relevant in Windows environments, where conhost.exe is normally started by other processes or through user interaction, so conhost.exe acting as the parent of a new executable stands out. The detection maps to the ATT&CK techniques defense evasion: indirect command execution (T1202) and defense evasion: exploitation for defense evasion (T1211). The logic runs a SQL-like query over EDR process logs to filter events in which conhost.exe is suspected of executing other processes, helping analysts pinpoint potential threats quickly.
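The parent-child filter described above, written out as an added example in Python rather than the rule's own SQL-like query; the event fields (parent_image, image, command_line), the sample telemetry and the normalization helper are assumptions modelled on typical EDR process-creation records, and none of the sample lines are real logs.

```python
"""Flag process-creation events in which conhost.exe spawns another executable.

Added illustration of the detection idea on this page, not the rule's own query.
The event shape below is an assumption modelled on typical EDR process telemetry.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    host: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    command_line: str


def basename(image: str) -> str:
    """Case-insensitive file name, so C:\\WINDOWS\\SYSTEM32\\CONHOST.EXE still matches."""
    return PureWindowsPath(image).name.lower()


def is_conhost_spawn(ev: ProcessEvent) -> bool:
    """True when conhost.exe is the parent and the child is a different binary."""
    return basename(ev.parent_image) == "conhost.exe" and basename(ev.image) != "conhost.exe"


def detect(events):
    """Return the events that match the conhost.exe parent pattern, in log order."""
    return [ev for ev in events if is_conhost_spawn(ev)]


# Constructed sample telemetry (not real logs): the first event is the normal case of
# cmd.exe starting its console host; the next two show conhost.exe as the parent,
# the second with mixed-case paths to exercise the normalization.
SAMPLE_EVENTS = [
    ProcessEvent("2024-02-09T10:00:01Z", "ws01", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0x4"),
    ProcessEvent("2024-02-09T10:00:05Z", "ws01", r"C:\Windows\System32\conhost.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("2024-02-09T10:00:09Z", "ws01", r"C:\WINDOWS\SYSTEM32\CONHOST.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print(f"{ev.timestamp} {ev.host}: conhost.exe spawned {basename(ev.image)}")
```

Running the block reports the two conhost-parented events and leaves the ordinary cmd.exe-to-conhost.exe launch alone.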
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
- Sensor Health
ATT&CK Techniques
- T1202
- T1211
Created: 2024-02-09