
Conhost Spawned By Uncommon Parent Process

Summary
This detection rule identifies instances where the Console Window Host (conhost.exe) process is spawned by a parent process that is uncommon in legitimate usage. A conhost.exe launched in this way can indicate malicious activity such as code injection, where an attacker leverages this unusual behavior to evade security controls. The rule inspects the process creation event, checking whether the 'Image' ends with '\conhost.exe' and whether its 'ParentImage' matches a predefined list of uncommon parent processes. An alert is raised when the parent of the detected conhost.exe is a process susceptible to code injection and the event is not one of the excluded cases (known service host launches or known Dropbox usage). By focusing on this behavior, security teams can investigate potentially harmful activity that could compromise system integrity, especially in environments where Windows processes are manipulated for unauthorized access or execution of malicious code.
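As an added example that is not part of this rule page or the Sigma project, the following Python evaluates the rule's structure (an 'Image'/'ParentImage' selection minus exception filters, i.e. `selection and not 1 of filter_*`) over constructed process-creation events. The parent-process list, the service-host filter and the Dropbox filter are assumed placeholders, not the rule's actual values.

```python
# Assumed stand-in for the rule's structure; parent list and filter contents are placeholders.
RULE = {
    "selection": {
        "Image|endswith": "\\conhost.exe",
        "ParentImage|endswith": ["\\lsass.exe", "\\winlogon.exe", "\\svchost.exe"],
    },
    "filter_service_host": {  # placeholder for a known-benign service host launch
        "ParentImage|endswith": "\\svchost.exe",
        "ParentCommandLine|contains": "-k PLACEHOLDER_GROUP",
    },
    "filter_dropbox": {"ParentImage|contains": "\\Dropbox\\"},  # placeholder
}

def _field_matches(value, modifier, wanted):
    """One 'Field|modifier' test; case-insensitive, a list of values is an OR."""
    wanted = wanted if isinstance(wanted, list) else [wanted]
    v = value.lower()
    if modifier == "endswith":
        return any(v.endswith(w.lower()) for w in wanted)
    if modifier == "contains":
        return any(w.lower() in v for w in wanted)
    raise ValueError(f"unsupported modifier: {modifier}")

def _block_matches(block, event):
    """Every key in a selection/filter block must match (AND)."""
    for key, wanted in block.items():
        field, modifier = key.split("|", 1)
        if not _field_matches(str(event.get(field, "")), modifier, wanted):
            return False
    return True

def is_alert(event):
    """Evaluate the condition 'selection and not 1 of filter_*'."""
    if not _block_matches(RULE["selection"], event):
        return False
    filters = [v for k, v in RULE.items() if k.startswith("filter_")]
    return not any(_block_matches(f, event) for f in filters)

def alerts(events):
    """ProcessIds of the events that would raise this rule."""
    return [e["ProcessId"] for e in events if is_alert(e)]

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 1, "Image": "C:\\Windows\\System32\\conhost.exe",
     "ParentImage": "C:\\Windows\\System32\\lsass.exe"},
    {"ProcessId": 2, "Image": "C:\\Windows\\System32\\conhost.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "ParentCommandLine": "svchost.exe -k PLACEHOLDER_GROUP"},
]
```

Event 1 alerts because its parent is on the placeholder list and no filter applies; event 2 is suppressed by the placeholder service-host filter.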
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-09-28