Suspicious High IntegrityLevel Conhost Legacy Option

Summary
This rule detects suspicious execution of the Conhost process at a high integrity level with specific command-line arguments. In particular, it identifies instances where Conhost is executed with the '-ForceV1' argument, which requests information directly from the kernel space. A high integrity level indicates that the Conhost process is running with elevated privileges, typically associated with Administrator access. Such execution could signify an attempt to bypass standard security controls and may indicate malicious activity. The rule's conditions are based on the Integrity Level of the process, specifically looking for the High integrity level (S-1-16-12288), combined with a command line that contains the terms 'conhost.exe', '0xffffffff', and '-ForceV1'. While this detection is informative, legitimate applications may also use the same settings, so false positives are possible, especially for commands run from an administrative console. The context around these events (the parent process and the user's activity) is critical to understanding the intent behind them.
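The matching condition described above, expressed as a small Python filter run over constructed process-creation events. This is an added illustration, not the Sigma rule itself or its project's code; the event field names (IntegrityLevel, CommandLine, ParentImage) follow Sysmon Event ID 1 conventions, the acceptance of the label "High" alongside the SID S-1-16-12288 is an assumption about how a log pipeline may represent the integrity level, and all sample events are made up for the demonstration.

```python
from typing import Dict, List, Tuple

# Integrity-level value the rule looks for, as stated in the summary.
HIGH_INTEGRITY_SID = "S-1-16-12288"

# Every one of these substrings must appear in the command line (case-insensitive).
REQUIRED_TOKENS = ("conhost.exe", "0xffffffff", "-forcev1")


def is_high_integrity(level: str) -> bool:
    """True for the High integrity level.

    Assumption: a pipeline may carry either the SID form or the Sysmon
    label "High"; both are treated as the same level here.
    """
    return level in (HIGH_INTEGRITY_SID, "High")


def matches(event: Dict[str, str]) -> bool:
    """Apply the rule's condition to a single process-creation event."""
    cmd = event.get("CommandLine", "").lower()
    return is_high_integrity(event.get("IntegrityLevel", "")) and all(
        token in cmd for token in REQUIRED_TOKENS
    )


def evaluate(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (event id, parent image) for each matching event.

    The parent image is returned because the rule summary stresses that the
    surrounding context is needed to triage a hit as benign or malicious.
    """
    return [(e["EventId"], e.get("ParentImage", "")) for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # elevated console host with all three tokens: matches
        "EventId": "evt-1",
        "IntegrityLevel": "High",
        "CommandLine": r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # same command line at Medium integrity: an ordinary user console, no match
        "EventId": "evt-2",
        "IntegrityLevel": "Medium",
        "CommandLine": r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # elevated but without the -ForceV1 switch: no match
        "EventId": "evt-3",
        "IntegrityLevel": HIGH_INTEGRITY_SID,
        "CommandLine": r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # elevated, SID form of the level, tokens in mixed case: matches
        "EventId": "evt-4",
        "IntegrityLevel": HIGH_INTEGRITY_SID,
        "CommandLine": r"C:\Windows\System32\CONHOST.EXE 0xFFFFFFFF -forcev1",
        "ParentImage": r"C:\Temp\unknown.exe",
    },
]


if __name__ == "__main__":
    for event_id, parent in evaluate(SAMPLE_EVENTS):
        print(f"{event_id}: conhost high-integrity legacy option, parent={parent}")
```

Because the summary notes that administrative command executions trigger the same pattern, the parent image returned by evaluate is the first thing to look at when triaging: evt-1 (spawned by cmd.exe) reads like an administrator's console, whereas evt-4 is worth a closer look only because of where it was launched from, not because the rule scored it differently.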
Categories
  • Windows
Data Sources
  • Process
Created: 2022-12-09