
Summary
This detection rule flags process-creation events in which CustomShellHost.exe is started by a parent process other than the Windows shell, explorer.exe. CustomShellHost.exe is a signed Windows binary that hosts the shell, and because a trusted system binary can be abused to launch or mask other code, it is a candidate for defense evasion: an adversary who can invoke it from a script, a command prompt, or a dropped executable inherits a parent-child chain that looks like normal shell activity. Under normal operation the binary is launched by explorer.exe, so any other parent (cmd.exe, powershell.exe, an Office application, an unknown executable in a user-writable directory) is the condition worth investigating, together with the parent's full path and command line. The rule matches on the process image name and the parent image name only; it does not inspect the parent's location, so an explorer.exe copied to a non-system directory would not trigger it and is worth a separate check. False positives are possible where CustomShellHost.exe is a legitimate part of the deployment, for example on hosts configured to run a custom shell, and the expected parent processes there should be baselined and excluded rather than the rule disabled.
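The detection logic described above, as an added example that is not part of the original rule page: a small Python implementation that evaluates Sysmon-style process-creation records (the Image and ParentImage fields follow the Sysmon Event ID 1 schema; the sample records are constructed for this example). It also shows the two tuning knobs a practitioner usually needs, an allow-list of expected parents for hosts where CustomShellHost.exe is legitimate, and an optional stricter mode (an addition here, not part of the rule as described) that also flags an explorer.exe parent living outside the Windows directory. The system-root path is an assumption and should be read from %SystemRoot% in real use.

```python
"""Added example: evaluate the CustomShellHost parent-process rule over
constructed Sysmon-style process-creation records. Not the rule page's
own code."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Sequence

# Assumption: the Windows directory is C:\Windows; a real deployment
# should take this from %SystemRoot% rather than hard-coding it.
SYSTEM_ROOT = r"c:\windows"


@dataclass(frozen=True)
class ProcessCreate:
    """Subset of a Sysmon Event ID 1 record used by the rule."""
    image: str
    parent_image: str
    command_line: str = ""


def _basename(path: str) -> str:
    # Windows file names are case-insensitive; compare the name only.
    return PureWindowsPath(path).name.lower()


def _parent_dir(path: str) -> str:
    # Directory portion, lower-cased, for the stricter location check.
    return str(PureWindowsPath(path).parent).lower()


def is_suspicious(event: ProcessCreate,
                  allowed_parents: Sequence[str] = (),
                  require_system_explorer: bool = False) -> bool:
    """Return True when the event matches the rule.

    Rule as described on the page: Image is CustomShellHost.exe and the
    parent is not explorer.exe. allowed_parents adds baselined parents
    for hosts where CustomShellHost.exe is expected. With
    require_system_explorer=True (an added hardening, not the rule
    itself) an explorer.exe parent outside SYSTEM_ROOT also fires.
    """
    if _basename(event.image) != "customshellhost.exe":
        return False
    parent = _basename(event.parent_image)
    if parent == "explorer.exe":
        if require_system_explorer and _parent_dir(event.parent_image) != SYSTEM_ROOT:
            return True
        return False
    if parent in {p.lower() for p in allowed_parents}:
        return False
    return True


def detect(events: Iterable[ProcessCreate],
           allowed_parents: Sequence[str] = (),
           require_system_explorer: bool = False) -> List[ProcessCreate]:
    """Filter an event stream down to the records the rule flags."""
    return [e for e in events
            if is_suspicious(e, allowed_parents, require_system_explorer)]


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    # Normal: launched by the real Windows shell. Should not fire.
    ProcessCreate(r"C:\Windows\System32\CustomShellHost.exe",
                  r"C:\Windows\explorer.exe"),
    # Launched from a command prompt. Should fire.
    ProcessCreate(r"C:\Windows\System32\CustomShellHost.exe",
                  r"C:\Windows\System32\cmd.exe",
                  r"CustomShellHost.exe"),
    # Launched from PowerShell, mixed-case image path. Should fire.
    ProcessCreate(r"C:\WINDOWS\SYSTEM32\CUSTOMSHELLHOST.EXE",
                  r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # explorer.exe parent in a user-writable directory: passes the rule
    # as described, fires only with require_system_explorer=True.
    ProcessCreate(r"C:\Windows\System32\CustomShellHost.exe",
                  r"C:\Users\Public\explorer.exe"),
    # Unrelated process; never matches.
    ProcessCreate(r"C:\Windows\System32\notepad.exe",
                  r"C:\Windows\System32\cmd.exe"),
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, require_system_explorer=True):
        print(f"SUSPICIOUS: {hit.image} <- parent {hit.parent_image}")
```

Running the block prints the three records a stricter analyst would want to see; `detect(SAMPLE_EVENTS)` alone reproduces the rule as described and returns two. On a fleet where a particular launcher is the legitimate parent, pass its file name in `allowed_parents` rather than loosening the explorer.exe filter.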
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
Created: 2022-08-19