Powershell Executed From Headless ConHost Process

Sigma Rules

Summary
This rule detects potentially malicious use of PowerShell launched through a headless ConHost process. The detection triggers when conhost.exe is started with the '--headless' option, which keeps the console window from being shown to the user, and is used to run PowerShell. This behavior is often associated with attempts to keep the activity from being noticed by the user. The detection logic looks for process-creation events where the command line contains both the '--headless' flag and the string 'powershell', and where the process image is 'conhost.exe' or the PE original filename is 'CONHOST.EXE' (so a renamed copy of the binary is still caught). This detection helps identify defense evasion tactics used by malicious actors.
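The matching logic described above, written out as an added Python example (not the rule's own source, which this page does not show) and run over constructed process-creation events; the Sysmon-style field names Image, OriginalFileName and CommandLine are an assumption, and string matching is case-insensitive as Sigma 'contains' and 'endswith' modifiers are by default:

```python
"""Added example: a model of the headless-ConHost PowerShell detection logic,
applied to constructed Windows process-creation events (not real telemetry).
Field names follow Sysmon Event ID 1 conventions; this is an assumption."""

from typing import Iterable


def is_conhost(event: dict) -> bool:
    """Process is conhost.exe by image path, or by PE OriginalFileName so that
    a renamed copy of the binary is still matched."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").upper()
    return image.endswith("\\conhost.exe") or original == "CONHOST.EXE"


def matches_headless_powershell(event: dict) -> bool:
    """True when a conhost process is started with '--headless' and the command
    line also references powershell (both checks case-insensitive)."""
    cmd = event.get("CommandLine", "").lower()
    return is_conhost(event) and "--headless" in cmd and "powershell" in cmd


def find_hits(events: Iterable[dict]) -> list:
    """Return every event that satisfies the rule."""
    return [e for e in events if matches_headless_powershell(e)]


# Constructed sample events (assumed shapes, not captured logs).
SAMPLE_EVENTS = [
    # true positive: headless conhost wrapping PowerShell
    {"Image": r"C:\Windows\System32\conhost.exe", "OriginalFileName": "CONHOST.EXE",
     "CommandLine": r'conhost.exe --headless powershell.exe -NoProfile -Command "Get-Date"'},
    # benign: the ordinary console host start, no --headless
    {"Image": r"C:\Windows\System32\conhost.exe", "OriginalFileName": "CONHOST.EXE",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    # benign: another program's unrelated --headless flag, not conhost
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "OriginalFileName": "chrome.exe",
     "CommandLine": r"chrome.exe --headless --dump-dom http://localhost/"},
    # true positive: renamed conhost, caught via OriginalFileName
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "CONHOST.EXE",
     "CommandLine": r"svc.exe --headless powershell.exe -c Get-Process"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

The second and third samples show the two conditions that keep the rule narrow: '--headless' alone is not enough, and the flag has to belong to a conhost process.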
Categories
  • Windows
Data Sources
  • Process
Created: 2024-07-23