
Summary
This detection rule identifies activity associated with script droppers that use the Windows Script Host (WSH) engines, WScript and CScript. It watches for files ending in script-related extensions (.jse, .vbe, .js, .vba and .vbs) being invoked through the WScript or CScript executables, and treats such files appearing in common user directories or in the ProgramData directory as a sign of potential misuse, a pattern commonly seen in payload delivery across a range of attack scenarios. The rule maps to the command-execution techniques T1059.005 (Cross-Platform Scripting) and T1059.007 (VBA), which places it within well-known attack patterns. It is categorized under file events on the Windows platform, targeting files created or manipulated by these scripting engines, so that defenders can identify dropper activity that may lead to further exploitation.
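The logic described above, reduced to a runnable check over constructed sample records, as an added example that is not the rule's own definition or code: it assumes Sysmon-style file-event fields (Image for the creating process, TargetFilename for the file written), a pipe-separated key=value log format that is invented here for illustration, and the extension and directory lists given in the summary.

```python
from dataclasses import dataclass

# Extensions named in the rule summary.
SCRIPT_EXTENSIONS = (".jse", ".vbe", ".js", ".vba", ".vbs")
# Windows Script Host engines; matched on the image name only, so the
# System32 and SysWOW64 copies are both covered.
WSH_ENGINES = ("\\wscript.exe", "\\cscript.exe")
# Locations the summary singles out: user profiles and ProgramData.
SUSPICIOUS_ROOTS = ("c:\\users\\", "c:\\programdata\\")


@dataclass
class FileEvent:
    image: str            # process that wrote the file (assumed field name)
    target_filename: str  # full path of the written file (assumed field name)


def parse_events(log_text):
    """Parse constructed 'Image=...|TargetFilename=...' lines into FileEvents."""
    events = []
    for line in log_text.strip().splitlines():
        fields = {}
        for part in line.split("|"):
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
        if "Image" in fields and "TargetFilename" in fields:
            events.append(FileEvent(fields["Image"], fields["TargetFilename"]))
    return events


def is_wsh_script_drop(ev):
    """True when a WSH engine writes a script file into a user or ProgramData path."""
    image = ev.image.lower()
    target = ev.target_filename.lower()
    if not image.endswith(WSH_ENGINES):
        return False                      # not written by wscript/cscript
    if not target.endswith(SCRIPT_EXTENSIONS):
        return False                      # not a script-type file
    return target.startswith(SUSPICIOUS_ROOTS)


def find_matches(events):
    """Return the events that satisfy all three conditions of the rule."""
    return [ev for ev in events if is_wsh_script_drop(ev)]


# Constructed sample log: two true positives and three non-matching records
# (wrong extension, non-WSH writer, and a directory outside the watched roots).
SAMPLE_LOG = r"""
Image=C:\Windows\System32\wscript.exe|TargetFilename=C:\Users\alice\AppData\Local\Temp\invoice.js
Image=C:\Windows\SysWOW64\cscript.exe|TargetFilename=C:\ProgramData\update.vbs
Image=C:\Windows\System32\wscript.exe|TargetFilename=C:\Users\alice\Downloads\report.pdf
Image=C:\Program Files\Vendor\app.exe|TargetFilename=C:\Users\bob\Documents\macro.vbs
Image=C:\Windows\System32\cscript.exe|TargetFilename=C:\Windows\Temp\tool.vbe
"""

if __name__ == "__main__":
    for hit in find_matches(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {hit.image} wrote {hit.target_filename}")
```

All three conditions must hold for an alert: the writing process is a WSH engine, the file carries one of the listed extensions, and the path sits under a user profile or ProgramData. In practice the directory condition is where tuning happens; software that legitimately stages .vbs helpers under ProgramData will need an allowlist on the full path rather than a loosening of the extension or engine checks.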
Categories
- Windows
- Endpoint
Data Sources
- File
Created: 2022-01-10