Suspicious Execution from a Mounted Device

Elastic Detection Rules

Summary
This detection rule identifies potentially malicious activity on Windows hosts where script interpreters or signed system binaries are executed from non-standard locations such as mounted devices or network shares. Attackers use this tactic to evade detection and run harmful scripts or commands. The rule is written in Event Query Language (EQL) and looks for process executions whose working directory is not a standard local path (such as 'C:\') and whose parent process is explorer.exe. It carries a risk score of 47; matching events warrant further investigation, with particular attention to the executable path and the context in which it ran.

Investigation involves reviewing the event details, analysing the command line arguments, and correlating the alert with other security alerts, while watching for false positives caused by legitimate software activity.

Recommended responses include isolating affected systems, terminating suspicious processes, performing forensic analysis, and strengthening monitoring for similar activity in the future.
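As an added illustration (not Elastic's rule text, which this page does not reproduce), the following Python approximates the logic the summary describes and runs it over constructed process events. The watched-binary list, the ECS-style field names and the sample events are assumptions made here; the list is derived from the ATT&CK sub-techniques the page lists.

```python
import re

# Assumed watch list, derived from the sub-techniques this page lists
# (T1218.005 mshta, .010 regsvr32, .011 rundll32, T1059.001 PowerShell,
# T1059.003 cmd). The real rule's list may differ.
WATCHED_BINARIES = {"mshta.exe", "regsvr32.exe", "rundll32.exe",
                    "powershell.exe", "pwsh.exe", "cmd.exe"}

# "Standard local path" is read, as in the summary, as the C:\ volume; other
# drive letters (mounted devices) and UNC paths (\\server\share) are not.
LOCAL_PATH = re.compile(r"^C:\\", re.IGNORECASE)


def is_suspicious(event: dict) -> bool:
    """True when a process-start event meets all of the rule's conditions."""
    proc = event.get("process", {})
    if event.get("event", {}).get("type") != "start":
        return False
    if proc.get("parent", {}).get("name", "").lower() != "explorer.exe":
        return False
    if proc.get("name", "").lower() not in WATCHED_BINARIES:
        return False
    cwd = proc.get("working_directory", "")
    return bool(cwd) and not LOCAL_PATH.match(cwd)  # empty cwd: unknown, not a hit


def triage(events: list) -> list:
    """(executable, working_directory) for each hit: the fields to review first."""
    return [(e["process"]["executable"], e["process"]["working_directory"])
            for e in events if is_suspicious(e)]


def make_event(name, exe, cwd, parent="explorer.exe", etype="start"):
    """Build a constructed ECS-style event (sample data, not real telemetry)."""
    return {"event": {"type": etype},
            "process": {"name": name, "executable": exe,
                        "working_directory": cwd, "parent": {"name": parent}}}


# Constructed samples: one local run, two hits, two near-misses.
SAMPLE_EVENTS = [
    make_event("cmd.exe", r"C:\Windows\System32\cmd.exe", r"C:\Users\alice"),
    make_event("mshta.exe", r"C:\Windows\System32\mshta.exe", "E:\\"),
    make_event("PowerShell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"\\fileserver\share\tools"),
    make_event("rundll32.exe", r"C:\Windows\System32\rundll32.exe", "D:\\", parent="svchost.exe"),
    make_event("notepad.exe", r"C:\Windows\System32\notepad.exe", "E:\\"),
]
```

The two near-misses show the rule's scope: a watched binary launched from a mounted volume by a parent other than explorer.exe, or an unwatched binary from the same volume, does not alert, which is where complementary rules or tuning come in.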
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • File
  • Windows Registry
  • Service
  • Application Log
ATT&CK Techniques
  • T1218
  • T1218.005
  • T1218.010
  • T1218.011
  • T1059
  • T1059.001
  • T1059.003
Created: 2021-05-28