
Suspicious Managed Code Hosting Process

Elastic Detection Rules

Summary
The rule identifies a suspicious managed code hosting process, which can indicate code injection or another form of unexpected code execution on Windows hosts. It targets processes such as wscript.exe, cscript.exe, mshta.exe and others that do not normally host .NET managed code, using an Elastic Query Language (EQL) query that correlates the start of one of these processes with a later file event for that process that is not a deletion; the rule's default lookback is nine minutes (now-9m). The risk score is 73, so the severity is high: a process unexpectedly hosting managed code is a common sign of adversary code execution and maps to ATT&CK T1055 (Process Injection). The investigation guide covers reviewing process execution logs, correlating the activity with the user who ran it, and examining the process's network communications. Legitimate administrative tasks can trigger the rule, and the guide recommends handling such cases so they do not produce unnecessary alerts rather than disabling the rule. The response section emphasizes isolating and analyzing affected systems and continuing to monitor for similar activity.
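The following is an added example, not Elastic's rule or code, that re-implements the correlation described above in Python over a handful of constructed events. It assumes specifics that this page does not show: that the sequence matches a process start for one of the named host binaries followed, within five minutes and for the same process.entity_id, by a non-deletion file event on a file named "<process name>.log" (the .NET CLR usage log that appears when a process loads managed code); the process list, window and field names below are therefore assumptions for illustration.

```python
"""Added example (not Elastic's code): the rule's process-start -> file-event
correlation over constructed, ECS-like events.

Assumptions (not stated on the page): host processes are the eight below,
the match window is five minutes, and the second event is a non-deletion
file event for "<process name>.log", the CLR usage log a process writes
only when it loads managed code.
"""
from datetime import datetime, timedelta

# Assumed list of binaries that should not normally host managed code.
HOST_PROCESSES = {
    "wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe",
    "regsvr32.exe", "svchost.exe", "dllhost.exe", "cmstp.exe",
}
# Assumed CLR usage log names, one per host process (e.g. "mshta.exe.log").
USAGE_LOG_NAMES = {p + ".log" for p in HOST_PROCESSES}
MAXSPAN = timedelta(minutes=5)  # assumed sequence window


def find_suspicious_managed_hosts(events):
    """Return (entity_id, process name, file name) for each matching sequence.

    A match is a start of a HOST_PROCESSES binary followed, for the same
    process.entity_id and within MAXSPAN, by a file event whose event.type is
    not "deletion" and whose file.name is one of USAGE_LOG_NAMES.
    """
    ordered = sorted(events, key=lambda e: e["@timestamp"])
    pending = {}  # entity_id -> (start time, process name)
    hits = []
    for ev in ordered:
        ts = datetime.fromisoformat(ev["@timestamp"])
        eid = ev["process.entity_id"]
        if ev["event.category"] == "process" and ev["event.type"] == "start":
            name = ev["process.name"].lower()
            if name in HOST_PROCESSES:
                pending[eid] = (ts, name)
        elif ev["event.category"] == "file" and ev["event.type"] != "deletion":
            if eid not in pending:
                continue  # no monitored host start seen for this process
            start_ts, name = pending[eid]
            if ts - start_ts > MAXSPAN:
                pending.pop(eid)  # window expired, no match
                continue
            if ev["file.name"].lower() in USAGE_LOG_NAMES:
                hits.append((eid, name, ev["file.name"]))
                pending.pop(eid)
    return hits


# Constructed sample events covering a hit and three non-matching cases.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-01T10:00:00", "event.category": "process",
     "event.type": "start", "process.entity_id": "p-1001",
     "process.name": "mshta.exe"},
    # CLR usage log created 30 s after mshta.exe started -> match
    {"@timestamp": "2024-01-01T10:00:30", "event.category": "file",
     "event.type": "creation", "process.entity_id": "p-1001",
     "process.name": "mshta.exe", "file.name": "mshta.exe.log"},
    {"@timestamp": "2024-01-01T10:01:00", "event.category": "process",
     "event.type": "start", "process.entity_id": "p-1002",
     "process.name": "cscript.exe"},
    # deletion events are excluded by the rule -> no match
    {"@timestamp": "2024-01-01T10:01:10", "event.category": "file",
     "event.type": "deletion", "process.entity_id": "p-1002",
     "process.name": "cscript.exe", "file.name": "cscript.exe.log"},
    {"@timestamp": "2024-01-01T10:02:00", "event.category": "process",
     "event.type": "start", "process.entity_id": "p-1003",
     "process.name": "svchost.exe"},
    # outside the five-minute window -> no match
    {"@timestamp": "2024-01-01T10:12:30", "event.category": "file",
     "event.type": "creation", "process.entity_id": "p-1003",
     "process.name": "svchost.exe", "file.name": "svchost.exe.log"},
    {"@timestamp": "2024-01-01T10:03:00", "event.category": "process",
     "event.type": "start", "process.entity_id": "p-1004",
     "process.name": "powershell.exe"},
    # powershell.exe legitimately hosts managed code and is not monitored
    {"@timestamp": "2024-01-01T10:03:05", "event.category": "file",
     "event.type": "creation", "process.entity_id": "p-1004",
     "process.name": "powershell.exe", "file.name": "powershell.exe.log"},
]


if __name__ == "__main__":
    for eid, proc, fname in find_suspicious_managed_hosts(SAMPLE_EVENTS):
        print(f"ALERT entity={eid} process={proc} usage_log={fname}")
```

Running the block reports only the mshta.exe case; the deletion, the event outside the window and the PowerShell process are all ignored, which is the tuning point to keep in mind when triaging: a hit means a process that should not be running .NET code wrote a usage log shortly after starting, not merely that the log file exists.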
Categories
  • Endpoint
  • Windows
  • Cloud
  • On-Premise
Data Sources
  • Process
  • File
  • Windows Registry
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1055
Created: 2020-08-21