
Suspicious PowerShell Execution via Windows Scripts

Elastic Detection Rules

Summary
This detection rule identifies suspicious PowerShell execution launched from the Windows Script Host processes cscript.exe or wscript.exe. It combines several conditions, evaluating the command-line arguments, the execution context and the parent process name, to flag potentially malicious command execution. The goal is to catch PowerShell being abused to run obfuscated scripts while keeping false positives low by excluding known legitimate usage. The detection draws on logs from sources such as Winlogbeat, Sysmon and Microsoft Defender to monitor for execution patterns indicative of malicious activity. The rule carries a risk score of 73, a high severity classification, so matches warrant immediate investigation.
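As an added illustration (not Elastic's rule logic or its query), the parent-process, child-process and command-line checks the summary describes, applied to constructed process-creation events in Python. The indicator flags, the allow-listed script directory and the sample events are assumptions made for this example.

```python
import re

# Constructed sample process-creation events (not real telemetry). Each has the
# parent process name, the child process name and the child's command line.
# "QQBCAEMA" is a placeholder base64 value, not a real payload.
SAMPLE_EVENTS = [
    {"parent": "wscript.exe", "name": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -EncodedCommand QQBCAEMA"},
    {"parent": "cscript.exe", "name": "powershell.exe",
     "cmd": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
    {"parent": "explorer.exe", "name": "powershell.exe",
     "cmd": "powershell.exe -EncodedCommand QQBCAEMA"},
    {"parent": "cscript.exe", "name": "powershell.exe",
     "cmd": "powershell.exe -NoProfile -Command Get-Date"},
]

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Assumed indicators of an obfuscated or evasive invocation; the published
# rule's exact conditions are not reproduced here.
ENCODED_FLAG = re.compile(r"^-e(c|nc|ncodedcommand)?$", re.I)
WINDOW_FLAG = re.compile(r"^-w(indowstyle)?$", re.I)

# Assumed allow-list standing in for the rule's known-legitimate exclusions.
ALLOWED_SCRIPT_DIRS = ("c:\\scripts\\",)


def find_indicators(event):
    """Return the reasons an event matches; an empty list means no alert."""
    if event["parent"].lower() not in SCRIPT_HOSTS:
        return []  # rule scope: only PowerShell spawned by a script host
    if event["name"].lower() not in POWERSHELL:
        return []
    tokens = event["cmd"].split()
    reasons = []
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        # Exclusion: scripts run from an approved directory are known-good.
        if tok.lower() == "-file" and nxt.startswith(ALLOWED_SCRIPT_DIRS):
            return []
        if ENCODED_FLAG.match(tok):
            reasons.append("encoded command")
        elif WINDOW_FLAG.match(tok) and nxt == "hidden":
            reasons.append("hidden window")
    return reasons


def scan(events):
    """Map event index to its indicator list for every event that should alert."""
    return {i: r for i, e in enumerate(events) if (r := find_indicators(e))}
```

Only the first event alerts: the explorer.exe-launched instance is outside the rule's parent-process scope, and the allow-listed script path suppresses the second event even though it uses an execution-policy override.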
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Script
  • Application Log
ATT&CK Techniques
  • T1059
  • T1059.001
  • T1059.005
Created: 2024-09-09