
Summary
This detection rule identifies suspicious PowerShell invocations that originate from script engines, specifically the Windows Script Host (WSH) components wscript.exe and cscript.exe. These components are legitimately used to run scripts, but attackers can also use them to deliver malicious payloads while evading detection. The rule matches process-creation events in which the parent image is wscript.exe or cscript.exe and the invoked image is powershell.exe or pwsh.exe. An additional filter excludes Microsoft Operations Manager (MOM) activity and other benign scripts that would otherwise cause false positives. The rule is primarily intended to surface abnormal execution patterns that may indicate a non-malware attack in which PowerShell is used as a scripting tool, for example for data exfiltration or command execution after a compromise. Monitoring such parent/child process pairs gives security teams insight into possible misuse of legitimate Windows components, so they can investigate and respond when suspicious activity is detected.
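The parent/child matching logic described above, applied to constructed Sysmon-style process-creation events, as an added example that is not the rule's own code. The field names (ParentImage, Image, CurrentDirectory) follow Sysmon Event ID 1, and the MOM exclusion substring is an illustrative assumption, since the page does not give the rule's actual filter value.

```python
# Added example: WSH-parent -> PowerShell-child detection over sample events.
from typing import Dict, List

WSH_PARENTS = ("\\wscript.exe", "\\cscript.exe")
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")
# ASSUMPTION: illustrative stand-in for the Operations Manager agent's working
# directory; the page only states that MOM activity is excluded.
MOM_EXCLUSION_SUBSTRING = "\\health service state\\"


def is_suspicious_wsh_powershell(event: Dict[str, str]) -> bool:
    """True when wscript/cscript spawns PowerShell and the MOM filter does not apply."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cwd = event.get("CurrentDirectory", "").lower()
    if not parent.endswith(WSH_PARENTS):
        return False  # parent is not a Windows Script Host engine
    if not image.endswith(POWERSHELL_IMAGES):
        return False  # child is not powershell.exe / pwsh.exe
    if MOM_EXCLUSION_SUBSTRING in cwd:
        return False  # benign: Operations Manager agent scripts (assumed filter)
    return True


def run_detection(events: List[Dict[str, str]]) -> List[str]:
    """Return the ProcessIds of events that match the rule, for triage."""
    return [e["ProcessId"] for e in events if is_suspicious_wsh_powershell(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": "1001", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CurrentDirectory": r"C:\Users\alice\Downloads"},
    {"ProcessId": "1002", "ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CurrentDirectory": r"C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Temp"},
    {"ProcessId": "1003", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CurrentDirectory": r"C:\Users\alice"},
    {"ProcessId": "1004", "ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CurrentDirectory": r"C:\Temp"},
]

if __name__ == "__main__":
    print(run_detection(SAMPLE_EVENTS))  # ['1001']
```

Only event 1001 fires: 1002 is suppressed by the assumed MOM filter, 1003 has a non-WSH parent, and 1004 spawns cmd.exe rather than PowerShell.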
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2019-01-16