
Summary
This detection rule identifies instances where a Windows script host, specifically wscript.exe or cscript.exe, initiates a network connection to a local address. Such activity often indicates potentially malicious behavior, as attackers may use these script interpreters to download or execute harmful scripts from a shared folder, bypassing some security controls. The rule captures events that show the script host attempting to connect to local IP ranges, which are generally considered internal network addresses. Because scripts are also used legitimately, the rule documents some known false positive scenarios, such as legitimate scripts that rely on network connections. The detection uses a straightforward condition: it looks for connections initiated by specific executable images (wscript.exe and cscript.exe) and restricts the match to common local IP address ranges.
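As an added illustration (not the rule's own query or the project's code), the following Python applies the same condition to constructed network-connection events modelled on Sysmon Event ID 3 field names (Image, DestinationIp, Initiated); the set of "local" ranges used here is an assumption, since the summary does not list the exact ranges.

```python
import ipaddress
from typing import Iterable, List

# Destination ranges treated as "local" in this example. The rule summary only
# says "common local IP address ranges", so this list is an assumption.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
# Script host images the rule is concerned with (matched on the file name).
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")


def is_local(ip: str) -> bool:
    """Return True if the address falls inside one of LOCAL_RANGES."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # malformed or empty field: not a local hit
        return False
    return any(addr in net for net in LOCAL_RANGES)


def matches(event: dict) -> bool:
    """Apply the rule condition to one connection event (Sysmon EID 3 style)."""
    image = str(event.get("Image", "")).lower()
    if not image.endswith(SCRIPT_HOSTS):
        return False
    # Only outbound connections initiated by the script host are of interest.
    if str(event.get("Initiated", "true")).lower() != "true":
        return False
    return is_local(str(event.get("DestinationIp", "")))


def find_matches(events: Iterable[dict]) -> List[dict]:
    """Return the subset of events that satisfy the detection condition."""
    return [e for e in events if matches(e)]


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\wscript.exe", "DestinationIp": "192.168.1.20", "Initiated": "true"},
    {"Image": "C:\\Windows\\System32\\cscript.exe", "DestinationIp": "8.8.8.8", "Initiated": "true"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "10.0.0.5", "Initiated": "true"},
    {"Image": "C:\\Windows\\SysWOW64\\cscript.exe", "DestinationIp": "10.10.0.7", "Initiated": "true"},
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["DestinationIp"])
```

Tuning for the documented false positives would be done by exempting known script paths or destinations before the `is_local` check.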
Categories
- Endpoint
- Windows
Data Sources
- Script
- Network Traffic
ATT&CK Techniques
- T1105
Created: 2022-08-28