
Script Connected to External Destination - Windows

Anvilogic Forge

Summary
This detection rule identifies instances where Windows script interpreters and script-hosting binaries, such as wscript.exe, cscript.exe, mshta.exe and rundll32.exe, establish connections to external IP addresses. Such connections can indicate command and control (C2) communications, data exfiltration, or unauthorized downloads. The rule leverages Sysmon Event ID 3 (network connection) to monitor connection attempts made by these binaries. A regex filter excludes connections to internal IP ranges, focusing the detection on outbound traffic that could suggest adversarial behavior. The rule output includes the timestamp, host, user, parent process details, and the destination IP and hostname, helping security teams investigate possible threats and take appropriate action.
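The following is an added example of the logic the summary describes, re-implemented in Python over constructed Sysmon records; it is not the Anvilogic Forge rule itself. Field names follow Sysmon's Event ID 1 (process create) and Event ID 3 (network connection) schemas, and every record is constructed. Two details are assumptions that go beyond the page: the example also drops connections the interpreter did not initiate (`Initiated=false`), and, because Sysmon Event ID 3 carries no parent-process fields, it joins Event ID 3 to Event ID 1 on `ProcessGuid` to supply the parent details the rule reports. The `regex_internal` function shows an IPv4-only exclusion regex in the spirit of the rule's filter; `is_internal` is the stricter check the detector actually uses, so IPv6 destinations are handled as well.

```python
"""Added example: script-interpreter-to-external-destination detection over
constructed Sysmon records. Not the Anvilogic Forge rule; field names follow
Sysmon Event ID 1 / Event ID 3, and all sample records below are constructed."""
import ipaddress
import ntpath
import re

# Binaries named on the page, matched on the image basename (case-insensitive).
WATCHED_IMAGES = {"wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}

# IPv4-only exclusion regex in the spirit of the rule's internal-range filter.
INTERNAL_V4_RE = re.compile(
    r"^(?:10\.|127\.|169\.254\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.)"
)


def regex_internal(ip: str) -> bool:
    """Regex check alone: matches RFC 1918/loopback/link-local IPv4 but says
    nothing about IPv6 destinations such as fe80::1 (see is_internal)."""
    return INTERNAL_V4_RE.match(ip) is not None


def is_internal(ip: str) -> bool:
    """Exclusion used by detect(): anything not globally routable (RFC 1918,
    loopback, link-local, fc00::/7, documentation ranges, ...). Unparseable
    values are treated as internal so a malformed field cannot raise an alert."""
    try:
        return not ipaddress.ip_address(ip).is_global
    except ValueError:
        return True


def detect(events):
    """One alert per outbound connection from a watched image to an external
    address, enriched with parent fields joined from Event ID 1 on ProcessGuid
    (Event ID 3 itself has no parent-process fields)."""
    parents = {
        ev["ProcessGuid"]: (ev.get("ParentImage"), ev.get("ParentCommandLine"))
        for ev in events if ev.get("EventID") == 1
    }
    alerts = []
    for ev in events:
        if ev.get("EventID") != 3:
            continue
        # Assumption (not on the page): only connections the process initiated.
        if str(ev.get("Initiated", "true")).lower() != "true":
            continue
        if ntpath.basename(ev.get("Image", "")).lower() not in WATCHED_IMAGES:
            continue
        dst = ev.get("DestinationIp", "")
        if is_internal(dst):
            continue
        parent_image, parent_cmdline = parents.get(ev.get("ProcessGuid"), (None, None))
        alerts.append({
            "time": ev.get("UtcTime"), "host": ev.get("Computer"), "user": ev.get("User"),
            "image": ev.get("Image"), "pid": ev.get("ProcessId"),
            "parent_image": parent_image, "parent_cmdline": parent_cmdline,
            "dest_ip": dst, "dest_host": ev.get("DestinationHostname"),
            "dest_port": ev.get("DestinationPort"),
        })
    return alerts


# ---- constructed sample telemetry (not real logs) ------------------------
WSCRIPT = r"C:\Windows\System32\wscript.exe"
CSCRIPT = r"C:\Windows\System32\cscript.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
RUNDLL32 = r"C:\Windows\System32\rundll32.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"


def net(image, dst, guid, initiated=True):
    """Build a constructed Event ID 3 record with the fields the rule reports."""
    return {"EventID": 3, "UtcTime": "2024-02-09 10:14:05.330", "Computer": "WS01.corp.example",
            "ProcessGuid": guid, "ProcessId": 4412, "Image": image, "User": r"CORP\alice",
            "Initiated": "true" if initiated else "false", "DestinationIp": dst,
            "DestinationHostname": "", "DestinationPort": 443}


PROC_CREATE_WSCRIPT = {  # Event ID 1 for the wscript process, supplies the parent
    "EventID": 1, "UtcTime": "2024-02-09 10:14:02.101", "Computer": "WS01.corp.example",
    "ProcessGuid": "{a1}", "ProcessId": 4412, "Image": WSCRIPT, "User": r"CORP\alice",
    "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.js"',
    "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    "ParentCommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docm"',
}

SAMPLE_EVENTS = [
    PROC_CREATE_WSCRIPT,
    net(WSCRIPT, "93.184.216.34", "{a1}"),        # public IPv4: alert, parent enriched
    net(CSCRIPT, "10.0.0.5", "{b2}"),             # RFC 1918: excluded
    net(MSHTA, "fe80::1", "{c3}"),                # IPv6 link-local: excluded (regex alone misses it)
    net(RUNDLL32, "2606:4700::1111", "{d4}"),     # public IPv6, no Event ID 1 seen: alert, parent unknown
    net(CHROME, "93.184.216.34", "{e5}"),         # not a watched image
    net(WSCRIPT, "93.184.216.34", "{a1}", initiated=False),  # inbound: excluded
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the module prints two alerts: the wscript.exe connection carrying WINWORD.EXE as its parent, and the rundll32.exe connection with no parent fields because no Event ID 1 was seen for that ProcessGuid. The IPv6 link-local case is the reason to prefer an address-aware check over a bare IPv4 regex when the rule is ported between platforms.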
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
  • Network Traffic
  • Process
ATT&CK Techniques
  • T1059
  • T1041
Created: 2024-02-09