This detection rule identifies instances where the legitimate Windows utility msxsl.exe is making network connections. Adversaries may leverage msxsl.exe to execute malicious scripts and evade detection by establishing connections to suspicious or non-local IP addresses. The rule triggers on the sequence of process creation and corresponding network activity, specifically looking for msxsl.exe execution followed by outbound network calls that do not align with the standard local IP address ranges. By monitoring these events in Windows environments, security teams can recognize potential unauthorized data exfiltration or command and control communications. Investigative steps provided in the accompanying notes aim to guide analysts through identifying legitimate uses versus potential adversarial behaviors associated with msxsl.exe, highlighting various scenarios that may lead to false positives and outlining appropriate incident response measures to mitigate risk and protect network integrity.