
Summary
This detection rule monitors outbound network connections initiated by the Windows script interpreters wscript.exe and cscript.exe. Its primary objective is to detect potentially malicious behavior in which adversaries use scripts to connect to external servers and download harmful payloads. The rule filters connection logs for destinations that fall outside local address ranges and known Microsoft-owned IP ranges, flagging the remaining outbound activity as suspicious. Because scripting languages can automate tasks and interact with network protocols, detecting such connections is an important early measure against command-and-control (C2) tactics commonly employed by attackers.
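The filtering logic described above, as an added illustration that is not the rule's own query: it runs over constructed Sysmon Event ID 3 style records, keeps connections started by wscript.exe or cscript.exe, and drops destinations in local ranges or in a stand-in list for Microsoft-owned ranges (the Microsoft prefixes here are placeholders, not real Microsoft allocations).

```python
import ipaddress
from typing import Iterable

# Script interpreters the rule watches (named in the rule description).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Private, loopback and link-local ranges treated as "local" traffic.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# PLACEHOLDER: the real rule uses Microsoft's published IP ranges; this
# constructed TEST-NET prefix only stands in for such an allowlist entry.
MICROSOFT_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def is_excluded(dest: str) -> bool:
    """True when the destination is local or in the Microsoft allowlist."""
    addr = ipaddress.ip_address(dest)
    return any(addr in net for net in LOCAL_RANGES + MICROSOFT_RANGES)


def detect(events: Iterable[dict]) -> list[dict]:
    """Return the network-connection events that match the rule."""
    hits = []
    for ev in events:
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image not in SCRIPT_HOSTS:
            continue                 # not a script interpreter
        if not ev.get("Initiated", False):
            continue                 # inbound connection, not script-initiated
        if is_excluded(ev["DestinationIp"]):
            continue                 # local or allowlisted destination
        hits.append(ev)
    return hits


# Constructed sample events (Sysmon Event ID 3 field names, values made up).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "Initiated": True,
     "DestinationIp": "192.168.1.20", "DestinationPort": 445},
    {"Image": r"C:\Windows\System32\cscript.exe", "Initiated": True,
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\wscript.exe", "Initiated": True,
     "DestinationIp": "203.0.113.5", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\powershell.exe", "Initiated": True,
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\wscript.exe", "Initiated": False,
     "DestinationIp": "198.51.100.9", "DestinationPort": 8080},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["DestinationIp"])
```

Legitimate logon and inventory scripts also produce such connections, so in practice the exclusion lists are tuned per environment rather than fixed as here.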
Categories
- Endpoint
- Windows
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1105
Created: 2022-08-28