
Summary
This detection rule identifies suspicious script executions launched from compressed files through Windows Explorer or archive utilities such as WinRAR and 7-Zip. It focuses on the execution of 'wscript.exe' or 'cscript.exe', the Windows script hosts that can run scripts in various formats, including JavaScript. The rule is designed to capture a .js file being extracted and executed directly from a compressed file, specifically the parent-child process relationship in which Explorer or the archive utility spawns the script host, as seen in Cisco Network Visibility Module (NVM) flow data. The monitored behavior is indicative of potential malware activity, including tactics used by threat actors such as Scarlet Goldfinch, who use this method for initial access to systems. The detection uses key process names and arguments to narrow down potentially malicious activity and links the script extraction to the outbound network connections the script then initiates.
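The following is an added illustration of the logic described above, not the rule's own source: a minimal detector run over constructed, simplified NVM-style flow records. The field names (`process_name`, `parent_process_name`, `process_args`, `dest_ip`) and the temporary extraction path prefixes are assumptions, not the actual Cisco NVM schema.

```python
import re

# Script hosts the rule watches and the parents that indicate an archive launch.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ARCHIVE_PARENTS = {"explorer.exe", "winrar.exe", "7zfm.exe", "7z.exe"}

# Where a .js lands when opened straight from an archive window. The
# Temp\Rar$..., Temp\7z... and Temp\Temp1_... prefixes are assumptions that
# model WinRAR, 7-Zip and Explorer's built-in zip handling respectively.
JS_FROM_ARCHIVE = re.compile(
    r"\\temp\\(?:rar\$|7z|temp\d+_)[^\\]*\\[^\\]+\.js\b", re.IGNORECASE
)


def is_suspicious(flow: dict) -> bool:
    """True when a script host spawned by Explorer or an archive utility runs a
    .js from a temporary extraction path and the record shows an outbound flow."""
    proc = flow.get("process_name", "").lower()
    parent = flow.get("parent_process_name", "").lower()
    args = flow.get("process_args", "")
    if proc not in SCRIPT_HOSTS or parent not in ARCHIVE_PARENTS:
        return False
    if not JS_FROM_ARCHIVE.search(args):
        return False
    # A populated destination means the script host opened a network connection.
    return bool(flow.get("dest_ip"))


def detect(flows):
    """Return the subset of flow records that match the rule logic."""
    return [f for f in flows if is_suspicious(f)]


# Constructed sample records (not real telemetry); documentation IP ranges used.
SAMPLE_FLOWS = [
    {"process_name": "wscript.exe", "parent_process_name": "WinRAR.exe",
     "process_args": r'"C:\Users\u\AppData\Local\Temp\Rar$DIa1.234\invoice.js"',
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"process_name": "cscript.exe", "parent_process_name": "explorer.exe",
     "process_args": r'"C:\Users\u\AppData\Local\Temp\Temp1_docs.zip\update.js"',
     "dest_ip": "198.51.100.5", "dest_port": 80},
    {"process_name": "wscript.exe", "parent_process_name": "cmd.exe",  # not archive-launched
     "process_args": r'"C:\scripts\logon.js"', "dest_ip": "192.0.2.1", "dest_port": 445},
    {"process_name": "explorer.exe", "parent_process_name": "userinit.exe",
     "process_args": "", "dest_ip": "192.0.2.2", "dest_port": 445},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_FLOWS):
        print("ALERT:", hit["parent_process_name"], "->", hit["process_name"], hit["dest_ip"])
```

A script host run from the same archive path but with no destination address in the record is deliberately not flagged, since the rule ties the extraction to an outbound connection.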
Categories
- Endpoint
Data Sources
- Network Traffic
ATT&CK Techniques
- T1059.005
- T1204.002
Created: 2025-07-01