
Summary
The Gpscript Execution detection rule targets use of the GPSCRIPT.EXE binary, a legitimate Windows executable responsible for running the logon and startup scripts configured through Group Policy. The executable is categorized as a Living Off the Land Binary (LOLBIN) because it is already present on every Windows system and can be abused to run scripts of an attacker's choosing. The rule relies on process creation logs to identify executions of gpscript.exe, focusing on command line arguments that indicate a logon or startup execution context. The detection logic requires both the image name and the original filename to match 'gpscript.exe', while filtering out legitimate invocations whose parent is svchost.exe hosting the Group Policy service (gpsvc). False positives may arise from legitimate script execution through Group Policy, so activity surrounding this executable should be reviewed for anomalies (for example, unusual parent processes or user contexts) to reduce the risk of its misuse during an attack.
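As an added example that is not part of the rule or of this page, the following Python applies the logic described above to a few constructed process-creation events. The field names (Image, OriginalFileName, CommandLine, ParentImage, ParentCommandLine) are assumed Sysmon/Sigma-style names, and checking the parent command line for "gpsvc" is an assumption about how the svchost.exe exclusion is expressed; adjust both to the log source in use.

```python
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Legitimate: Group Policy service host (svchost.exe -s gpsvc) runs a logon script.
        "Image": r"C:\Windows\System32\gpscript.exe",
        "OriginalFileName": "gpscript.exe",
        "CommandLine": "gpscript.exe /logon",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s gpsvc",
    },
    {   # Suspicious: an interactive shell launches the LOLBIN with a startup context.
        "Image": r"C:\Windows\System32\gpscript.exe",
        "OriginalFileName": "gpscript.exe",
        "CommandLine": "gpscript.exe /startup",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r"C:\Windows\System32\cmd.exe /c gpscript.exe /startup",
    },
    {   # gpscript.exe without a logon/startup argument: outside the rule's scope.
        "Image": r"C:\Windows\System32\gpscript.exe",
        "OriginalFileName": "gpscript.exe",
        "CommandLine": "gpscript.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
    },
    {   # Unrelated process: never matches.
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": "notepad.exe readme.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
    },
]


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def matches_gpscript_rule(event: Dict[str, str]) -> bool:
    """Apply the detection logic described in the summary to one event."""
    image = _basename(event.get("Image", ""))
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    # Selection: both the image name and the PE original filename must be gpscript.exe.
    if image != "gpscript.exe" or original != "gpscript.exe":
        return False
    # Selection: the command line must indicate a logon or startup execution context.
    if " /logon" not in cmdline and " /startup" not in cmdline:
        return False

    # Filter: exclude the legitimate path, where svchost.exe hosting gpsvc is the parent.
    parent = _basename(event.get("ParentImage", ""))
    parent_cmdline = event.get("ParentCommandLine", "").lower()
    if parent == "svchost.exe" and "gpsvc" in parent_cmdline:
        return False
    return True


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the subset of events that the rule would alert on."""
    return [e for e in events if matches_gpscript_rule(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["CommandLine"])
```

Run against the constructed events, only the cmd.exe-spawned execution is reported; the svchost.exe/gpsvc invocation is excluded by the filter, and the argument-less execution falls outside the rule's stated scope. Because the rule as described requires the image name itself to match, a renamed copy of the binary would not fire it even though the original filename still would; that is worth keeping in mind when triaging coverage.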
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-05-16