Windows Script Execution from Archive

Elastic Detection Rules

Summary
This rule, written by Elastic, detects potentially malicious attempts to execute JScript or VBScript files that have been extracted from archives such as ZIP or RAR. It applies to Windows hosts and focuses on the process relationships involved in the script execution workflow. Archives are a common delivery vehicle for scripts that abuse legitimate Windows scripting utilities such as wscript.exe. The rule uses an EQL (Event Query Language) query over process start events that match specific criteria: parent process names belonging to common file-management and archive tools (e.g., explorer.exe, winrar.exe, 7zFM.exe) and script paths under typical temporary file locations where extracted content is written. The rule carries a moderate risk score of 47, reflecting the importance of script execution as a stage in attack chains. Its investigation guide walks analysts through verifying the script's origin, its execution pattern, and the user account involved, so that security teams can respond effectively. False positives can arise from legitimate use cases, and the recommended mitigation steps provide a path for handling confirmed incidents.
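The following is an added example that approximates the detection logic described above in Python; it is not Elastic's EQL query and is not taken from the rule itself. The parent process names (explorer.exe, winrar.exe, 7zFM.exe) come from the summary; the inclusion of cscript.exe alongside wscript.exe, the script file extensions, and the `\AppData\Local\Temp\` path pattern standing in for "typical temporary file locations" are assumptions. The sample events are constructed, not real telemetry.

```python
"""Toy model of the detection described in the summary (added example, not
the Elastic rule's own EQL). It replays constructed process-start events and
flags a Windows script host launched by an archive or file-manager parent
with a script argument that lives under a temporary extraction path.
"""
import re
from dataclasses import dataclass, field

# Parent process names taken from the page. Matching is case-insensitive
# because Windows process names are.
ARCHIVE_PARENTS = {"explorer.exe", "winrar.exe", "7zfm.exe"}

# Windows script hosts. wscript.exe is named on the page; cscript.exe is the
# console host for the same engines (assumption about the rule's scope).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# File extensions handled by the JScript/VBScript engines (assumption).
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)$", re.IGNORECASE)

# The page does not list the temporary locations, so this pattern is an
# assumption covering the per-user Temp folder on Windows.
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal view of a process event; the field names are our own."""
    event_type: str          # "start" or "end"
    process_name: str
    parent_name: str
    args: list = field(default_factory=list)
    user: str = ""


def is_script_from_archive(ev: ProcessEvent) -> bool:
    """Return True when the event matches the described criteria."""
    if ev.event_type != "start":
        return False
    if ev.process_name.lower() not in SCRIPT_HOSTS:
        return False
    if ev.parent_name.lower() not in ARCHIVE_PARENTS:
        return False
    # Any argument that is a script file under a temp path triggers.
    return any(SCRIPT_EXT.search(a) and TEMP_PATH.search(a) for a in ev.args)


def detect(events):
    """Run the check over a stream of events and return the matches."""
    return [ev for ev in events if is_script_from_archive(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Script opened straight from an archive viewer: should match.
    ProcessEvent("start", "wscript.exe", "7zFM.exe",
                 [r"C:\Windows\System32\wscript.exe",
                  r"C:\Users\alice\AppData\Local\Temp\7zO1234\invoice.js"],
                 "alice"),
    # Double-clicked .vbs extracted by Explorer: should match.
    ProcessEvent("start", "WScript.exe", "explorer.exe",
                 [r"C:\Windows\System32\WScript.exe",
                  r"C:\Users\bob\AppData\Local\Temp\report.vbs"],
                 "bob"),
    # Same script host, but launched by a scheduler outside Temp: no match.
    ProcessEvent("start", "cscript.exe", "taskeng.exe",
                 [r"cscript.exe", r"C:\Scripts\inventory.vbs"], "SYSTEM"),
    # Explorer launching a script from the Documents folder: no match
    # (this is the kind of legitimate use the summary warns about).
    ProcessEvent("start", "wscript.exe", "explorer.exe",
                 [r"wscript.exe", r"C:\Users\bob\Documents\macro.vbs"], "bob"),
    # Process end event for an otherwise matching command line: ignored.
    ProcessEvent("end", "wscript.exe", "winrar.exe",
                 [r"wscript.exe", r"C:\Users\bob\AppData\Local\Temp\x.js"],
                 "bob"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT user={hit.user} parent={hit.parent_name} "
              f"script={hit.args[-1]}")
```

Running the block prints two alerts (the 7zFM.exe and explorer.exe launches from Temp) and stays silent on the scheduler-launched script, the Documents-folder script, and the process end event, which mirrors how the described criteria keep the rule from firing on ordinary script use outside extraction folders.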
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • Windows Registry
  • User Account
  • Process
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1059
  • T1059.007
  • T1059.005
Created: 2025-08-20