
Summary
This detection rule identifies a persistence technique on Windows endpoints: a Windows Script Host process (wscript.exe or cscript.exe) writing a script file, such as a .vbs or .js file, into a Startup folder. Anything placed in a user's Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) or in the all-users Startup folder (%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp) runs automatically when a user logs on, so an attacker who drops a script there gains persistence across reboots. The rule matches file events whose originating process is one of these script hosts and whose target path falls under a Startup directory, drawing on file-system telemetry from sources such as Winlogbeat and Microsoft Defender. The accompanying investigation guidance recommends examining the process execution chain that led to the file write, checking whether the activity is consistent with the user's normal behaviour, and searching for related malicious activity to confirm a compromise. It also calls for automated response actions to contain detected threats and remediate affected hosts.
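The matching logic described above, as an added example run over constructed sample events; this is not the rule's own query or schema. The event field names (action, process_name, file_path, user), the action vocabulary, and the script extensions beyond .vbs and .js are assumptions for illustration.

```python
"""Minimal re-implementation of the detection logic described above, run over
constructed sample file events. Field names (action, process_name, file_path,
user) are assumed, not the rule's actual event schema."""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable

# Windows Script Host executables named on the page.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# .vbs and .js are the page's examples; the remaining WSH extensions are an
# assumption, added so a rename does not trivially evade the check.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

# Per-user and all-users Startup folders, matched case-insensitively after
# normalising separators. Anything under either folder counts.
STARTUP_DIR_PATTERNS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"),
    re.compile(r"^[a-z]:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\"),
]

# File actions that place a script in the folder; deletions are ignored.
# The action vocabulary is assumed.
FILE_ACTIONS = {"creation", "rename", "overwrite"}


@dataclass(frozen=True)
class FileEvent:
    action: str        # e.g. "creation"
    process_name: str  # image name of the process that produced the file event
    file_path: str     # full path of the affected file
    user: str          # account the process ran as


def normalise(path: str) -> str:
    """Lower-case and convert forward slashes so pattern matching is uniform."""
    return path.replace("/", "\\").lower()


def in_startup_dir(path: str) -> bool:
    norm = normalise(path)
    return any(p.match(norm) for p in STARTUP_DIR_PATTERNS)


def is_script_file(path: str) -> bool:
    return ntpath.splitext(normalise(path))[1] in SCRIPT_EXTENSIONS


def matches(event: FileEvent) -> bool:
    """True when a WSH process writes a script file into a Startup folder."""
    return (
        event.action.lower() in FILE_ACTIONS
        and event.process_name.lower() in SCRIPT_HOSTS
        and is_script_file(event.file_path)
        and in_startup_dir(event.file_path)
    )


def detect(events: Iterable[FileEvent]) -> list[dict]:
    """Return one alert record per matching event, in input order."""
    return [
        {"user": e.user, "process": e.process_name, "path": e.file_path}
        for e in events
        if matches(e)
    ]


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    FileEvent("creation", "wscript.exe",
              r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs", "alice"),
    FileEvent("rename", "CScript.exe",
              r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\sync.js", "SYSTEM"),
    FileEvent("creation", "wscript.exe",
              r"C:\Users\alice\Documents\report.vbs", "alice"),  # not a Startup folder
    FileEvent("creation", "explorer.exe",
              r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Outlook.lnk", "alice"),  # user-placed shortcut
    FileEvent("creation", "wscript.exe",
              r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.txt", "alice"),  # not a script type
    FileEvent("deletion", "wscript.exe",
              r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\old.vbs", "alice"),  # removal, not persistence
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT user={alert['user']} process={alert['process']} path={alert['path']}")
```

Only the first two sample events fire: the per-user .vbs creation and the all-users .js rename. The other four show the three conditions a practitioner should check when tuning the rule: the path must be a Startup folder, the writer must be a script host, and the file must be a script type. A shortcut dropped by explorer.exe falls outside this rule even though it is also a Startup-folder persistence mechanism.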
Categories
- Endpoint
- Windows
Data Sources
- File
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1547 (Boot or Logon Autostart Execution)
- T1547.001 (Registry Run Keys / Startup Folder)
- T1547.009 (Shortcut Modification)
Created: 2020-11-18