
Summary
This detection rule identifies the Microsoft scripting hosts `wscript.exe` and `cscript.exe` loading LDAP-related modules, specifically `Wldap32.dll`, `adsldp.dll`, and `adsldpc.dll`. It relies on Sysmon EventCode 7 (Image Loaded) to observe the DLL loads. A script host pulling in LDAP libraries indicates a script that queries Active Directory, a behaviour associated with the threat group FIN7, which has used Active Directory information to extend its intrusions. The rule alerts whenever one of these modules is loaded by either script host, a pattern consistent with gathering information about hosts and services registered in Active Directory. The detection gives visibility into potentially unauthorized LDAP queries and can serve as an early warning of a more complex attack.
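The matching logic described above, applied to a handful of constructed Sysmon EventCode 7 records, as an added example that is not the rule's own search. The event dictionaries, the field names (`EventCode`, `Image`, `ImageLoaded`, `Computer`) and the `detect`/`is_ldap_load_by_script_host` helpers are assumptions made for the illustration; the field names mirror Sysmon's Event 7 schema, but the records themselves are made up here.

```python
"""
Added example: Sysmon EventCode 7 (Image Loaded) records where wscript.exe or
cscript.exe loads an LDAP module. Not the rule's own search; the sample events
below are constructed for illustration.
"""
from pathlib import PureWindowsPath

# Process names and module names from the rule, compared case-insensitively
# because Windows paths and Sysmon fields vary in case.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LDAP_MODULES = {"wldap32.dll", "adsldp.dll", "adsldpc.dll"}


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path (works on any OS)."""
    return PureWindowsPath(path).name.lower()


def is_ldap_load_by_script_host(event: dict) -> bool:
    """True when an Image Loaded event shows a script host loading an LDAP DLL."""
    if str(event.get("EventCode")) != "7":      # only Sysmon Image Loaded events
        return False
    process = _basename(event.get("Image", ""))
    module = _basename(event.get("ImageLoaded", ""))
    return process in SCRIPT_HOSTS and module in LDAP_MODULES


def detect(events):
    """Run the rule over a list of events and return one alert dict per match."""
    alerts = []
    for ev in events:
        if is_ldap_load_by_script_host(ev):
            alerts.append({
                "host": ev.get("Computer", ""),
                "process": _basename(ev.get("Image", "")),
                "process_path": ev.get("Image", ""),
                "module": _basename(ev.get("ImageLoaded", "")),
                "module_path": ev.get("ImageLoaded", ""),
            })
    return alerts


# Constructed sample events (hypothetical hosts and paths, not real telemetry).
SAMPLE_EVENTS = [
    # 1. wscript.exe loading the ADSI LDAP provider: should alert
    {"EventCode": 7, "Computer": "WS01",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\System32\adsldp.dll"},
    # 2. upper-case image name, 32-bit host: should still alert
    {"EventCode": "7", "Computer": "WS02",
     "Image": r"C:\Windows\SysWOW64\CSCRIPT.EXE",
     "ImageLoaded": r"C:\Windows\SysWOW64\Wldap32.dll"},
    # 3. powershell.exe loading LDAP: outside this rule's scope, no alert
    {"EventCode": 7, "Computer": "WS03",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\System32\Wldap32.dll"},
    # 4. wscript.exe loading the VBScript engine: not an LDAP module, no alert
    {"EventCode": 7, "Computer": "WS01",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},
    # 5. wscript.exe loading adsldpc.dll: should alert
    {"EventCode": 7, "Computer": "WS04",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\System32\adsldpc.dll"},
    # 6. Process Create (EventCode 1) mentioning wscript.exe: wrong event type, no alert
    {"EventCode": 1, "Computer": "WS04",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": ""},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['host']}: {alert['process']} loaded {alert['module']} "
              f"from {alert['module_path']}")
```

Events 3, 4 and 6 show the three ways a record falls outside the rule: a different process, a non-LDAP module, and a non-Image-Loaded event. When tuning, expect benign hits from logon and administrative VBScripts that call the ADSI LDAP provider; scoping by parent process or script path is the usual way to reduce them without widening the module list.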
Categories
- Endpoint
- Windows
Data Sources
- Pod
- Process
ATT&CK Techniques
- T1059
- T1059.007
Created: 2024-11-13