Remote File Download via Script Interpreter

Elastic Detection Rules

Summary
This detection rule identifies the use of the Windows script interpreters `cscript.exe` and `wscript.exe` to download executable files from remote locations. Windows Script Host (WSH) is frequently abused by attackers to run scripts in the initial stages of an intrusion, where they commonly act as droppers for malicious payloads. The rule monitors for an outbound network connection made by one of these interpreters that is followed by the creation of an executable file on the host, i.e. a download that lands on disk. It is written in Elastic's EQL (Event Query Language) for efficient querying within the specified indices and is scoped to Windows hosts. On a match, the recommended triage is to examine the full process execution chain, look for indicators of compromise, analyze how the script and the downloaded executable interact, and collect any artifacts that support further analysis.
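The correlation the rule performs can be illustrated with a small stand-alone correlator over constructed sample events. This is an added example, not Elastic's rule or its EQL query; the event field names (`event_type`, `pid`, `process_name`, `dest_ip`, `file_path`, `ts`), the 60-second window and the executable-extension list are assumptions made for the illustration, not ECS fields or values from the rule.

```python
"""Added example (not Elastic's rule): flag cscript.exe / wscript.exe making an
outbound connection and then writing an executable file, correlated by pid."""

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
EXECUTABLE_EXT = (".exe", ".dll", ".scr")  # assumed set for this example
WINDOW_SECONDS = 60                         # assumed correlation window

# Constructed sample telemetry: timestamps are seconds, fields are hypothetical.
SAMPLE_EVENTS = [
    {"ts": 100, "event_type": "network", "pid": 4321, "process_name": "wscript.exe",
     "dest_ip": "203.0.113.10"},
    {"ts": 104, "event_type": "file", "pid": 4321, "process_name": "wscript.exe",
     "file_path": r"C:\Users\Public\update.exe"},            # download landed on disk
    {"ts": 200, "event_type": "file", "pid": 5555, "process_name": "wscript.exe",
     "file_path": r"C:\Temp\report.txt"},                    # no prior connection, not executable
    {"ts": 300, "event_type": "network", "pid": 6000, "process_name": "cscript.exe",
     "dest_ip": "198.51.100.7"},
    {"ts": 900, "event_type": "file", "pid": 6000, "process_name": "cscript.exe",
     "file_path": r"C:\Temp\tool.exe"},                      # outside the window
    {"ts": 950, "event_type": "file", "pid": 7000, "process_name": "notepad.exe",
     "file_path": r"C:\Temp\x.exe"},                         # not a script interpreter
]


def correlate(events):
    """Return one alert per executable write that follows an outbound connection
    from the same script-interpreter pid within WINDOW_SECONDS."""
    last_connect = {}  # pid -> (ts, dest_ip) of the most recent outbound connection
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["process_name"].lower() not in SCRIPT_HOSTS:
            continue
        if ev["event_type"] == "network":
            last_connect[ev["pid"]] = (ev["ts"], ev["dest_ip"])
        elif ev["event_type"] == "file" and ev["file_path"].lower().endswith(EXECUTABLE_EXT):
            conn = last_connect.get(ev["pid"])
            if conn and 0 <= ev["ts"] - conn[0] <= WINDOW_SECONDS:
                alerts.append({"pid": ev["pid"], "process_name": ev["process_name"],
                               "dest_ip": conn[1], "file_path": ev["file_path"],
                               "delta_s": ev["ts"] - conn[0]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)  # expected: a single alert for pid 4321
```

Triage of a hit would then follow the parent/child process chain for pid 4321 and the written file, as the summary above describes.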
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
  • File
ATT&CK Techniques
  • T1105
  • T1059
  • T1059.005
Created: 2020-11-29