Office Macro File Creation From Suspicious Process

Sigma Rules

Summary
This rule detects office macro files (.docm, .dotm, .xlsm, .xltm, .potm, .pptm) being created by suspicious processes that are commonly used to execute scripts or dynamic-link libraries (DLLs). It identifies those processes by monitoring file-creation events from the common Windows script hosts and command-line executors cscript.exe, mshta.exe, regsvr32.exe, rundll32.exe and wscript.exe. Two conditions must both hold: the creating process is one of those executables, and the file being created has an office macro extension. When both match, an alert is raised, because this combination is a pattern often seen in the initial-access stage of an attack. The rule relies on the ParentImage field for context; that field is not present in Sysmon EID 11 (FileCreate) by default, so the log collection must be enriched to include it before the rule is applied.
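The two-condition match described above, evaluated over a few constructed Sysmon EID 11 events (an added illustration, not the Sigma rule itself; the event dicts, field names and paths are constructed for the example):

```python
"""Toy evaluation of the rule described above over constructed Sysmon EID 11
(FileCreate) events. Added illustration, not the Sigma rule itself; the event
dicts mirror Sysmon's Image / TargetFilename / ParentImage field names but are
constructed here."""
from pathlib import PureWindowsPath

# Creating processes the rule treats as suspicious (from the rule summary).
SUSPICIOUS_IMAGES = {"cscript.exe", "mshta.exe", "regsvr32.exe",
                     "rundll32.exe", "wscript.exe"}
# Office macro-enabled file extensions (from the rule summary).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".potm", ".pptm"}


def matches_rule(event: dict) -> bool:
    """True when Image is a suspicious script/DLL host AND TargetFilename has a
    macro extension. Comparison is case-insensitive, as Windows paths are."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    ext = PureWindowsPath(event.get("TargetFilename", "")).suffix.lower()
    return image in SUSPICIOUS_IMAGES and ext in MACRO_EXTENSIONS


def evaluate(events: list[dict]) -> list[dict]:
    """Return one alert per matching event, carrying ParentImage when the log
    source was enriched with it (plain Sysmon EID 11 does not include it)."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({
                "Image": ev["Image"],
                "TargetFilename": ev["TargetFilename"],
                "ParentImage": ev.get("ParentImage", "<not enriched>"),
            })
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\invoice.docm",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"EventID": 11, "Image": r"C:\Windows\System32\RUNDLL32.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\report.XLSM"},  # no ParentImage
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\macro.docm"},  # Word itself: no alert
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\alice\notes.txt"},  # not a macro file: no alert
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The second alert shows why the enrichment note matters: without ParentImage the analyst sees only rundll32.exe, not what launched it.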
Categories
  • Endpoint
  • Windows
Data Sources
  • File
  • Process
ATT&CK Techniques
  • T1566.001
Created: 2022-01-23