
Summary
This rule identifies potentially malicious child processes spawned by WScript or CScript, the Windows script host engines. Attackers frequently abuse these legitimate system utilities, commonly referred to as LOLBINs (Living Off The Land Binaries), to run scripts that launch further tooling such as PowerShell and to evade defenses. The detection logic uses process-creation telemetry from Sysmon Event ID 1, Windows Security Event ID 4688, and CrowdStrike ProcessRollup2 to observe when these scripting engines spawn specific suspicious child processes, flagging likely malicious activity while tolerating some benign cases.
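The parent/child check described above, written out as an added example (it is not the rule's own query or code). It normalises process-creation records from the three telemetry sources the rule names into a common parent/child pair, flags children of wscript.exe or cscript.exe that appear in a suspicious-child list, and tolerates a known-benign script via an allowlist. The field names per source (ParentImage/Image, ParentProcessName/NewProcessName, ParentBaseFileName/ImageFileName), the child list beyond powershell.exe, the allowlist entry and all sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional

# Script host engines named by the rule.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# The rule text names only PowerShell; the other entries are common
# LOLBIN follow-on processes and are an assumption of this example.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
}

# Constructed tolerance list: a script path the organisation has vetted.
KNOWN_BENIGN_SCRIPTS = {r"c:\scripts\inventory\collect.vbs"}

# Assumed field names per source -> (parent image, child image, parent command line).
# Only Sysmon carries the parent's command line, so tolerance can only be
# applied to Sysmon records; 4688 and ProcessRollup2 records always alert.
FIELD_MAP = {
    "sysmon_1": ("ParentImage", "Image", "ParentCommandLine"),
    "security_4688": ("ParentProcessName", "NewProcessName", None),
    "crowdstrike_processrollup2": ("ParentBaseFileName", "ImageFileName", None),
}


@dataclass
class Alert:
    source: str
    parent: str
    child: str
    command_line: str


def basename(path: str) -> str:
    """Lower-case file name from a full Windows path or a bare image name."""
    return PureWindowsPath(path).name.lower()


def parent_is_tolerated(parent_cmdline: Optional[str]) -> bool:
    """True only when the parent command line references an allowlisted script."""
    if not parent_cmdline:
        return False
    lowered = parent_cmdline.lower()
    return any(script in lowered for script in KNOWN_BENIGN_SCRIPTS)


def evaluate(event: dict) -> Optional[Alert]:
    """Apply the rule to one normalised event; return an Alert or None."""
    fields = FIELD_MAP.get(event.get("source", ""))
    if fields is None:
        return None  # unknown telemetry source, cannot evaluate
    parent_field, child_field, parent_cmd_field = fields
    parent = basename(event.get(parent_field, ""))
    child = basename(event.get(child_field, ""))
    if parent not in SCRIPT_HOSTS or child not in SUSPICIOUS_CHILDREN:
        return None
    parent_cmd = event.get(parent_cmd_field) if parent_cmd_field else None
    if parent_is_tolerated(parent_cmd):
        return None
    return Alert(event["source"], parent, child, event.get("CommandLine", ""))


def detect(events: Iterable[dict]) -> List[Alert]:
    """Run the rule over a batch of events and collect the alerts."""
    return [alert for alert in (evaluate(e) for e in events) if alert is not None]


# Constructed sample events: two should alert, three should not.
SAMPLE_EVENTS = [
    {"source": "sysmon_1", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "ParentCommandLine": r"wscript.exe C:\Users\Public\invoice.vbs",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Users\Public\update.ps1"},
    {"source": "security_4688", "ParentProcessName": r"C:\Windows\System32\cscript.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"source": "crowdstrike_processrollup2", "ParentBaseFileName": "wscript.exe",
     "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"source": "sysmon_1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"source": "sysmon_1", "ParentImage": r"C:\Windows\System32\cscript.exe",
     "ParentCommandLine": r"cscript.exe //nologo C:\Scripts\Inventory\collect.vbs",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File collect.ps1"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.source}] {alert.parent} -> {alert.child}: {alert.command_line}")
```

The tolerance check is deliberately narrow: it keys on the parent's command line, which only Sysmon exposes, so the same benign script seen through 4688 or ProcessRollup2 still alerts. That asymmetry is the practical cost of the "tolerating some benign ones" clause and is worth knowing when tuning the rule across sources.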
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1055
- T1543
- T1134.004
- T1134
- T1059.005
Created: 2024-12-10