
Summary
This detection rule identifies when the Windows Management Console (MMC) loads scripting libraries, such as jscript.dll and vbscript.dll, to execute script code. These libraries are a standard part of Windows, but their being loaded by non-standard processes or in atypical contexts may indicate malicious activity such as script-based malware, living-off-the-land techniques, or automated attacks. The rule relies on Sysmon Event ID 7, which records DLLs loaded by processes, and focuses on image-load events in which the loading image is MMC and the loaded module is one of the specified script engines. The data collected includes command-line arguments, the parent process, and timestamps, which help distinguish legitimate administrative use from potential threats. Investigations triggered by this detection should consider the context of the process as well as any related system or network activity. MMC snap-ins commonly trigger this behavior during routine use, so alerts require careful analysis.
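As an added example (not the rule's own query or code), the Python routine below applies this logic to constructed Sysmon records: it selects Event ID 7 image loads where the process image is mmc.exe and the loaded module is jscript.dll or vbscript.dll, then joins each match to its Event ID 1 (process creation) record by ProcessGuid to attach the command line and parent process that the summary says analysts need for triage. Field names follow Sysmon's event schema; the GUIDs, paths and timestamps are constructed.

```python
import ntpath

SCRIPT_ENGINES = {"jscript.dll", "vbscript.dll"}

# Constructed Sysmon records (hypothetical GUIDs, paths and times), shaped like
# Event ID 1 (process creation) and Event ID 7 (image load) as Sysmon emits them.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-02-03 10:14:02.101", "ProcessGuid": "{guid-a}",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\eventvwr.msc',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "UtcTime": "2026-02-03 10:14:03.455", "ProcessGuid": "{guid-a}",
     "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Windows\System32\vbscript.dll", "Signed": "true"},
    {"EventID": 1, "UtcTime": "2026-02-03 10:20:11.002", "ProcessGuid": "{guid-b}",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Users\Public\console.msc',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "UtcTime": "2026-02-03 10:20:12.340", "ProcessGuid": "{guid-b}",
     "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Windows\System32\jscript.dll", "Signed": "true"},
    # Out of scope for this rule: a different image loading the same script engine.
    {"EventID": 7, "UtcTime": "2026-02-03 10:25:00.000", "ProcessGuid": "{guid-c}",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\System32\jscript.dll", "Signed": "true"},
]


def detect_mmc_script_engine_loads(events):
    """One alert per Event ID 7 record in which mmc.exe loads a script engine,
    enriched with CommandLine/ParentImage from the Event ID 1 record of the same ProcessGuid."""
    creates = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] != 7:
            continue
        image = ntpath.basename(e["Image"]).lower()      # compare file names only
        loaded = ntpath.basename(e["ImageLoaded"]).lower()
        if image != "mmc.exe" or loaded not in SCRIPT_ENGINES:
            continue
        create = creates.get(e["ProcessGuid"], {})  # empty if the creation event is absent
        alerts.append({
            "UtcTime": e["UtcTime"], "ProcessGuid": e["ProcessGuid"],
            "ImageLoaded": loaded,
            "CommandLine": create.get("CommandLine"), "ParentImage": create.get("ParentImage"),
        })
    return alerts
```

The two alerts returned for the sample carry different parent processes and .msc paths, which is exactly the context the summary says an analyst should weigh before deciding whether the load is routine snap-in use.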
Categories
- Endpoint
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1620
Created: 2026-02-03