
Potential Dropper Script Execution Via WScript/CScript

Summary
This detection rule identifies potential dropper script executions launched through Windows Script Host (WSH) via `wscript.exe` and `cscript.exe`. It focuses on scripts executed from user-writable directories, which can indicate malicious activity. The detection is built on Windows process creation events and monitors for specific command-line patterns indicative of such scripts. The rule requires that the image of the created process ends with either `wscript.exe` or `cscript.exe`, that the command line contains a script file extension commonly associated with Windows scripting (such as .js, .vba, .vbs), and that the script path lies in a notable user directory, including temporary and profile locations such as `Temp`, `AppData`, and the public user directory. By requiring all three conditions to hold, the rule aims to minimise false positives from legitimate software installers that exhibit similar behaviour. Anyone deploying this rule should first establish a baseline of normal script-host activity in their environment so that benign hits can be tuned out.
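As an added illustration (not the rule's own text or any detection source from this page), the following Python applies the three summarised conditions to a few constructed process-creation events. The field values come from the summary above; the case-insensitive substring semantics are assumed to mirror Sigma's `endswith`/`contains` modifiers, and the exact value lists of the real rule may be longer.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Indicative values from the rule summary; the real rule may list more
# (assumption: the exact field values are not reproduced on this page).
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
SCRIPT_EXTENSIONS = (".js", ".vba", ".vbs")
USER_DIRECTORIES = ("\\users\\public\\", "\\appdata\\", "\\temp\\")


@dataclass(frozen=True)
class ProcessCreation:
    """Minimal subset of a process-creation event (e.g. Sysmon Event ID 1)."""
    image: str
    command_line: str


def matches_dropper_rule(event: ProcessCreation) -> bool:
    """All three conditions must hold, mirroring the rule's AND logic.
    Case-insensitive substring matching, like Sigma's endswith/contains."""
    image = event.image.lower()
    cmd = event.command_line.lower()
    host_ok = image.endswith(SCRIPT_HOSTS)
    ext_ok = any(ext in cmd for ext in SCRIPT_EXTENSIONS)
    dir_ok = any(d in cmd for d in USER_DIRECTORIES)
    return host_ok and ext_ok and dir_ok


def triage(events: Iterable[ProcessCreation]) -> List[ProcessCreation]:
    """Return the events the rule would alert on."""
    return [e for e in events if matches_dropper_rule(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # script host + .vbs + Temp -> alert
    ProcessCreation(r"C:\Windows\System32\wscript.exe",
                    r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.vbs"'),
    # script host + .vbs, but a system directory -> no alert
    ProcessCreation(r"C:\Windows\System32\cscript.exe",
                    r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv"),
    # .js from the public profile -> alert
    ProcessCreation(r"C:\Windows\SysWOW64\cscript.exe",
                    r'cscript.exe "C:\Users\Public\Documents\update.js"'),
    # not a script host, even though the path matches -> no alert
    ProcessCreation(r"C:\Windows\System32\msiexec.exe",
                    r"msiexec.exe /i C:\Users\bob\AppData\Local\Temp\setup.msi"),
    # substring matching: '.json' satisfies the '.js' check -> alert,
    # the kind of benign hit a baseline has to account for
    ProcessCreation(r"C:\Windows\System32\wscript.exe",
                    r'wscript.exe "C:\Users\bob\AppData\Roaming\Vendor\settings.json"'),
]
```

The last sample shows why baselining matters: a plain `contains` on `.js` also fires on `.json` arguments, so tuning is needed before relying on the rule for alerting.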
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2019-01-16