
Summary
The 'Suspicious Script Object Execution' detection rule identifies potential abuse of the legitimate Windows library 'scrobj.dll', which malicious actors typically use to execute scriptlets inside trusted Microsoft processes. The rule uses the Elastic Query Language (EQL) to monitor processes on Windows systems for unusual loads of scrobj.dll, excluding common executables known to load it legitimately. It raises an alert when scrobj.dll is loaded by a non-standard process, which may indicate malicious activity. The exclusion criteria for known safe executables are what keep the rule balanced between detecting abuse and avoiding false positives on legitimate administrative tasks.

The recommended investigation steps are to review the process executable paths, check the parent processes, analyse the user accounts involved, and look for unauthorised network connections, along with other investigative actions. The rule also accounts for potential false positives from benign script executions, so routine administrative actions and safe applications need to be filtered out.

For a positive detection, the recommended incident response is to isolate affected systems, terminate suspicious processes, scan for malicious scripts, restore system settings, and escalate the incident to the SOC for deeper analysis.
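The following is an added, offline illustration of the detection logic the summary describes (flag scrobj.dll loads by processes outside an allowlist), not the rule's own EQL or Elastic's code. The allowlist, the ECS-style field names and the sample events are constructed for this example; the real rule's exclusion set is not reproduced here.

```python
"""Toy re-implementation of the page's detection logic: alert when scrobj.dll
is loaded by a process whose executable is not on an allowlist."""

# Assumed allowlist (illustrative only): two script hosts stand in for the
# "known safe executables" the rule excludes.
ALLOWED_EXECUTABLES = frozenset({
    r"c:\windows\system32\wscript.exe",
    r"c:\windows\system32\cscript.exe",
    r"c:\windows\syswow64\wscript.exe",
    r"c:\windows\syswow64\cscript.exe",
})

def _norm(path: str) -> str:
    """Lower-case and unify slashes so allowlist matching is case-insensitive."""
    return path.replace("/", "\\").lower()

def is_suspicious_scrobj_load(event: dict) -> bool:
    """True for a library-load event of scrobj.dll by a non-allowlisted process."""
    if event.get("event.category") != "library":
        return False
    if _norm(event.get("dll.name", "")) != "scrobj.dll":
        return False
    return _norm(event.get("process.executable", "")) not in ALLOWED_EXECUTABLES

def alert_on_scrobj_loads(events: list[dict]) -> list[dict]:
    """Return the events the rule would alert on, reduced to the fields the
    investigation steps ask for: executable path, parent process and user."""
    return [
        {"executable": ev.get("process.executable"),
         "parent": ev.get("process.parent.name"),
         "user": ev.get("user.name")}
        for ev in events if is_suspicious_scrobj_load(ev)
    ]

# Constructed sample events using ECS-style field names (not real telemetry).
SAMPLE_EVENTS = [
    {"event.category": "library", "dll.name": "scrobj.dll",            # allowlisted host
     "process.executable": r"C:\Windows\System32\wscript.exe",
     "process.parent.name": "explorer.exe", "user.name": "alice"},
    {"event.category": "library", "dll.name": "scrobj.dll",            # non-standard loader
     "process.executable": r"C:\Windows\System32\notepad.exe",
     "process.parent.name": "winword.exe", "user.name": "alice"},
    {"event.category": "library", "dll.name": "kernel32.dll",          # not scrobj.dll
     "process.executable": r"C:\Windows\System32\notepad.exe",
     "process.parent.name": "explorer.exe", "user.name": "alice"},
    {"event.category": "library", "dll.name": "scrobj.dll",            # user-writable path
     "process.executable": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "process.parent.name": "cmd.exe", "user.name": "alice"},
]

if __name__ == "__main__":
    for alert in alert_on_scrobj_loads(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints the two alerts (notepad.exe with parent winword.exe, and the Temp-directory executable), which are the records an analyst would then triage using the investigation steps above.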
Categories
- Windows
- Endpoint
Data Sources
- Process
- File
- Application Log
ATT&CK Techniques
- T1218
- T1218.010
Created: 2020-09-02