
Potential Reconnaissance Activity Via GatherNetworkInfo.VBS

Sigma Rules

Summary
This detection rule identifies potential reconnaissance activity via execution of the built-in Windows script "C:\Windows\System32\gatherNetworkInfo.vbs". Because the script collects system and network configuration details, an attacker who already has access to a host can abuse it to gather intelligence on that machine. The rule focuses on process creation events: it monitors for invocations of the script through Windows Script Host, specifically `cscript.exe` or `wscript.exe`, and captures command lines that include 'gatherNetworkInfo.vbs', alerting defenders to potential misuse of this legitimate system utility. The detection criteria require that both the image path and the command line meet their respective conditions before an alert is triggered, which limits false positives from legitimate administrative automation tasks.
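The two-condition logic described above (script host image AND script name in the command line), written out as a small Python checker run over constructed process-creation events. This is an added illustration, not the Sigma rule itself or code from the rule's authors; the Sysmon-style field names `Image` and `CommandLine`, the sample events and the function names are assumptions made for the example.

```python
import ntpath

# Constructed sample process-creation events (Sysmon-style field names are an
# assumption for this example); none of these are real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Windows\System32\gatherNetworkInfo.vbs"},
    {"Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\wscript.exe" //B "C:\Windows\System32\GATHERNETWORKINFO.VBS"'},
    # Script host running a different script: image matches, command line does not.
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Scripts\inventory.vbs"},
    # Script name present but not run by a script host: command line matches, image does not.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c type C:\Windows\System32\gatherNetworkInfo.vbs"},
]

# Windows Script Host binaries named in the rule description.
WSH_HOSTS = {"cscript.exe", "wscript.exe"}
TARGET_SCRIPT = "gathernetworkinfo.vbs"


def matches_rule(event: dict) -> bool:
    """Return True only when BOTH selections hold: the process image is a
    Windows Script Host binary and the command line contains the script name.
    Comparisons are case-insensitive, mirroring Sigma's default string matching."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    host = ntpath.basename(image).lower()   # compare on the file name, i.e. "endswith"
    return host in WSH_HOSTS and TARGET_SCRIPT in cmdline.lower()


def scan(events) -> list:
    """Return the subset of events that would raise this alert."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

Only the first two sample events fire; the last two show why the rule ANDs both conditions rather than alerting on either alone.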
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2022-01-03