
Summary
This detection rule identifies the creation of an ActiveScriptEventConsumer through the Windows Management Instrumentation Command-line (WMIC) tool, which can be a sign of a malicious persistence mechanism on Windows systems. The rule looks for specific command-line arguments passed to the WMIC process at creation that indicate an event consumer is being established. The technique is associated with various attack patterns that let attackers maintain persistence on compromised systems. The core of the implementation is monitoring WMIC executions whose arguments include both 'ActiveScriptEventConsumer' and 'CREATE', which together indicate that a new event consumer is being registered. While this action can be legitimate, the alert level is set to high because the technique is used in advanced persistent threats (APTs) to ensure that malicious scripts run automatically, facilitating continued access to the target environment. The author, Florian Roth of Nextron Systems, originally wrote this detection rule to help security professionals identify abuse of WMIC that could indicate unauthorized activity. Organizations should be cautious when triaging, as legitimate software may also use this functionality.
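As an added example that is not part of this rule or its project, the following Python implements the matching logic described above and runs it over constructed Sysmon-style process-creation events. The Sysmon field names and the exact selection (image ending in wmic.exe plus both tokens in the command line, matched case-insensitively as Sigma's contains modifier does) are assumptions, since the page does not reproduce the rule body.

```python
# Added example (not the rule's own code): minimal detection logic for WMIC
# creating an ActiveScriptEventConsumer, run over constructed sample events.
# Field names mirror Sysmon Event ID 1 (assumption); EventID "1" = process creation.
from typing import Dict, List

# Constructed sample events: a benign WMIC query, an event-consumer creation,
# and an unrelated process whose command line contains the same tokens.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption"},
    {"EventID": "1", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": (r'wmic /NAMESPACE:"\\root\subscription" PATH '
                     'ActiveScriptEventConsumer CREATE Name="sample", '
                     'ScriptingEngine="VBScript", ScriptText="[placeholder]"')},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe ActiveScriptEventConsumer CREATE notes.txt"},
]

# Both tokens must be present in the command line for the rule to fire.
REQUIRED_TOKENS = ("ActiveScriptEventConsumer", "CREATE")


def is_wmic_event_consumer_creation(event: Dict[str, str]) -> bool:
    """Return True when a process-creation event shows WMIC creating an
    ActiveScriptEventConsumer. Matching is case-insensitive, so a lowercase
    'activescripteventconsumer create' is caught as well."""
    if event.get("EventID") != "1":
        return False
    image = event.get("Image", "").lower()
    if not image.endswith("\\wmic.exe"):
        return False  # only WMIC executions are in scope for this rule
    cmd = event.get("CommandLine", "").lower()
    return all(token.lower() in cmd for token in REQUIRED_TOKENS)


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines of all events that match the rule."""
    return [e["CommandLine"] for e in events if is_wmic_event_consumer_creation(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("HIGH: WMIC ActiveScriptEventConsumer creation:", hit)
```

Hits should be triaged against known software that registers event consumers legitimately, since the rule matches on the command line alone.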
Categories
- Windows
Data Sources
- Process
Created: 2021-06-25