
Summary
This detection rule targets potential misuse of WMI (Windows Management Instrumentation) script event consumers as a persistence technique. Specifically, it detects file write operations performed by the WMI script event consumer executable, `scrcons.exe`, located in the `C:\WINDOWS\system32\wbem` directory. The WMI script event consumer runs scripts in response to WMI events, which attackers can abuse to maintain access to and control over compromised systems. The rule monitors file events and raises an alert when the script consumer creates or modifies a file, which may indicate a backdoor being installed or a configuration being manipulated. The rule's level is set to high, reflecting the elevated risk of this behaviour and the need for prompt investigation. To keep the detection effective, known false positives from legitimate applications, such as Dell Power Manager's executable, are acknowledged and should be filtered accordingly. This rule is part of a larger effort to strengthen defences against persistence techniques that rely on native Windows features.
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- File
- Process
Created: 2018-03-07