WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load

Sigma Rules

Summary
This detection rule identifies the WMI script host process, scrcons.exe, loading specific scripting DLLs. When scrcons.exe loads DLLs such as vbscript.dll and wbemdisp.dll, it indicates that a WMI ActiveScriptEventConsumer is executing a script, a mechanism that can be used for lateral movement and persistence within a Windows environment. The rule is particularly relevant to the Windows lateral movement techniques described in multiple threat research sources. Its condition triggers when scrcons.exe loads one of the listed scripting-related DLLs, behaviour that warrants further investigation. False positives are possible, mainly from legitimate event consumers; certain hardware configurations are known to trigger the rule, for example Dell computers, where brightness adjustments can produce alerts. Organizations are encouraged to tune this rule to their operational environment to minimize alerts from benign activity.
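As an added example (not the Sigma rule's own code or any project's implementation), the rule's condition expressed as a check over image-load events in the shape of Sysmon Event ID 7 records; the DLL list is limited to the two names the summary gives, and the sample events are constructed:

```python
import json
from typing import Iterable, List

# The rule matches image-load events (Sysmon Event ID 7, Sigma category
# image_load) in which scrcons.exe loads a scripting engine DLL. Only the
# DLL names mentioned on the page are listed here; extend the tuple when
# tuning the rule for your environment.
SCRIPT_HOST = "\\scrcons.exe"
SCRIPTING_DLLS = ("\\vbscript.dll", "\\wbemdisp.dll")


def matches_rule(event: dict) -> bool:
    """True when the loading process is scrcons.exe AND the loaded image is
    one of the scripting DLLs. Matching is case-insensitive, like Sigma's
    default string matching on Windows paths."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    if not image.endswith(SCRIPT_HOST):
        return False
    return any(loaded.endswith(dll) for dll in SCRIPTING_DLLS)


def detect(events: Iterable[dict]) -> List[dict]:
    """Run the rule over a stream of image-load events and return the hits."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; only the fields the rule needs are included.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\wbem\\scrcons.exe",
     "ImageLoaded": "C:\\Windows\\System32\\vbscript.dll"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\wbem\\scrcons.exe",
     "ImageLoaded": "C:\\Windows\\System32\\wbem\\wbemdisp.dll"},
    # scrcons.exe loading a non-scripting DLL: not a hit
    {"EventID": 7, "Image": "C:\\Windows\\System32\\wbem\\scrcons.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    # a different script host loading vbscript.dll: not a hit for this rule
    {"EventID": 7, "Image": "C:\\Windows\\System32\\wscript.exe",
     "ImageLoaded": "C:\\Windows\\System32\\vbscript.dll"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Hits still need triage against known-benign consumers (such as the Dell brightness case the summary mentions) before they are escalated.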
Categories
  • Windows
Data Sources
  • Process
  • Image
  • Script
Created: 2020-09-02