Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script

Summary
This rule flags a persistence technique that abuses `VMwareToolBoxCmd.exe`, the VMware Tools command-line utility, inside a Windows guest. The utility can register a script that VMware Tools runs whenever the virtual machine changes power state (for example on power-on, suspend or resume), and an attacker who can run it inside the guest can point that hook at their own script so it is re-executed on every state change. The rule matches process creation events whose image is `VMwareToolBoxCmd.exe` and whose command line contains both the `script` and `set` arguments, and it fires only when the script path being registered lies in a directory commonly used to stage malicious files: `PerfLogs`, `Temp` or `Windows\Tasks`. Requiring all three conditions (image, arguments and a suspicious path) keeps the match narrow, so administrators who register power-state scripts from ordinary program directories do not trigger it, while an attacker registering a script from a writable staging directory does. A hit should be followed by inspecting the registered script and how the utility came to be invoked, since a successful registration gives the attacker code execution that survives reboots and suspend/resume cycles. The rule was authored by Nasreddine Bencherchali of Nextron Systems and applies to any environment running VMware Tools in Windows virtual machines; it also illustrates why VM management tooling deserves the same process monitoring as the rest of the guest.
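To make the three-part match concrete, the following is an added example and not code from the Sigma project or from the rule's author: a small Python re-implementation of the matching logic described above, run over constructed process-creation events. Field names follow the Sigma `process_creation` log source (`Image`, `CommandLine`), the sample events and the VMware Tools install path are made up for the example, and the directory list is the one named in the summary, which is an assumption about the real rule's full list. The argument form `script <power|resume|suspend|shutdown> set <path>` is the utility's documented syntax.

```python
# Added example (not the Sigma project's or the rule author's code): a small
# re-implementation of the matching logic the summary describes, applied to
# constructed process-creation events. Field names follow the Sigma
# process_creation log source (Image, CommandLine). The directory list is the
# one the summary names; the real rule may list more, so treat it as an
# assumption.

SUSPICIOUS_DIRS = (           # assumption: mirrors the summary, not the full rule
    "\\perflogs\\",
    "\\temp\\",               # bare "Temp" also covers ...\AppData\Local\Temp\
    "\\windows\\tasks\\",
)
REQUIRED_ARGS = (" script ", " set ")   # both must appear as separate arguments


def matches_rule(event: dict) -> bool:
    """Return True when an event satisfies all three conditions of the rule."""
    image = event.get("Image", "").lower()
    # Pad with spaces so "script"/"set" are matched as whole arguments, and
    # lowercase everything because Sigma's Windows matching is case-insensitive.
    cmdline = f" {event.get('CommandLine', '').lower()} "
    if not image.endswith("\\vmwaretoolboxcmd.exe"):
        return False
    if not all(arg in cmdline for arg in REQUIRED_ARGS):
        return False
    return any(d in cmdline for d in SUSPICIOUS_DIRS)


def run_detection(events):
    """Apply the rule to each event; returns one bool per event, in order."""
    return [matches_rule(e) for e in events]


# Assumed install path; only used to build the sample events below.
VMTOOLS = r"C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe"

# Constructed sample events, not captured from a real host.
SAMPLE_EVENTS = [
    # 1. script registered from a staging directory -> should alert
    {"Image": VMTOOLS,
     "CommandLine": f'"{VMTOOLS}" script power set C:\\Windows\\Temp\\svc.bat'},
    # 2. admin registers a shutdown script from a normal program directory -> no alert
    {"Image": VMTOOLS,
     "CommandLine": f'"{VMTOOLS}" script shutdown set "C:\\Program Files\\Corp\\flush.cmd"'},
    # 3. only queries the current script, no "set" -> no alert
    {"Image": VMTOOLS,
     "CommandLine": f'"{VMTOOLS}" script power current'},
    # 4. right arguments and path but wrong binary -> no alert
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c script set C:\PerfLogs\x.bat"},
    # 5. resume hook pointed at PerfLogs -> should alert
    {"Image": VMTOOLS,
     "CommandLine": f'"{VMTOOLS}" script resume set C:\\PerfLogs\\x.bat'},
]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run_detection(SAMPLE_EVENTS)):
        print("ALERT " if hit else "ok    ", event["CommandLine"])
```

Events 1 and 5 are the only hits: event 2 registers a hook from a regular program directory, event 3 never uses `set`, and event 4 has the right arguments and path but is not the VMware Tools binary. Note that matching `Temp` as a substring also catches per-user `AppData\Local\Temp` paths, which is usually what you want for this rule but is worth knowing when tuning.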
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2023-06-14