
XSL Script Execution With WMIC

Splunk Security Content

Summary
The detection rule identifies the execution of XSL scripts via WMIC (Windows Management Instrumentation Command-line), a method leveraged by attackers, notably the FIN7 group, to execute malicious payloads. It uses process-execution telemetry from Endpoint Detection and Response (EDR) agents, focusing on command lines in which a WMIC process references an XSL file. The rule evaluates these command-line executions using Sysmon EventID 1 and Windows Security Event ID 4688, and a match is treated as a potential indicator of compromise (IoC). The rule can help organizations detect and respond to unauthorized script executions that could lead to system compromise.
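As an added illustration of the detection logic summarized above (example code, not Splunk's own search or rule), the following Python applies the "WMIC process plus XSL file on the command line" condition to constructed Sysmon EventID 1 and Security 4688 records; the field names (`image`, `new_process_name`, `command_line`) are assumptions modeled on the process fields those events carry, and the sample events are constructed, not real telemetry.

```python
import re

# Constructed sample events (not from the page): two Sysmon EventID 1 records and
# two Windows Security 4688 records, reduced to the fields the detection needs.
SAMPLE_EVENTS = [
    {"event_id": 1,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r'wmic.exe process list /format:"C:\Users\Public\report.xsl"'},
    {"event_id": 4688,
     "new_process_name": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r"wmic.exe os get caption"},          # benign WMIC use, no XSL
    {"event_id": 4688,
     "new_process_name": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\temp\style.xsl"},   # XSL file, but not WMIC
    {"event_id": 1,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r"WMIC.EXE computersystem get name /FORMAT:C:\temp\t.XSL"},  # case varies
]

# Process image must end in wmic.exe; the command line must name a .xsl file.
# Both checks are case-insensitive because Windows paths and switches are.
WMIC_RE = re.compile(r"(?:^|\\)wmic\.exe$", re.IGNORECASE)
XSL_RE = re.compile(r"\.xsl\b", re.IGNORECASE)


def process_path(event):
    """Return the launched process path from a Sysmon EventID 1 or Security 4688 record."""
    if event.get("event_id") == 1:
        return event.get("image", "")
    if event.get("event_id") == 4688:
        return event.get("new_process_name", "")
    return ""


def is_wmic_xsl_execution(event):
    """True when a WMIC process was started with an XSL file on its command line."""
    path_hit = WMIC_RE.search(process_path(event)) is not None
    xsl_hit = XSL_RE.search(event.get("command_line", "")) is not None
    return path_hit and xsl_hit


def find_matches(events):
    """Return the events that satisfy the detection condition, in input order."""
    return [e for e in events if is_wmic_xsl_execution(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT T1220 WMIC/XSL:", hit["command_line"])
```

Only the first and last sample events match: the benign WMIC query and the non-WMIC process that merely opens an XSL file are not flagged.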
Categories
  • Endpoint
  • Windows
Data Sources
  • Pod
  • User Account
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1220
Created: 2024-11-13