
WMI Persistence - Script Event Consumer

Sigma Rules

Summary
This rule detects the execution of a WMI (Windows Management Instrumentation) script event consumer, a technique attackers commonly use for persistence. When an ActiveScriptEventConsumer subscription fires, WMI launches 'scrcons.exe' (the WMI Standard Event Consumer scripting application) to run the consumer's VBScript or JScript payload, so the rule looks for 'scrcons.exe' being started with 'svchost.exe', the generic Windows service host that launches it on behalf of WMI, as its parent process. On most systems this process should rarely run at all, so its appearance is a strong indicator that a script event consumer has been registered and triggered, which is how WMI-based persistence keeps access on a compromised host. False positives are possible where legitimate script event consumers exist; in particular, some Dell systems register a consumer that fires when screen brightness is changed, and those hosts may need to be tuned out of the rule rather than the rule being weakened for everyone.
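The following is an added example (not the rule's own code and not part of this page) that replays the rule's selection over a few constructed process-creation records in Sysmon / Sigma process_creation field style (Image, ParentImage, CommandLine, Computer). It assumes the rule's selection is exactly what the summary describes: an Image ending in \scrcons.exe whose ParentImage ends in \svchost.exe, compared case-insensitively as Sigma string matching is by default. The per-host allowlist for the Dell brightness case is one possible tuning, chosen here for illustration; the host names and events are made up.

```python
"""Replay the 'WMI Persistence - Script Event Consumer' selection over
Sysmon-style process-creation records. Added example, not the rule itself."""

# Constructed sample events (not real telemetry). Only the fields the rule
# and the tuning below look at are included.
SAMPLE_EVENTS = [
    {   # Classic hit: WMI spawned scrcons.exe to run a script consumer.
        "Computer": "ws01.corp.example",
        "Image": r"C:\Windows\System32\wbem\scrcons.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\system32\wbem\scrcons.exe -Embedding",
    },
    {   # Same pattern with different path casing, on a (hypothetical) Dell
        # laptop whose vendor consumer fires on brightness changes.
        "Computer": "DELL-LT-07.corp.example",
        "Image": r"C:\WINDOWS\SYSTEM32\WBEM\SCRCONS.EXE",
        "ParentImage": r"C:\WINDOWS\SYSTEM32\svchost.exe",
        "CommandLine": r"C:\WINDOWS\system32\wbem\scrcons.exe -Embedding",
    },
    {   # scrcons.exe started interactively from a shell: not the WMI launch
        # path, so the rule as written does not fire.
        "Computer": "ws02.corp.example",
        "Image": r"C:\Windows\System32\wbem\scrcons.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"scrcons.exe",
    },
    {   # Unrelated child of svchost.exe.
        "Computer": "ws02.corp.example",
        "Image": r"C:\Windows\System32\wscript.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"wscript.exe C:\Temp\x.vbs",
    },
]


def matches_rule(event):
    """Sigma-style selection: Image|endswith '\\scrcons.exe' AND
    ParentImage|endswith '\\svchost.exe' (case-insensitive)."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    return image.endswith("\\scrcons.exe") and parent.endswith("\\svchost.exe")


def scan(events, allowlisted_hosts=()):
    """Return the events that trigger the rule, dropping hits from hosts
    that are known to run a legitimate script consumer (the Dell case).
    Host-level tuning is an assumption of this example, not part of the rule."""
    allow = {h.lower() for h in allowlisted_hosts}
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        if ev.get("Computer", "").lower() in allow:
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS, allowlisted_hosts=["DELL-LT-07.corp.example"]):
        print(f"[WMI script consumer] {hit['Computer']}: {hit['CommandLine']}")
```

Tuning by host keeps the rule's logic intact for the rest of the fleet; the alternative of excluding svchost.exe parents globally would silence the exact launch path the rule exists to catch.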
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2018-03-07