
Summary
This detection rule identifies the creation of permanent WMI event subscriptions, a technique attackers use to establish persistence and, because the consumer executes under the WMI provider host, to gain SYSTEM-level code execution on Windows systems. A permanent subscription consists of three objects in the root\subscription namespace: an event filter (a WQL query selecting a trigger, such as a timer, logon, or process-start event), an event consumer (the action, typically a CommandLineEventConsumer or ActiveScriptEventConsumer), and a binding that joins the two. Sysmon records each of these as a separate event: EventID 19 (WmiEventFilter) for the creation of an event filter, EventID 20 (WmiEventConsumer) for the creation of an event consumer, and EventID 21 (WmiEventConsumerToFilter) for the binding of a filter to a consumer. Once the binding exists, WMI executes the consumer's command or script every time the filter fires, with WmiPrvSE.exe running it as SYSTEM, so a single subscription can give an attacker long-term, privileged access to the compromised host. The rule is implemented as a Splunk search over Sysmon logs that keys on EventID 20 (consumer creation) and summarises the results by host, user, and consumer, so that an analyst can pivot to the matching EventID 19 and 21 records, inspect the filter query and consumer payload, and investigate the hosts on which unexpected subscriptions appear. Note that Sysmon only emits EventIDs 19 through 21 when its configuration includes a WmiEvent rule; on hosts without one, these events are absent rather than benign.
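The three events above are only meaningful together: a filter or consumer on its own does nothing, and the binding (EventID 21) is what turns them into a running subscription. The following added example, which is not part of this detection rule or its Splunk search, correlates the three Sysmon event types per host and flags bindings whose consumer class executes code. The sample events are constructed; field names (Name, Query, Type, Destination, Consumer, Filter) follow the Sysmon WmiEvent schema, and the benign "SCM Event Log Filter" subscription is included because it ships with Windows and must not be flagged.

```python
"""Correlate Sysmon WMI events (EventID 19/20/21) into permanent subscriptions.

Added example, not the detection rule's own Splunk logic. Sample events are
constructed; field names follow Sysmon's WmiEvent schema (assumed).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Consumer classes that run attacker-supplied commands or scripts as SYSTEM.
EXECUTING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

# Sysmon writes WMI object references as <Class>.Name="<name>".
REF_RE = re.compile(r'^(?P<cls>\w+)\.Name="(?P<name>.*)"$')

# Constructed sample: one malicious chain and Windows' built-in SCM subscription.
SAMPLE_EVENTS = [
    {"EventID": 19, "Computer": "ws01", "User": "WS01\\alice", "Operation": "Created",
     "Name": "UpdaterFilter", "EventNamespace": "root\\CimV2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Computer": "ws01", "User": "WS01\\alice", "Operation": "Created",
     "Name": "UpdaterConsumer", "Type": "Command Line",
     "Destination": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"EventID": 21, "Computer": "ws01", "User": "WS01\\alice", "Operation": "Created",
     "Consumer": 'CommandLineEventConsumer.Name="UpdaterConsumer"',
     "Filter": '__EventFilter.Name="UpdaterFilter"'},
    {"EventID": 19, "Computer": "ws01", "User": "NT AUTHORITY\\SYSTEM", "Operation": "Created",
     "Name": "SCM Event Log Filter", "EventNamespace": "root\\CimV2",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Computer": "ws01", "User": "NT AUTHORITY\\SYSTEM", "Operation": "Created",
     "Name": "SCM Event Log Consumer", "Type": "Other", "Destination": ""},
    {"EventID": 21, "Computer": "ws01", "User": "NT AUTHORITY\\SYSTEM", "Operation": "Created",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]


@dataclass
class Subscription:
    computer: str
    user: str
    filter_name: str
    query: Optional[str]
    consumer_class: str
    consumer_name: str
    consumer_type: Optional[str]
    destination: Optional[str]

    @property
    def executes_code(self) -> bool:
        return self.consumer_class in EXECUTING_CONSUMERS


def parse_ref(ref: str):
    """Split 'CommandLineEventConsumer.Name="x"' into (class, name)."""
    m = REF_RE.match(ref)
    if not m:
        raise ValueError(f"unexpected WMI object reference: {ref!r}")
    return m.group("cls"), m.group("name")


def correlate(events):
    """Join EventID 21 bindings to their EventID 19 filter and 20 consumer per host."""
    filters, consumers, bindings = {}, {}, []
    for ev in events:
        key = (ev["Computer"], ev.get("Name"))
        if ev["EventID"] == 19:
            filters[key] = ev
        elif ev["EventID"] == 20:
            consumers[key] = ev
        elif ev["EventID"] == 21:
            bindings.append(ev)
    subs = []
    for b in bindings:
        ccls, cname = parse_ref(b["Consumer"])
        _, fname = parse_ref(b["Filter"])
        f = filters.get((b["Computer"], fname), {})
        c = consumers.get((b["Computer"], cname), {})
        subs.append(Subscription(
            computer=b["Computer"], user=b["User"], filter_name=fname,
            query=f.get("Query"), consumer_class=ccls, consumer_name=cname,
            consumer_type=c.get("Type"), destination=c.get("Destination")))
    return subs


def suspicious_subscriptions(events):
    """Bindings whose consumer class executes a command or script."""
    return [s for s in correlate(events) if s.executes_code]


if __name__ == "__main__":
    for s in suspicious_subscriptions(SAMPLE_EVENTS):
        print(f"{s.computer} {s.user}: {s.consumer_class} '{s.consumer_name}' "
              f"bound to '{s.filter_name}'\n  query:   {s.query}\n  payload: {s.destination}")
```

Keying the join on the consumer class rather than on the raw EventID 20 count is the design choice worth copying into a production search: the NTEventLogEventConsumer binding in the sample is legitimate and is never flagged, while the CommandLineEventConsumer chain is surfaced together with its WQL trigger and command line, which is exactly what an analyst needs to decide whether the subscription is an admin's scheduled check or an implant.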
Categories
- Endpoint
Data Sources
- Windows Registry
- Service
- Process
ATT&CK Techniques
- T1546.003
- T1546
Created: 2024-11-13