XSL Script Execution Via WMIC.EXE

Sigma Rules

Summary
This detection rule identifies execution of WMIC (Windows Management Instrumentation Command-line) with the 'format' flag, which instructs WMIC to load and apply an Extensible Stylesheet Language (XSL) file. XSL files are normally used to process and render data from XML files, but they provide a pathway for injecting malicious payloads: by invoking WMIC with format arguments that legitimate users rarely pass, an adversary can execute arbitrary commands while potentially circumventing application whitelisting mechanisms. The detection relies on monitoring process creation events on Windows systems and matches a specific command-line pattern for WMIC with the format flag, filtering out the known legitimate format arguments to minimize false positives. The rule is in a testing status and is credited to a collaboration of several security researchers.
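As an added illustration of the approach described above (this is example code written for this page, not the Sigma rule itself or any project's code), the snippet below runs the same two-step logic over a handful of constructed process-creation records: first match WMIC invocations carrying a format argument, then discard those whose argument is one of WMIC's built-in output formats. The allow-list of built-in formats is an assumption chosen for the example and may differ from the rule's actual exclusion list; the log records are constructed, not real telemetry.

```python
import re

# Constructed sample process-creation events (not real telemetry). Each tuple is
# (process image path, command line), as a Sysmon or 4688-style record carries them.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\wbem\\WMIC.exe", "wmic os get /format:list"),
    ("C:\\Windows\\System32\\wbem\\WMIC.exe", "wmic process list /format:csv"),
    ("C:\\Windows\\System32\\wbem\\WMIC.exe", 'wmic os get /FORMAT:"C:\\Users\\Public\\report.xsl"'),
    ("C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir"),
]

# Assumed allow-list of WMIC's built-in output formats (an assumption made for this
# example; the real rule's list of filtered legitimate arguments may differ).
KNOWN_FORMATS = {"list", "csv", "table", "htable", "hform", "mof", "value", "xml", "rawxml"}

# Case-insensitive match on the format switch; captures the argument, with or
# without surrounding double quotes, up to the next whitespace or quote.
FORMAT_RE = re.compile(r'[/-]format:\s*"?([^\s"]+)"?', re.IGNORECASE)


def is_suspicious(image: str, command_line: str) -> bool:
    """Return True when the event is a WMIC process whose format argument is not
    one of the known built-in formats, i.e. the pattern matches and the
    legitimate-argument filter does not exclude it."""
    # Compare on the file name only so both bare and full image paths are handled.
    if image.lower().rsplit("\\", 1)[-1] != "wmic.exe":
        return False
    match = FORMAT_RE.search(command_line)
    if not match:
        return False
    return match.group(1).lower() not in KNOWN_FORMATS


def scan(events):
    """Return the command lines of all events the detection flags."""
    return [cmd for image, cmd in events if is_suspicious(image, cmd)]


if __name__ == "__main__":
    for cmd in scan(SAMPLE_EVENTS):
        print("ALERT: suspicious WMIC format argument:", cmd)
```

Of the four constructed events, only the one that points the format flag at a custom XSL file is flagged; the built-in `list` and `csv` formats and the unrelated cmd.exe launch pass through the filter. A real deployment would apply the same check to the command-line field of the endpoint's process creation events rather than to an in-memory list.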
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1220
Created: 2019-10-21