Script Execution via WMI

Splunk Security Content

Summary
This detection rule identifies the execution of scripts via Windows Management Instrumentation (WMI), in particular by monitoring the process 'scrcons.exe'. It leverages process creation events collected from Endpoint Detection and Response (EDR) agents. WMI script execution is relevant because attackers commonly use it to operate stealthily, for example to compromise systems, exfiltrate data, or establish persistence. A confirmed malicious event could allow attackers to execute arbitrary code, escalate privileges, or maintain access to the environment. Analysts are encouraged to differentiate between legitimate administrative activity and potential threats to reduce false positives and improve detection accuracy.
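The detection described above, modelled as an added example in Python rather than Splunk's own search: it runs over a handful of constructed EDR-style process-creation events, flags any event where 'scrcons.exe' is the started process or the parent of the started process, and tags (rather than suppresses) hits from a caller-supplied set of known administrative accounts so an analyst can triage them. The event fields, host names, accounts and command lines are assumptions made for this example and are not taken from the page.

```python
"""Added example, not part of Splunk Security Content: a small model of the
'Script Execution via WMI' detection over constructed process-creation events."""

from dataclasses import dataclass

# Process name monitored by the detection (named on the page).
WMI_SCRIPT_HOST = "scrcons.exe"


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal EDR-style process-creation record (field names are assumptions)."""
    host: str
    user: str
    process_name: str
    parent_process_name: str
    command_line: str


# Constructed sample telemetry for the example; not real captured data.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "CORP\\alice", "scrcons.exe", "svchost.exe",
                 "C:\\Windows\\System32\\wbem\\scrcons.exe -Embedding"),
    ProcessEvent("ws01", "CORP\\alice", "powershell.exe", "scrcons.exe",
                 "powershell.exe -File C:\\scripts\\inventory.ps1"),
    ProcessEvent("srv02", "CORP\\svc_inventory", "scrcons.exe", "svchost.exe",
                 "C:\\Windows\\System32\\wbem\\scrcons.exe -Embedding"),
    ProcessEvent("ws03", "CORP\\bob", "notepad.exe", "explorer.exe",
                 "notepad.exe"),
]


def detect_wmi_script_execution(events, known_admin_accounts=frozenset()):
    """Return one alert dict per event that matches the detection.

    An event matches when scrcons.exe itself starts, or when scrcons.exe is the
    parent of the new process (a script run by the WMI script host spawning a
    child). Events from accounts in known_admin_accounts are kept but marked
    likely_admin=True, leaving the false-positive decision to the analyst.
    """
    alerts = []
    for e in events:
        name = e.process_name.lower()
        parent = e.parent_process_name.lower()
        if name == WMI_SCRIPT_HOST:
            reason = "scrcons.exe started"
        elif parent == WMI_SCRIPT_HOST:
            reason = f"{e.process_name} spawned by scrcons.exe"
        else:
            continue  # not related to WMI script execution
        alerts.append({
            "host": e.host,
            "user": e.user,
            "process": e.process_name,
            "parent": e.parent_process_name,
            "command_line": e.command_line,
            "reason": reason,
            "likely_admin": e.user in known_admin_accounts,
        })
    return alerts


def summarize_by_host(alerts):
    """Count alerts per host, a typical first aggregation when triaging."""
    counts = {}
    for a in alerts:
        counts[a["host"]] = counts.get(a["host"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect_wmi_script_execution(SAMPLE_EVENTS, {"CORP\\svc_inventory"})
    for h in hits:
        flag = " (known admin account)" if h["likely_admin"] else ""
        print(f"{h['host']} {h['user']} {h['reason']}{flag}: {h['command_line']}")
    print(summarize_by_host(hits))
```

Matching on the parent process as well as the process itself is what makes the example useful for triage: the scrcons.exe start alone tells you a WMI event consumer fired, while the child process and its command line tell you what the script actually did.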
Categories
  • Endpoint
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1047
Created: 2024-11-13