
Wmic NonInteractive App Uninstallation

Splunk Security Content

Summary
This rule identifies potential malicious use of the WMIC command-line tool (wmic.exe) to uninstall an application non-interactively. It leverages process telemetry from EDR agents to monitor for the WMIC command pattern used to remove a product silently, namely a "call uninstall" invocation carrying the /nointeractive switch, which suppresses the confirmation prompt. This pattern has been observed in the IcedID malware campaign. Uninstalling a security application non-interactively is unusual for ordinary user activity and may indicate an attempt by an attacker to evade detection by disabling defenses. The rule alerts on command-line activity matching this syntax; investigating such alerts helps identify threats that aim to disable security controls, maintain persistence, and further compromise the environment.
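As an added example (not the Splunk rule itself, which is written in SPL over the Endpoint.Processes data model), the following Python shows the same detection logic run over a handful of constructed EDR process-creation events. It keys on the WMIC silent-uninstall syntax, "wmic product where <filter> call uninstall /nointeractive", and additionally pulls out the WHERE filter so an analyst can see which product was targeted. The event fields, host names, user names and command lines are all made up for the illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event, in the shape an EDR agent would report it (assumed schema)."""
    host: str
    user: str
    parent_process: str
    process_name: str   # image name of the created process
    process: str        # full command line


# Constructed sample events (not real telemetry): two silent uninstalls via
# WMIC, one harmless WMIC query, one msiexec uninstall, and one WMIC
# uninstall that lacks the /nointeractive switch.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("ws01", "CORP\\alice", "cmd.exe", "wmic.exe",
                 'wmic product where name="Example AV" call uninstall /nointeractive'),
    ProcessEvent("ws01", "CORP\\alice", "explorer.exe", "wmic.exe",
                 "wmic product get name,version"),
    ProcessEvent("ws02", "CORP\\bob", "powershell.exe", "WMIC.EXE",
                 'WMIC PRODUCT WHERE "Name like \'%Agent%\'" CALL UNINSTALL /NOINTERACTIVE'),
    ProcessEvent("ws03", "CORP\\svc-deploy", "sccm-client.exe", "msiexec.exe",
                 "msiexec.exe /x {00000000-0000-0000-0000-000000000000} /qn"),
    ProcessEvent("ws04", "CORP\\carol", "cmd.exe", "wmic.exe",
                 'wmic product where name="Example AV" call uninstall'),
]

# WMIC's silent-uninstall syntax is
#   wmic product where <filter> call uninstall /nointeractive
# so the rule requires both the "call uninstall" method and the
# /nointeractive switch. WMIC is case-insensitive, so match that way.
CALL_UNINSTALL_RE = re.compile(r"\bcall\s+uninstall\b", re.IGNORECASE)
NOINTERACTIVE_RE = re.compile(r"/nointeractive\b", re.IGNORECASE)
TARGET_RE = re.compile(r"\bwhere\s+(.+?)\s+call\s+uninstall\b",
                       re.IGNORECASE | re.DOTALL)


def is_noninteractive_wmic_uninstall(event: ProcessEvent) -> bool:
    """True when wmic.exe runs 'call uninstall' with the /nointeractive switch."""
    if event.process_name.lower() != "wmic.exe":
        return False
    cmd = event.process
    return bool(CALL_UNINSTALL_RE.search(cmd)) and bool(NOINTERACTIVE_RE.search(cmd))


def uninstall_target(cmdline: str) -> Optional[str]:
    """Return the WHERE filter (which product is being removed) for triage, or None."""
    m = TARGET_RE.search(cmdline)
    return m.group(1).strip() if m else None


def detect(events: List[ProcessEvent]) -> List[dict]:
    """Run the rule over a batch of events and return one alert record per hit."""
    alerts = []
    for e in events:
        if is_noninteractive_wmic_uninstall(e):
            alerts.append({
                "host": e.host,
                "user": e.user,
                "parent_process": e.parent_process,
                "target": uninstall_target(e.process),
                "process": e.process,
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['host']} {a['user']} parent={a['parent_process']} target={a['target']}")
```

Two points a practitioner would check before deploying logic like this. First, matching on the image name alone misses a copied or renamed wmic.exe; if your EDR records the binary's original file name or hash, match on that as well. Second, software-deployment and packaging scripts also use this exact syntax, so the parent process and the targeted product (surfaced here via the WHERE filter) are what separate a legitimate removal from an attacker disabling a security agent.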
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1562.001 (Impair Defenses: Disable or Modify Tools)
  • T1562 (Impair Defenses)
Created: 2024-11-13