WMI Persistence - Command Line Event Consumer

Sigma Rules

Summary
This detection rule identifies the use of WMI (Windows Management Instrumentation) command line event consumers, which attackers often use as a persistence mechanism. It monitors the WMI provider host process (`WmiPrvSE.exe`) and checks whether the associated DLL `wbemcons.dll` is loaded into it during execution. Detecting this specific behaviour is intended to uncover malicious activity that abuses WMI to persist on compromised systems. The rule's selection condition is based on the process image path combined with a check for that specific loaded DLL, a combination indicative of potential misuse. This technique corresponds to the persistence patterns defined in MITRE ATT&CK, specifically T1546.003. The rule is still in the testing phase: because it was validated against a limited dataset, false positives are possible, and further testing is recommended before full deployment.
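To make the rule's logic concrete, the following is an added example, written for this page rather than taken from the Sigma rule or its repository. It re-implements the selection (process image ending in `WmiPrvSE.exe` loading a module ending in `wbemcons.dll`) over a handful of constructed image-load records shaped like Sysmon Event ID 7, which is the usual source for the `image_load` category. The `ImageLoadEvent` shape, its field names and every sample record are assumptions made for the example.

```python
"""Re-implementation of the 'WMI Persistence - Command Line Event Consumer'
selection over image-load telemetry.

Added example for this page, not the Sigma rule's own code. The record shape
below is an assumption modelled on Sysmon Event ID 7 (Image / ImageLoaded).
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ImageLoadEvent:
    """Minimal image-load record (assumed shape, modelled on Sysmon Event ID 7)."""
    host: str          # host that produced the event
    image: str         # full path of the process that loaded the module
    image_loaded: str  # full path of the module (DLL) that was loaded


def matches_wmi_cmdline_consumer(event: ImageLoadEvent) -> bool:
    """Sigma-style selection: Image|endswith WmiPrvSE.exe AND ImageLoaded|endswith wbemcons.dll.

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased before the suffix comparison; the leading backslash keeps the
    match anchored to the file name rather than any longer name ending the same way.
    """
    image = event.image.lower()
    loaded = event.image_loaded.lower()
    return image.endswith("\\wmiprvse.exe") and loaded.endswith("\\wbemcons.dll")


def detect(events: Iterable[ImageLoadEvent]) -> List[ImageLoadEvent]:
    """Return every event that satisfies the rule's selection."""
    return [e for e in events if matches_wmi_cmdline_consumer(e)]


# Constructed sample records for this example (not real telemetry).
SAMPLE_EVENTS = [
    # 1: provider host loading the event-consumer DLL -> the rule fires
    ImageLoadEvent("ws01",
                   r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                   r"C:\Windows\System32\wbem\wbemcons.dll"),
    # 2: provider host loading an unrelated provider DLL -> no alert
    ImageLoadEvent("ws01",
                   r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                   r"C:\Windows\System32\wbem\cimwin32.dll"),
    # 3: a different process touching wbemcons.dll -> outside the rule's scope
    ImageLoadEvent("ws02",
                   r"C:\Windows\System32\svchost.exe",
                   r"C:\Windows\System32\wbem\wbemcons.dll"),
    # 4: mixed case paths, as telemetry often arrives -> still fires
    ImageLoadEvent("srv01",
                   r"c:\windows\syswow64\wbem\wmiprvse.exe",
                   r"C:\WINDOWS\SysWOW64\wbem\WBEMCONS.DLL"),
]


def alerting_hosts(events: Iterable[ImageLoadEvent] = SAMPLE_EVENTS) -> List[str]:
    """Hosts on which the rule fired, in event order (duplicates kept)."""
    return [e.host for e in detect(events)]


if __name__ == "__main__":
    for e in detect(SAMPLE_EVENTS):
        print(f"ALERT host={e.host} image={e.image} loaded={e.image_loaded}")
```

Over the sample records the rule fires on `ws01` and `srv01` and stays quiet on the other two, which illustrates the scope the summary describes: the selection keys on the provider host process, not on the DLL alone. It also shows why the rule's false-positive caveat matters: a hit says only that `WmiPrvSE.exe` loaded the consumer DLL, which any legitimately registered command line event consumer on that host would also cause, so a match is a prompt to review which consumers are configured there and whether they are expected.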
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Module
Created: 2018-03-07