Wmiprsve LOLBAS Execution Process Spawn

Splunk Security Content

Summary
This detection rule identifies LOLBAS (Living Off The Land Binaries and Scripts) processes spawned by `wmiprvse.exe`, the Windows Management Instrumentation (WMI) provider host process. The rule uses process creation events from endpoint telemetry such as Sysmon and Windows Security logs, and matches cases where a known LOLBAS binary is launched as a child process of `wmiprvse.exe`. Because adversaries abuse WMI for lateral movement and remote code execution, this parent/child relationship is a strong indicator of such activity. If confirmed malicious, it could indicate an attacker's attempt to execute arbitrary code, escalate privileges, or establish persistence within the network, marking it as a severe security threat.
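The core of the rule is a parent/child match on process creation events. The following is an added illustration of that logic, not Splunk's own search: the field names (`host`, `parent_image`, `image`, `command_line`), the sample events and the short LOLBAS subset are constructed assumptions modelled on Sysmon Event ID 1 style data.

```python
# Flag LOLBAS binaries spawned by wmiprvse.exe in process-creation events.
# Added example; field names, sample events and the LOLBAS subset are
# assumptions, not the rule's real lookup or real telemetry.
from pathlib import PureWindowsPath

# Illustrative subset of LOLBAS binaries (assumption: the real list is longer).
LOLBAS_BINARIES = {
    "powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe",
}

WMI_HOST = "wmiprvse.exe"


def basename(image_path: str) -> str:
    """Lower-cased file name from a Windows image path (case-insensitive match)."""
    return PureWindowsPath(image_path).name.lower()


def is_wmi_lolbas_spawn(event: dict) -> bool:
    """True when the parent is wmiprvse.exe and the child is a LOLBAS binary."""
    return (basename(event.get("parent_image", "")) == WMI_HOST
            and basename(event.get("image", "")) in LOLBAS_BINARIES)


def find_wmi_lolbas_spawns(events):
    """Return (host, child name, command line) for every matching event."""
    return [(e["host"], basename(e["image"]), e.get("command_line", ""))
            for e in events if is_wmi_lolbas_spawn(e)]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Process"},
    {"host": "ws01", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\wbem\unsecapp.exe",   # normal WMI child
     "command_line": "unsecapp.exe -Embedding"},
    {"host": "ws02", "parent_image": r"C:\Windows\explorer.exe",  # not WMI
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c dir"},
    {"host": "ws03", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for hit in find_wmi_lolbas_spawns(SAMPLE_EVENTS):
        print("LOLBAS child of wmiprvse.exe:", hit)
```

Only the two events whose parent is `WmiPrvSE.exe` and whose child is in the LOLBAS set are reported; the legitimate `unsecapp.exe` child and the `explorer.exe`-spawned `cmd.exe` are not.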
Categories
  • Endpoint
  • Windows
Data Sources
  • Pod
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1047
Created: 2024-11-13