Registry Enumeration via WMI Stdregprov

Summary
This rule detects usage of wmic.exe to enumerate or read the Windows Registry via the WMI StdRegProv class read methods (EnumKey, EnumValues, GetStringValue, and related Get/Enum calls). While registry reads are common for legitimate administration, attackers may leverage WMI to perform reconnaissance and uncover sensitive configuration values, credentials, or installed software. Using WMI as an alternative to reg.exe can indicate attempts to evade detection focused on traditional registry query tools. The detection focuses on process creation events for wmic.exe and specific WMI StdRegProv calls (EnumKey, EnumValues, GetBinaryValue, GetDWORDValue, GetExpandedStringValue, GetMultiStringValue, GetQWORDValue, GetSecurityDescriptor, GetStringValue) and related command-line indicators (CheckAccess, EnumKey, EnumValues, etc.). False positives may include legitimate administrative activity. Correlation with other discovery or registry-access activities can improve accuracy.
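The following is an added example, not the rule itself or code from the Sigma project: it implements the summary's logic (wmic.exe process creation plus a StdRegProv read method on the command line) and runs it over a few constructed process-creation events. Field names follow the Sigma process_creation convention (Image, CommandLine); the sample command lines and paths are constructed, not real telemetry.

```python
import re
from typing import Dict, Iterable, List, Optional

# Read/enumeration methods of the WMI StdRegProv class named in the rule summary.
STDREGPROV_READ_METHODS = (
    "EnumKey", "EnumValues", "GetBinaryValue", "GetDWORDValue",
    "GetExpandedStringValue", "GetMultiStringValue", "GetQWORDValue",
    "GetSecurityDescriptor", "GetStringValue", "CheckAccess",
)

# Case-insensitive match for wmic's "class stdregprov call <Method>" form,
# tolerating arbitrary text (namespace switches, quoting) in between.
_PATTERN = re.compile(
    r"stdregprov\b.*?\bcall\b\s+(" + "|".join(STDREGPROV_READ_METHODS) + r")\b",
    re.IGNORECASE,
)

def is_stdregprov_read(event: Dict[str, str]) -> bool:
    """True when the image is wmic.exe and the command line calls a StdRegProv read method."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\wmic.exe"):
        return False  # reg.exe and other tools are out of scope for this rule
    return _PATTERN.search(event.get("CommandLine", "")) is not None

def matched_method(event: Dict[str, str]) -> Optional[str]:
    """Return the StdRegProv method named on the command line, or None."""
    m = _PATTERN.search(event.get("CommandLine", ""))
    return m.group(1) if m else None

def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the detection over a stream of process-creation events and return the hits."""
    return [e for e in events if is_stdregprov_read(e)]

# Constructed sample events (hypothetical paths and arguments, not captured telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /namespace:\\root\default class stdregprov call EnumKey hDefKey=2147483650 sSubKeyName="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /namespace:\\root\default class StdRegProv call GetStringValue hDefKey=2147483650 sSubKeyName="SYSTEM\Setup" sValueName="SystemPartition"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process list brief"},  # wmic, but no registry access
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},  # reg.exe: not this rule
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT StdRegProv read:", matched_method(hit), "|", hit["CommandLine"])
```

Tighten or loosen `_PATTERN` to match your own telemetry's command-line formatting; the benign wmic and reg.exe events illustrate the scope boundary the summary describes.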
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • WMI
  • Image
  • Command
Created: 2025-07-30