System Disk And Volume Reconnaissance Via Wmic.EXE

Sigma Rules

Summary
This detection rule identifies the use of the Windows Management Instrumentation Command-line utility (WMIC), specifically its executable "WMIC.exe", to gather reconnaissance about system disks and volumes. Adversaries can use WMIC to enumerate volume names, sizes and free space on disks, information that helps them plan further activity such as staging or exfiltration. The rule was inspired by the observed tactics of threat actors, including groups like Volt Typhoon, who ran similar commands as part of their reconnaissance. The detection works by matching process command-line arguments related to disk volumes and paths, flagging these potentially malicious queries.
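The following is an added illustration of how a process-creation rule of this kind is evaluated; it is not the published rule's source. The selection terms (`\wmic.exe` image suffix and the disk-related command-line substrings) are assumptions for the example, since the page does not reproduce the rule's exact strings, and the sample events are constructed, not real telemetry.

```python
# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are made up for the example and are not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic logicaldisk get caption,filesystem,freespace,size,volumename"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "WMIC.exe volume list brief"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process list brief"},          # WMIC, but not disk recon
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Volume"},             # disk query, but not WMIC
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic path win32_logicaldisk get deviceid,freespace"},
]

# Assumed selection terms for the example; the real rule's strings may differ.
# Sigma's 'endswith' / 'contains' modifiers are case-insensitive, so we lower-case both sides.
IMAGE_SUFFIX = "\\wmic.exe"
DISK_TERMS = ("logicaldisk", "volume", "diskdrive", "win32_logicaldisk", "win32_volume")


def matches_rule(event: dict) -> bool:
    """Return True when the event is a WMIC process whose command line references disks or volumes."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not image.endswith(IMAGE_SUFFIX):      # Image|endswith: '\wmic.exe'
        return False
    return any(term in cmd for term in DISK_TERMS)  # CommandLine|contains: [...]


def find_matches(events: list) -> list:
    """Evaluate the rule over a batch of events and return the matching command lines for triage."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT: system disk/volume reconnaissance via WMIC:", hit)
```

Three of the five constructed events match: the two `logicaldisk`/`win32_logicaldisk` queries and the `volume list` query. The plain `wmic process list` call is excluded because no disk term appears, and the PowerShell `Get-Volume` call is excluded because the image is not WMIC, which is the kind of scoping that keeps a rule like this from firing on every WMIC invocation.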
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2024-02-02