
Summary
This detection rule identifies suspicious system enumeration performed with the Windows Management Instrumentation Command-Line utility (WMIC). Adversaries run WMIC queries to gather details about the operating system and hardware configuration, such as the OS version, installed patches (hotfixes) and system architecture; that information lets them spot unpatched components and choose follow-on tooling. Rather than alerting on a single WMIC call, which is routine in administrative scripts and inventory tools, the rule looks for multiple WMIC executions on the same host within a short time window, a pattern that suggests scripted or automated reconnaissance of the kind attributed to threat actors such as Volt Typhoon. Flagging these bursts surfaces system enumeration that often precedes later stages of an intrusion. Because the logic keys on process command lines, it depends on process-creation telemetry that records the full command line; expect to tune the execution threshold and window, and to allowlist known inventory or patch-management tooling, to keep false positives manageable.
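As an added illustration (not the rule's own query, and not code from the repository this page comes from), the following Python script applies the logic described above to a handful of constructed process-creation events: it keeps only WMIC invocations whose alias returns OS or hardware information, groups them by host and user, and raises an alert when the count inside a sliding time window reaches a threshold. The alias set, the threshold of three executions and the 60-second window are assumptions chosen for the example; the real rule's values are not shown on this page.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcessEvent:
    """Minimal process-creation record (the fields a Sysmon EID 1 or Security 4688 event carries)."""
    ts: datetime
    host: str
    user: str
    image: str
    cmdline: str


def _ev(ts, host, user, image, cmdline):
    return ProcessEvent(datetime.fromisoformat(ts), host, user, image, cmdline)


# Constructed sample telemetry for illustration only; hosts, users and
# timestamps are invented and do not come from any real environment.
WMIC = "C:\\Windows\\System32\\wbem\\WMIC.exe"
SAMPLE_EVENTS = [
    # WS01: four system-information queries inside 20 seconds -> scripted recon pattern
    _ev("2024-02-09T10:00:00", "WS01", "CORP\\alice", WMIC, "wmic os get Caption,Version,OSArchitecture"),
    _ev("2024-02-09T10:00:05", "WS01", "CORP\\alice", WMIC, f'"{WMIC}" qfe list brief'),
    _ev("2024-02-09T10:00:12", "WS01", "CORP\\alice", WMIC, "wmic computersystem get Model,Manufacturer"),
    _ev("2024-02-09T10:00:20", "WS01", "CORP\\alice", WMIC, "wmic cpu get Name,NumberOfCores"),
    # WS02: two queries ten minutes apart -> below the rate threshold
    _ev("2024-02-09T10:00:00", "WS02", "CORP\\bob", WMIC, "wmic os get Caption"),
    _ev("2024-02-09T10:10:00", "WS02", "CORP\\bob", WMIC, "wmic qfe list"),
    # Unrelated process creation on WS02 -> ignored
    _ev("2024-02-09T10:00:03", "WS02", "CORP\\bob", "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir C:\\Users"),
    # WS03: WMIC with an alias that is not system information -> out of scope for this rule
    _ev("2024-02-09T10:00:01", "WS03", "CORP\\carol", WMIC, "wmic process list brief"),
]

# WMIC aliases that return OS/hardware configuration (T1082). Assumed set for
# illustration; the rule's real filter is not reproduced on this page.
SYSTEM_INFO_ALIASES = {"os", "computersystem", "qfe", "cpu", "bios", "baseboard",
                       "nicconfig", "logicaldisk", "systemenclosure"}


def wmic_alias(ev: ProcessEvent):
    """Return the WMIC alias an event queries, or None if it is not a WMIC invocation."""
    image = ev.image.lower()
    if not (image.endswith("\\wmic.exe") or image == "wmic.exe"):
        return None
    tokens = ev.cmdline.replace('"', "").lower().split()
    # tokens[0] is the program; global switches such as /node:host or /output
    # come before the alias and start with '/'
    for tok in tokens[1:]:
        if tok.startswith("/"):
            continue
        return tok
    return None


def is_system_enumeration(ev: ProcessEvent) -> bool:
    return wmic_alias(ev) in SYSTEM_INFO_ALIASES


def detect_wmic_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Flag (host, user) pairs with >= threshold system-enumeration WMIC runs inside `window`.
    Returns one alert per pair, describing the first window that crossed the threshold."""
    grouped = defaultdict(list)
    for ev in events:
        if is_system_enumeration(ev):
            grouped[(ev.host, ev.user)].append(ev)

    alerts = []
    for (host, user), evs in grouped.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):          # sliding window over sorted timestamps
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = evs[start:end + 1]
                alerts.append({
                    "host": host,
                    "user": user,
                    "first_seen": burst[0].ts,
                    "last_seen": burst[-1].ts,
                    "count": len(burst),
                    "aliases": [wmic_alias(e) for e in burst],
                    "commands": [e.cmdline for e in burst],
                })
                break                        # one alert per host/user, not one per extra event
    return alerts


if __name__ == "__main__":
    for alert in detect_wmic_bursts(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']} {alert['user']}: {alert['count']} WMIC system queries "
              f"between {alert['first_seen'].time()} and {alert['last_seen'].time()} "
              f"-> aliases {alert['aliases']}")
```

Run as-is, the script alerts only on WS01: bob's two queries on WS02 fall outside the window, and carol's `process` query on WS03 is execution and process discovery rather than system-information enumeration, so it is filtered before counting. Grouping by host and user, scoping to a specific alias set, and emitting a single alert per burst are the three knobs that keep this pattern from flooding an analyst when a legitimate inventory script runs.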
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Command
- WMI
ATT&CK Techniques
- T1082
- T1047
Created: 2024-02-09