
Summary
This rule detects host reconnaissance performed with the Windows Management Instrumentation Command-line (WMIC) tool, which attackers frequently abuse to extract key system data. WMIC lets users query the setup, configuration, and installed applications of Windows machines. In a hostile context, attackers use WMIC to assess potential weaknesses in target systems so they can refine their exploitation strategy, escalate privileges, or move laterally within the network. The detection logic captures WMIC executions, filtered on the event codes that indicate process creation, and focuses on command lines that match common system-information reconnaissance: querying operating system details, logical disk partitions, network shares, or user accounts. The rule relies primarily on endpoint and Windows event log data to flag anomalous WMIC activity that could indicate an ongoing reconnaissance effort.
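The detection logic described above, written out in Python as an added example (not the rule's own implementation): it filters process-creation events for wmic.exe and matches the four reconnaissance aliases the summary names. The flat key=value event format, the field names (EventCode, Host, Image, CommandLine) and the sample events are constructed assumptions, not real telemetry.

```python
import re

# Event codes that indicate process creation: Windows Security 4688 and Sysmon Event ID 1
PROCESS_CREATION_CODES = {"4688", "1"}

# WMIC aliases the rule summary names as common host-reconnaissance queries
RECON_ALIASES = {
    "os": "operating system details",
    "logicaldisk": "disk logical partitions",
    "share": "network shares",
    "useraccount": "user accounts",
}

# Constructed sample events (not real logs); 'k=v|k=v' is an assumed flat format.
# WS04 is WMIC but outside the rule's alias list; WS05 is a termination, not a creation.
SAMPLE_EVENTS = [
    "EventCode=4688|Host=WS01|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic useraccount list full",
    "EventCode=1|Host=WS02|Image=C:\\Windows\\System32\\wbem\\wmic.exe|CommandLine=wmic /node:\"FILESRV\" share get name,path",
    "EventCode=4688|Host=WS03|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic logicaldisk get caption,freespace",
    "EventCode=4688|Host=WS04|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic product get name,version",
    "EventCode=4689|Host=WS05|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic os get caption",
    "EventCode=4688|Host=WS06|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd /c dir",
]

def parse_event(line):
    """Split a 'k=v|k=v' line into a dict; values may themselves contain '='."""
    return dict(field.partition("=")[::2] for field in line.split("|"))

def classify_wmic_recon(event):
    """Return the matched recon alias for a WMIC process-creation event, else None."""
    if event.get("EventCode") not in PROCESS_CREATION_CODES:
        return None
    # Process-name filter: compare only the file name, so the install path does not matter
    image = event.get("Image", "").lower()
    if image.rsplit("\\", 1)[-1] != "wmic.exe":
        return None
    cmdline = event.get("CommandLine", "").lower()
    for alias in RECON_ALIASES:
        # Whole-word match so 'os' does not fire on path fragments or other aliases
        if re.search(r"\b%s\b" % re.escape(alias), cmdline):
            return alias
    return None

def detect(lines):
    """Run the rule over raw event lines; return (host, alias, description) per hit."""
    hits = []
    for event in map(parse_event, lines):
        alias = classify_wmic_recon(event)
        if alias:
            hits.append((event.get("Host"), alias, RECON_ALIASES[alias]))
    return hits
```

Running `detect(SAMPLE_EVENTS)` flags WS01, WS02 and WS03 only; the `wmic product` query on WS04 shows that software-inventory reconnaissance falls outside this rule's alias list and would need a separate detection.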
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1082
- T1047
Created: 2024-02-09