
PSExec and WMI Process Creations Block

Sigma Rules

Summary
This rule monitors for blocked process creations that originate from PSExec and Windows Management Instrumentation (WMI) commands, both of which are commonly abused for lateral movement and for executing malicious commands remotely within a network. It relies on Windows event logs, specifically EventID 1121, which indicates that a process creation has been blocked by the Attack Surface Reduction (ASR) feature of Windows Defender. The rule matches events whose process name ends in 'wmiprvse.exe' or 'psexesvc.exe', the host processes through which WMI and PSExec spawn child processes, so that it targets exactly the processes that can be misused for unauthorized remote execution or malware propagation. The detection condition is a single selection and rests on the premise that blocking these process creations prevents execution of threats that exploit WMI and PSExec functionality. This rule is pertinent to organizations that wish to strengthen their endpoint security and mitigate risks associated with attack vectors that misuse these common administrative tools.
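The selection described above, implemented as a small matcher over Windows Defender Operational log events. This is an added example, not the Sigma rule's own source; it assumes the Sigma field names EventID and ProcessName, and the sample events are constructed for the example rather than real telemetry. It also shows the caveat that ASR audit-mode firings (EventID 1122) are not matched, so hosts still in audit mode produce no hits.

```python
from typing import Iterable, List

# Event IDs from the Microsoft-Windows-Windows Defender/Operational log.
ASR_BLOCK_EVENT_ID = 1121   # ASR rule fired in block mode (what the rule matches)
ASR_AUDIT_EVENT_ID = 1122   # ASR rule fired in audit mode (not matched by the rule)

# Process names the rule looks for; Sigma's |endswith is case-insensitive.
SUSPECT_SUFFIXES = ("wmiprvse.exe", "psexesvc.exe")


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's single selection:
    EventID 1121 and a ProcessName ending in wmiprvse.exe or psexesvc.exe."""
    if event.get("EventID") != ASR_BLOCK_EVENT_ID:
        return False
    name = str(event.get("ProcessName", "")).lower()
    return name.endswith(SUSPECT_SUFFIXES)


def detect(events: Iterable[dict]) -> List[dict]:
    """Return the subset of events that would raise this Sigma alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (assumed field layout: EventID, ProcessName = the
# process that attempted the creation, Path = the child it tried to start).
SAMPLE_EVENTS = [
    {"EventID": 1121, "ProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Path": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"EventID": 1121, "ProcessName": r"C:\Windows\PSEXESVC.exe",
     "Path": r"C:\Windows\Temp\stage2.exe"},
    # Audit-mode firing: same parent, but only logged, not blocked -> no match.
    {"EventID": 1122, "ProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Path": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # A block by a different ASR rule (other parent process) -> no match.
    {"EventID": 1121, "ProcessName": r"C:\Program Files\Acme\acme.exe",
     "Path": r"C:\Users\alice\Downloads\invoice.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ASR blocked {hit['Path']} spawned via {hit['ProcessName']}")
```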
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
Created: 2020-07-14