
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell


Summary
This detection rule identifies potential lateral movement within a Windows environment by monitoring process creation events, specifically the creation of PowerShell instances as children of the WMI Provider Service (WmiPrvSE.exe). WMI is commonly used for system management and can be abused for lateral movement by attackers seeking to execute commands on remote systems. A WMI-initiated PowerShell process may therefore indicate that an attacker is using WMI to traverse a network or run scripts on another host. The detection logic inspects process creation logs and fires when the parent process is WmiPrvSE.exe and the spawned child process is PowerShell (powershell.exe or pwsh.exe). Legitimate applications that can trigger false positives, such as AppvClient, Configuration Manager (CCM), and Windows Remote Management (WinRM), have been noted.
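The following is an added illustration of the parent/child matching logic the summary describes, not the Sigma rule itself or code from the rule's authors. It assumes process creation events shaped like Sysmon Event ID 1 / Windows 4688 records (fields `Image`, `ParentImage`, `CommandLine`) and uses constructed sample events; the `triage_hint` keyword check for the benign sources named above is a constructed heuristic, not part of the rule.

```python
"""Toy re-implementation of the WmiPrvSE -> PowerShell detection logic.

Assumptions (not from the rule page): events are dicts carrying Sysmon-style
fields. The rule's own field names and modifiers are not reproduced here.
"""
from typing import Iterable

# Parent/child executable names the summary describes; suffix match on the
# full image path so the rule is not fooled by a different directory.
PARENT_SUFFIX = "\\wmiprvse.exe"
CHILD_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")

# Applications the summary names as possible legitimate sources of this
# pattern. Matching their names in the command line is a constructed triage
# aid for analysts, not an allow-list: such hits are still surfaced.
KNOWN_BENIGN_HINTS = ("appvclient", "ccm", "winrm")


def matches_rule(event: dict) -> bool:
    """True when a PowerShell host was spawned directly by WmiPrvSE.exe."""
    parent = event.get("ParentImage", "").lower()
    child = event.get("Image", "").lower()
    return parent.endswith(PARENT_SUFFIX) and child.endswith(CHILD_SUFFIXES)


def triage_hint(event: dict) -> str:
    """Annotate a hit with the benign application it may belong to, if any."""
    cmd = event.get("CommandLine", "").lower()
    for hint in KNOWN_BENIGN_HINTS:
        if hint in cmd:
            return f"possible false positive ({hint})"
    return "review"


def scan(events: Iterable[dict]) -> list:
    """Return (EventId, hint) for every event that satisfies the rule."""
    return [(e["EventId"], triage_hint(e)) for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # WMI provider host spawning powershell.exe: matches, needs review
        "EventId": 1,
        "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -Command Get-Service",
    },
    {   # WMI provider host spawning pwsh.exe from a CCM-looking script: matches,
        # flagged as a possible false positive (constructed path)
        "EventId": 2,
        "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
        "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "CommandLine": "pwsh.exe -File C:\\constructed\\ccm_inventory.ps1",
    },
    {   # interactive PowerShell from Explorer: wrong parent, no match
        "EventId": 3,
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe",
    },
    {   # WmiPrvSE spawning cmd.exe: right parent, wrong child, no match
        "EventId": 4,
        "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
]


if __name__ == "__main__":
    for event_id, hint in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {hint}")
```

Only events 1 and 2 are reported; event 2 carries the false-positive hint because its command line references a CCM-style script, while event 1 is left for analyst review. Matching on the path suffix rather than the bare file name keeps the check aligned with how process creation logs record the image field.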
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • WMI
Created: 2019-04-03