
Summary
This anomaly detects Windows WMIC (Windows Management Instrumentation Command-line) usage that targets common Win32 WMI classes to perform reconnaissance and system information discovery on endpoints. It specifically flags command-line WMIC invocations querying classes such as Win32_OperatingSystem, Win32_Processor, Win32_DiskDrive, Win32_PhysicalMemory, Win32_Bios, Win32_BaseBoard, Win32_PnPEntity, Win32_DisplayConfiguration, Win32_ShadowCopy, Win32_VideoController, csproduct, and related hardware/OS configuration data. Adversaries commonly run these queries post-exploitation to fingerprint hosts, assess whether the host is virtualized, and tailor follow-on activity. Although WMIC usage can be legitimate for inventory, the rule highlights suspicious or unexpected execution, especially when performed by non-administrative users or from uncommon parent processes. The detection correlates process creation events with WMIC activity and the presence of WMI-related query strings to identify reconnaissance attempts.
Data is collected from multiple sources (Sysmon EventID 1, Windows Security Event 4688, and CrowdStrike ProcessRollup2) and normalized to the Endpoint Processes data model. The Splunk search filters for WMIC.exe (by process_name or original_file_name, so a renamed binary is still caught) together with a matching set of WMI class queries, while also considering parent process context to distinguish potentially malicious from legitimate admin activity. CIM-based normalization enables correlation across EDR telemetry, and the search outputs details such as process, parent process, user, and destination host to enable rapid investigation. The rule is associated with MITRE ATT&CK technique T1047 (WMIC). The detection includes drilldown options and risk-based annotations to facilitate triage and historical risk review.
False positives may occur from legitimate administrative or inventory tasks performed via WMIC. To reduce noise, ensure data ingestion includes complete command lines and accurate parent-child process relationships from compatible EDRs, and apply appropriate baselining for trusted admin activity.
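The detection logic described above, reduced to a runnable form as an added example (this is not the rule's own SPL or any Splunk/ESCU code). It reads a few constructed process-creation events already normalized to Endpoint.Processes-style fields, matches WMIC.exe by process_name or original_file_name, looks for the WMI classes the rule names, and records parent-process and user context as risk annotations rather than filtering on them. The parent-process allowlist, the admin account naming convention and the risk scores are assumptions chosen for the example, not values from the rule.

```python
"""Toy re-implementation of the WMIC reconnaissance detection summarized above.
Input: JSON lines of process-creation events normalized to a handful of
Endpoint.Processes-style fields. Output: findings with risk annotations.
"""
import json
import re

# WMI classes / aliases named in the rule summary.
WMI_RECON_CLASSES = (
    "Win32_OperatingSystem", "Win32_Processor", "Win32_DiskDrive",
    "Win32_PhysicalMemory", "Win32_Bios", "Win32_BaseBoard", "Win32_PnPEntity",
    "Win32_DisplayConfiguration", "Win32_ShadowCopy", "Win32_VideoController",
    "csproduct",
)
_CANON = {c.lower(): c for c in WMI_RECON_CLASSES}
_CLASS_RE = re.compile("|".join(re.escape(c) for c in WMI_RECON_CLASSES), re.IGNORECASE)

# Assumption: parents from which interactive admin use of WMIC is expected.
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}
# Assumption: admin accounts follow a "-adm" suffix convention (site-specific placeholder).
ADMIN_USER_RE = re.compile(r".*-adm$", re.IGNORECASE)


def is_wmic(event):
    """Match on either field, so a renamed wmic binary is still caught."""
    return (event.get("process_name", "").lower() == "wmic.exe"
            or event.get("original_file_name", "").lower() == "wmic.exe")


def matched_classes(cmdline):
    """Canonical names of the recon classes present in the command line."""
    return sorted({_CANON[m.group(0).lower()] for m in _CLASS_RE.finditer(cmdline)})


def evaluate(event):
    """Return a finding dict, or None when the event does not match the rule."""
    if not is_wmic(event):
        return None
    classes = matched_classes(event.get("process", ""))
    if not classes:
        return None
    parent = event.get("parent_process_name", "").lower()
    user = event.get("user", "")
    annotations = []
    if parent not in EXPECTED_PARENTS:
        annotations.append("uncommon_parent")
    if not ADMIN_USER_RE.match(user):
        annotations.append("non_admin_user")
    return {
        "dest": event.get("dest"),
        "user": user,
        "parent_process_name": parent,
        "process": event.get("process"),
        "wmi_classes": classes,
        "annotations": annotations,
        "risk_score": 20 + 20 * len(annotations),  # constructed scoring, not the rule's
        "attack_technique": "T1047",
    }


def load_events(jsonl):
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def run(events):
    """Apply the detection to every event and keep the matches."""
    return [f for f in (evaluate(e) for e in events) if f]


# Constructed sample events (not real telemetry).
SAMPLE_LOG = r"""
{"dest": "ws01", "user": "CORP\\jdoe", "process_name": "wmic.exe", "original_file_name": "wmic.exe", "parent_process_name": "winword.exe", "process": "wmic csproduct get uuid & wmic path Win32_Bios get SerialNumber"}
{"dest": "srv02", "user": "CORP\\it-adm", "process_name": "wmic.exe", "original_file_name": "wmic.exe", "parent_process_name": "cmd.exe", "process": "wmic path Win32_OperatingSystem get Caption,Version"}
{"dest": "ws03", "user": "CORP\\asmith", "process_name": "wmic.exe", "original_file_name": "wmic.exe", "parent_process_name": "cmd.exe", "process": "wmic product get name,version"}
{"dest": "ws04", "user": "CORP\\bkim", "process_name": "svc.exe", "original_file_name": "wmic.exe", "parent_process_name": "svchost.exe", "process": "svc.exe path Win32_ShadowCopy get ID"}
"""

if __name__ == "__main__":
    print(json.dumps(run(load_events(SAMPLE_LOG)), indent=2))
```

The third event (a `wmic product` inventory query) produces no finding because none of the listed classes appear, while the fourth shows why original_file_name matters: the binary was renamed, yet the finding is still raised and annotated with both an uncommon parent and a non-admin user. In production the annotations would feed the rule's risk scoring rather than suppress events, which is the baselining approach the false-positive note above recommends.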
Categories
- Endpoint
Data Sources
- Script
- Windows Registry
- Logon Session
- File
- Process
- Kernel
- Driver
- Volume
- Network Traffic
- Image
- Sensor Health
- WMI
- Domain Name
ATT&CK Techniques
- T1047
Created: 2026-03-03