
Remote Process Instantiation via WMI and PowerShell

Splunk Security Content

Summary
This detection identifies the execution of PowerShell with the Invoke-WmiMethod cmdlet to start a process on a remote system over Windows Management Instrumentation (WMI). It relies on data from Endpoint Detection and Response (EDR) tools, specifically process telemetry and command-line executions. This behavior can indicate lateral movement or unauthorized remote code execution, with the risk that an attacker runs arbitrary code on remote targets; if confirmed as malicious, it could enable further compromise and persistent footholds within the network. The rule uses event logs such as Sysmon EventID 1 and Windows Security Event 4688 to track these occurrences, and it is designed to filter out benign administrative uses of the technique by focusing on patterns indicative of malicious intent.
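The following is an added, self-contained illustration of the detection logic described above, written for this page and not part of the Splunk Security Content rule itself. It runs over constructed process-creation events shaped like the Sysmon EventID 1 / Security 4688 fields (host, parent, image, command line), flags PowerShell invocations of Invoke-WmiMethod that create a Win32_Process on a remote -ComputerName, decodes -EncodedCommand payloads so the check sees the script actually executed, and skips an assumed allowlist of administrative jump hosts (the host names, paths and the ADMIN_JUMP_HOSTS set are all made up for the example).

```python
import base64
import re
from typing import Dict, List

# ---- Constructed sample telemetry (not real data) -------------------------
# Fields mirror what Sysmon EventID 1 / Security 4688 provide. Hosts, paths
# and command lines are invented for this example.
def _encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand expects base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

REMOTE_CREATE = ("Invoke-WmiMethod -ComputerName FS01 -Class Win32_Process "
                 "-Name Create -ArgumentList notepad.exe")
PS51 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1) remote process creation via WMI from PowerShell -> should alert
    {"host": "WS01", "parent": "C:\\Windows\\explorer.exe", "image": PS51,
     "cmdline": f'powershell.exe -Command "{REMOTE_CREATE}"'},
    # 2) same action hidden behind -EncodedCommand -> should still alert
    {"host": "WS02", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "cmdline": f"pwsh.exe -NoP -EncodedCommand {_encode_ps(REMOTE_CREATE)}"},
    # 3) local WMI process creation (no remote target) -> out of scope
    {"host": "WS03", "parent": "C:\\Windows\\explorer.exe", "image": PS51,
     "cmdline": 'powershell.exe -Command "Invoke-WmiMethod -Class Win32_Process '
                '-Name Create -ArgumentList notepad.exe"'},
    # 4) Invoke-WmiMethod against a remote host, but not process creation
    {"host": "WS04", "parent": "C:\\Windows\\explorer.exe", "image": PS51,
     "cmdline": 'powershell.exe -Command "Invoke-WmiMethod -ComputerName FS01 '
                '-Class Win32_Service -Name StartService"'},
    # 5) not PowerShell at all
    {"host": "WS05", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"},
]

# ---- Detection logic ------------------------------------------------------
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)
# Assumed tuning knob: hosts where remote WMI process creation is expected.
ADMIN_JUMP_HOSTS = {"ADMIN-JUMP01"}
LOCAL_TARGETS = {".", "localhost", "127.0.0.1"}


def _searchable_cmdline(cmdline: str) -> str:
    """Lower-cased command line plus any decoded -EncodedCommand script."""
    text = cmdline
    m = ENCODED_ARG.search(cmdline)
    if m:
        try:
            text += " " + base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            pass  # not valid base64/UTF-16LE; match on the raw command line
    return text.lower()


def is_remote_wmi_process_create(event: Dict[str, str]) -> bool:
    """True when a PowerShell process uses Invoke-WmiMethod to create a
    Win32_Process on a host other than the local machine."""
    image = event.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL_IMAGES:
        return False
    text = _searchable_cmdline(event.get("cmdline", ""))
    if "invoke-wmimethod" not in text:
        return False
    # Process instantiation means the Win32_Process class and its Create method.
    if "win32_process" not in text or not re.search(r"-name\s+create\b", text):
        return False
    # Remote target: -ComputerName pointing somewhere other than the local box.
    target = re.search(r"-computername\s+([^\s\"';]+)", text)
    return bool(target) and target.group(1) not in LOCAL_TARGETS


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One alert record per matching event, skipping the admin allowlist."""
    alerts = []
    for ev in events:
        if ev.get("host", "").upper() in ADMIN_JUMP_HOSTS:
            continue
        if is_remote_wmi_process_create(ev):
            alerts.append({"host": ev["host"], "parent": ev["parent"],
                           "image": ev["image"]})
    return alerts


if __name__ == "__main__":
    for a in run_detection(SAMPLE_EVENTS):
        print(f"ALERT host={a['host']} parent={a['parent']} image={a['image']}")
```

Events 3 and 4 show why the rule needs more than a match on the cmdlet name: Invoke-WmiMethod is routinely used for local or non-process administration, and requiring both Win32_Process/Create and a non-local -ComputerName is what keeps those out of the alert stream. The encoded-command decoding matters because a plain substring search on the raw command line would miss event 2 entirely.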
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1047
Created: 2024-12-10