
Summary
This rule detects executions of the Windows Management Instrumentation Command-line (WMIC) utility with the 'computersystem' flag. The command typically retrieves information about the computer system, including the domain, username, model, and other system characteristics. The rule monitors process creation logs and flags executions of 'wmic.exe' whose command line contains the string 'computersystem'. Such executions can indicate reconnaissance activity, as attackers often use this command to gather information about the target environment. The elevated privileges required to run WMIC imply that this kind of system information may be accessed during malicious activity, which emphasizes the need to monitor and alert on this behavior. The rule is classified as a medium-level alert because the action is a common technique in the reconnaissance phase of cyberattacks. Detection relies on log data from Windows systems, specifically process creation logs.
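The matching logic described above, written out as an added Python example (this is not the rule's own implementation). It assumes process creation events carry Sysmon-style field names (Image, CommandLine, ParentImage); the sample events are constructed for this illustration and include two non-matching cases that show the rule's scope: a cmd.exe wrapper whose own event does not match (the child wmic.exe event would), and a PowerShell WMI query that this rule does not cover.

```python
"""Matcher for the 'wmic.exe with computersystem in the command line' rule.

Added example, not the rule's or any project's own code. Field names follow
Sysmon Event ID 1 (Image, CommandLine, ParentImage); this is an assumption
about the log source, not something the rule text specifies.
"""
import ntpath
from typing import Dict, Iterable, List

Event = Dict[str, str]


def matches_wmic_computersystem(event: Event) -> bool:
    """Return True when the event is wmic.exe started with 'computersystem'.

    Both comparisons are case-insensitive, matching the usual behaviour of
    Sigma's 'endswith' and 'contains' modifiers, so 'WMIC.EXE' and
    'ComputerSystem' still trigger the rule.
    """
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    # Compare only the file name so both the System32 and SysWOW64 copies match.
    exe_name = ntpath.basename(image).lower()
    return exe_name == "wmic.exe" and "computersystem" in cmdline.lower()


def scan(events: Iterable[Event]) -> List[Event]:
    """Return every process creation event that the rule would flag."""
    return [e for e in events if matches_wmic_computersystem(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {  # matches: classic system reconnaissance query
        "Image": r"C:\Windows\System32\wmic.exe",
        "CommandLine": "wmic computersystem get domain,username,model",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {  # matches: mixed case and the 32-bit copy of the binary
        "Image": r"C:\Windows\SysWOW64\WMIC.exe",
        "CommandLine": "WMIC ComputerSystem GET Name",
        "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
    },
    {  # no match: wmic.exe, but a different alias
        "Image": r"C:\Windows\System32\wmic.exe",
        "CommandLine": "wmic process list brief",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {  # no match: the cmd.exe wrapper; the spawned wmic.exe has its own event
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'cmd.exe /c "wmic computersystem get domain"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {  # no match: same data via PowerShell, outside this rule's scope
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe Get-WmiObject Win32_ComputerSystem",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT (medium):", hit["Image"], "->", hit["CommandLine"])
```

Running the block prints two alerts. The last two sample events illustrate the rule's boundaries: it keys on the wmic.exe process creation event itself rather than on any parent that launches it, and equivalent WMI queries issued through other tools fall outside its scope and need separate coverage.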
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
Created: 2022-09-08