
Summary
This detection rule identifies use of the Windows Management Instrumentation Command-line tool (WMIC) by malicious actors attempting reconnaissance of the antivirus and firewall products installed in a Windows environment. The rule monitors process creation events, specifically executions of wmic.exe. It triggers when the image is wmic.exe and the command line contains terms such as 'AntiVirusProduct' or 'FirewallProduct'. Because WMIC is also used legitimately in systems administration, detection sensitivity must be balanced to avoid excessive false positives.
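The rule logic above applied to constructed process-creation events, as an added example that is not part of the rule page. Field names (Image, CommandLine, ParentImage) follow common Sysmon/Sigma naming and are an assumption, as is the KNOWN_INVENTORY_PARENTS allowlist, a hypothetical tuning hook for the false positives the summary mentions.

```python
"""Added example, not the rule's own code: apply the page's detection logic
(Image is wmic.exe AND CommandLine contains 'AntiVirusProduct' or
'FirewallProduct') to constructed process-creation events. Field names are
assumed Sysmon/Sigma names; matching is case-insensitive, as Sigma
'contains' modifiers are by default."""

SUSPICIOUS_TERMS = ("antivirusproduct", "firewallproduct")

# Hypothetical placeholder: parent processes of sanctioned inventory tooling
# that an analyst has verified, used to trim the false positives the rule
# summary warns about. Replace with values from your own environment.
KNOWN_INVENTORY_PARENTS = frozenset({
    r"c:\program files\example-inventory-agent\agent.exe",
})


def matches_rule(event: dict) -> bool:
    """True when the event satisfies both conditions of the rule."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith("\\wmic.exe"):
        return False
    return any(term in cmdline for term in SUSPICIOUS_TERMS)


def find_hits(events, allowlisted_parents=frozenset()):
    """Return rule hits, dropping those spawned by an allowlisted parent."""
    return [
        e for e in events
        if matches_rule(e)
        and e.get("ParentImage", "").lower() not in allowlisted_parents
    ]


# Constructed sample events (Sysmon Event ID 1 style)
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "ParentImage": r"C:\Program Files\Example-Inventory-Agent\agent.exe",
     "CommandLine": r"wmic /namespace:\\root\SecurityCenter2 path FirewallProduct get displayName"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",  # benign OS inventory: no match
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get caption,version"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # same query, other image
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct"},
]
```

The fourth event shows the rule's scope boundary: the same SecurityCenter2 query issued through PowerShell is not caught, so coverage of that path needs a separate rule.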
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2023-02-14