Windows MOF Event Triggered Execution via WMI

Splunk Security Content

Summary
This detection rule identifies instances where the MOFComp.exe executable is used to load Managed Object Format (MOF) files via Windows Management Instrumentation (WMI). The activity of interest is MOFComp.exe being launched by a command-line interface such as cmd.exe or PowerShell, or running from an atypical location such as a user profile directory. The analytic leverages endpoint detection and response (EDR) data, examining the process, its parent process, and the command-line arguments passed to the executable. Monitoring such activity is critical, as it can signify an attempt by an attacker to abuse WMI to maintain persistence, execute arbitrary code remotely, or move laterally within the environment. The detection utilizes Sysmon, Windows Security Event logs, and CrowdStrike data, filtering relevant events by event ID and process name, and relies on the Splunk Common Information Model (CIM) for consistent data normalization and analysis.
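The same logic expressed outside Splunk, as an added example that is not Splunk's own detection code: the two conditions described above (MOFComp.exe launched by a command shell, or MOFComp.exe running from a user profile directory) are applied to constructed records shaped like Sysmon Event ID 1 fields, so an analyst can see exactly which launches the analytic would flag and why.

```python
"""Flag suspicious MOFComp.exe launches in process-creation events (added example)."""
import ntpath
import re

# Parent processes the analytic treats as suspicious launchers of mofcomp.exe.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# An image path under a user profile (C:\Users\<name>\...) is atypical for mofcomp.exe,
# which normally lives in C:\Windows\System32\wbem.
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)


def _basename(path: str) -> str:
    # ntpath handles Windows-style paths correctly on any host platform.
    return ntpath.basename(path).lower()


def flag_mofcomp_event(event: dict) -> list[str]:
    """Return the reasons an event matches, or an empty list if it does not."""
    if _basename(event["Image"]) != "mofcomp.exe":
        return []
    reasons = []
    if _basename(event["ParentImage"]) in SHELL_PARENTS:
        reasons.append("parent is a command shell")
    if USER_PROFILE_RE.match(event["Image"]):
        reasons.append("mofcomp.exe executed from a user profile directory")
    return reasons


def detect_mofcomp_events(events: list[dict]) -> list[dict]:
    """Run the check over a batch of events and return alerts enriched for triage."""
    alerts = []
    for ev in events:
        reasons = flag_mofcomp_event(ev)
        if reasons:
            alerts.append({"host": ev["Computer"], "user": ev["User"],
                           "cmdline": ev["CommandLine"], "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry): shell-launched load of a MOF from a
# temp directory, a normal WMI repository rebuild, a copy of mofcomp.exe in Downloads,
# and an unrelated process with a shell parent.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\wbem\\mofcomp.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "mofcomp.exe C:\\Users\\alice\\AppData\\Local\\Temp\\update.mof"},
    {"Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\wbem\\mofcomp.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "mofcomp.exe C:\\Windows\\System32\\wbem\\cimwin32.mof"},
    {"Computer": "WS02", "User": "CORP\\bob", "Image": "C:\\Users\\bob\\Downloads\\mofcomp.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mofcomp.exe config.mof"},
    {"Computer": "WS02", "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for alert in detect_mofcomp_events(SAMPLE_EVENTS):
        print(alert)
```

The second record shows the main false-positive class this analytic must tolerate: mofcomp.exe run by the system itself against files in the wbem directory, which matches neither condition.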
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • User Account
  • Application Log
  • Logon Session
ATT&CK Techniques
  • T1546
  • T1546.003
Created: 2024-12-10