
Summary
This detection rule identifies the execution of PowerShell commands that use a flag sequence typical of the Wmiexec utility, which is commonly employed for lateral movement and defense evasion during attacks. The rule looks for flags that disable certain PowerShell features (e.g., -NoProfile, -NoLogo, and -sta for single-threaded apartment mode) together with flags that force command execution while bypassing security mechanisms. A command line showing this pattern can indicate malicious use of WMI (Windows Management Instrumentation) for remote command execution on Windows systems. The detection relies on the command-line arguments passed to the created process, focusing on the flags that characterize Wmiexec operations.
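As an added example (not the rule's own logic or code from its source project), the following Python matcher applies the flag pattern described above to Sysmon-style process-creation events. It assumes that "bypassing security mechanisms" refers to `-ExecutionPolicy Bypass`, and it also accepts the abbreviated switch spellings that powershell.exe allows, because the logged command line contains whichever form the caller typed.

```python
import shlex
# Switches named in the rule summary, by their full powershell.exe spelling.
# powershell.exe also accepts any unambiguous prefix of a parameter name
# (-NoP, -NoL, -Exec ...), so matching only the full spelling misses those.
SWITCHES = {"noprofile", "nologo", "sta"}
# Assumption: the summary's "bypassing security mechanisms" means
# "-ExecutionPolicy Bypass"; the rule text does not name that flag.
POLICY_FLAG = "executionpolicy"
ALIASES = {"ep": POLICY_FLAG}  # documented short form, too short for prefixing
MIN_PREFIX = 3  # simplification: a 3+ character prefix is taken as unambiguous
REQUIRED = {"noprofile", "nologo", "sta", "executionpolicy-bypass"}

def _canonical(token):
    """Map an argument such as '-NoP' to its full parameter name, or None."""
    if not token or token[0] not in "-/":
        return None
    name = token[1:].lower()
    if name in ALIASES:
        return ALIASES[name]
    if len(name) < MIN_PREFIX:
        return None
    return next((f for f in SWITCHES | {POLICY_FLAG} if f.startswith(name)), None)

def wmiexec_flags(command_line):
    """Return the watched flags present in a logged process command line."""
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes in the logged command line
        tokens = command_line.split()
    found = set()
    for i, tok in enumerate(tokens):
        full = _canonical(tok)
        if full in SWITCHES:
            found.add(full)
        elif (full == POLICY_FLAG and i + 1 < len(tokens)
              and tokens[i + 1].lower() == "bypass"):
            found.add("executionpolicy-bypass")
    return found

def matches_rule(event):
    """True when a Sysmon-style event shows PowerShell with every flag set."""
    image = event.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image not in {"powershell.exe", "pwsh.exe"}:
        return False
    return REQUIRED <= wmiexec_flags(event.get("CommandLine", ""))

# Constructed sample event (not real telemetry); the base64 is UTF-16 "Placeholder".
SAMPLE = {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "CommandLine": "powershell.exe -NoP -NoL -sta -NonI -W Hidden -Exec Bypass "
                         "-Enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="}
```

A routine administrative run that uses `-NoProfile -ExecutionPolicy Bypass -File` alone does not match, because the rule requires the whole flag set rather than any single flag.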
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2023-03-08