Wsmprovhost LOLBAS Execution Process Spawn

Splunk Security Content

Summary
This detection rule identifies instances where `Wsmprovhost.exe` (Windows Management Instrumentation Service Provider Host) spawns child processes associated with Living Off the Land Binaries and Scripts (LOLBAS), which attackers commonly use for lateral movement in a Windows environment. The detection relies on Sysmon and Windows Event Log data to trace the execution of these processes. If `Wsmprovhost.exe` is observed invoking any of a predefined list of known LOLBAS executables, the rule raises a potential alert for lateral movement through Windows Remote Management (WinRM). This behavior warrants attention because it may indicate an adversary performing arbitrary code execution, escalating privileges, or establishing a foothold in the network. The rule applies to environments with thorough endpoint monitoring through EDR solutions, including detailed telemetry of process hierarchy and execution context.
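As an added example (not the Splunk detection's own search), the parent/child check the summary describes, run in Python over constructed Sysmon process-creation records; the LOLBAS list below is an assumed illustrative subset, not the rule's predefined list, and the record field names mirror Sysmon Event ID 1 fields.

```python
# Added example (not the Splunk detection's own SPL): the parent/child check
# the rule describes, run over constructed Sysmon Event ID 1 records.
import ntpath

PARENT_IMAGE = "wsmprovhost.exe"

# Assumed illustrative subset of LOLBAS executables, not the rule's list.
LOLBAS_IMAGES = {
    "powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "certutil.exe", "cscript.exe", "wscript.exe",
}

def image_name(path: str) -> str:
    """Lowercase basename, so full paths and mixed case still match."""
    return ntpath.basename(path).lower()

def is_lolbas_spawn(event: dict) -> bool:
    """Process-create event whose parent is wsmprovhost.exe and child is LOLBAS."""
    if event.get("EventID") != 1:
        return False
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    return parent == PARENT_IMAGE and child in LOLBAS_IMAGES

def find_lolbas_spawns(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (host, user, child image) for each matching event."""
    return [
        (ev.get("Computer", ""), ev.get("User", ""), image_name(ev["Image"]))
        for ev in events if is_lolbas_spawn(ev)
    ]

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WKS01", "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "Computer": "WKS01", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Computer": "SRV02", "User": "CORP\\svc-deploy",
     "ParentImage": r"C:\Windows\System32\WSMPROVHOST.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "Computer": "SRV02", "User": "CORP\\svc-deploy",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]
if __name__ == "__main__":
    for host, user, child in find_lolbas_spawns(SAMPLE_EVENTS):
        print(f"ALERT {host} {user}: wsmprovhost.exe -> {child}")
```

The fourth record is a network-connection event (ID 3) with the same images, showing why the event-type gate matters before the parent/child comparison.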
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Sensor Health
ATT&CK Techniques
  • T1021
  • T1021.006
Created: 2024-11-13