
WMIC Remote Command Execution

Sigma Rules

Summary
This detection rule identifies executions of the Windows Management Instrumentation Command-line (WMIC) tool that query a remote system. WMIC is a powerful command-line interface that lets administrators manage Windows systems, but attackers can also abuse it for reconnaissance and for running commands on remote hosts. The rule matches WMIC invocations whose parameters indicate a remote query, specifically the '/node:' parameter, and filters out invocations that address the local host in order to reduce false positives. A WMIC execution with a remote node specified can indicate malicious activity. The rule is intended for Windows environments and gives visibility into potentially abusive use of WMIC to support security monitoring and response.
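As an added illustration of the logic the summary describes (not the rule's own YAML, which this page does not reproduce), the following Python applies the same criteria to a few constructed process-creation events: the image is wmic.exe, the command line carries a `/node:` argument, and targets naming the local host are dropped. The event field names, the set of local-host aliases, and the handling of quoted and comma-separated node lists are assumptions made for this example.

```python
import re

# Constructed process-creation events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:"FILESRV01" process call create "cmd.exe /c whoami"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic /node:localhost os get caption"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic /NODE:127.0.0.1 computersystem get name"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic /node:localhost,WS-042 service list brief"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c type C:\\temp\\wmic_node.txt"},
]

# Node values treated as the local machine and excluded to reduce false
# positives (assumed list; the rule text only mentions "localhost").
LOCAL_NODES = {"localhost", "127.0.0.1", "::1", "."}

# /node: followed by a double-quoted, single-quoted, or bare value.
NODE_RE = re.compile(r'/node:(?:"([^"]*)"|\'([^\']*)\'|(\S+))', re.IGNORECASE)


def remote_nodes(event):
    """Return the remote hosts targeted by a WMIC event, or [] if the event
    does not match (wrong image, no /node:, or only local targets)."""
    image = event.get("Image", "")
    if not image.lower().endswith("\\wmic.exe"):
        return []
    m = NODE_RE.search(event.get("CommandLine", ""))
    if not m:
        return []
    raw = next(g for g in m.groups() if g is not None)
    # WMIC accepts a comma-separated node list; keep only non-local entries.
    nodes = [n.strip() for n in raw.split(",") if n.strip()]
    return [n for n in nodes if n.lower() not in LOCAL_NODES]


def detect(events):
    """Return (command line, remote hosts) for every event that fires."""
    hits = []
    for e in events:
        hosts = remote_nodes(e)
        if hosts:
            hits.append((e["CommandLine"], hosts))
    return hits
```

Running `detect(SAMPLE_EVENTS)` flags only the first and fourth events; the localhost and 127.0.0.1 queries, the local-only WMIC call, and the unrelated cmd.exe process are ignored.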
Categories
  • Endpoint
  • Windows
  • Infrastructure
Data Sources
  • Process
Created: 2023-02-14