
Summary
The detection rule 'Remote WMIC Query' is designed to identify unauthorized remote management activity using the Windows Management Instrumentation Command-line (WMIC) tool. WMIC is a powerful feature in Windows environments that enables command-line access to management information. Adversaries may leverage WMIC to gather data from local and remote systems and execute files as part of lateral movement. This rule specifically targets WMIC commands executed with the '/node' switch, which indicates attempts to interact with remote systems. The detection logic queries logs from the CrowdStrike Falcon Data Repository (FDR) for process creation events occurring within the last two hours where the command line argument contains '/node:'. The rule is associated with specific threat actors, namely Earth Estries and Flax Typhoon, who have been known to utilize these tactics for reconnaissance and lateral movement. The application of this rule is vital for enhancing security monitoring and response capabilities in Windows environments.
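The detection logic described above, written out as an added example that is not CrowdStrike's query or the rule's own code: it filters constructed process-creation events to the two-hour window, matches '/node:' in the command line, and pulls out the remote target for triage. Field names (ts, host, user, image, cmdline) are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample process-creation events; field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2024-02-09T10:05:00Z", "host": "WS01", "user": "alice",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:"SRV02" process call create "cmd.exe /c whoami"'},
    {"ts": "2024-02-09T09:58:00Z", "host": "WS01", "user": "alice",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},                   # local query, no /node
    {"ts": "2024-02-09T06:00:00Z", "host": "WS03", "user": "bob",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic /node:10.0.0.5 computersystem get name"},  # outside 2h window
    {"ts": "2024-02-09T10:30:00Z", "host": "WS05", "user": "carol",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "WMIC /NODE:SRV05 service list brief"},   # upper-case switch
    {"ts": "2024-02-09T10:10:00Z", "host": "WS04", "user": "svc",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c type notes.txt"},
]

# Captures the value after /node:, with or without surrounding quotes.
NODE_RE = re.compile(r'/node:\s*"?([^"\s,]+)', re.IGNORECASE)

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect_remote_wmic(events, now, window=timedelta(hours=2)):
    """Return events inside the lookback window whose command line carries
    the /node: switch. Matching is case-insensitive because WMIC accepts
    switches in any case; each hit is enriched with the remote target."""
    hits = []
    for ev in events:
        if now - parse_ts(ev["ts"]) > window:
            continue
        m = NODE_RE.search(ev["cmdline"])
        if m:
            hits.append({**ev, "target": m.group(1)})
    return hits

def summarize(hit):
    # Compact triage line: who ran WMIC, from where, against which host.
    return f'{hit["ts"]} {hit["host"]} {hit["user"]} -> {hit["target"]}: {hit["cmdline"]}'

if __name__ == "__main__":
    now = parse_ts("2024-02-09T11:00:00Z")  # constructed query time
    for hit in detect_remote_wmic(SAMPLE_EVENTS, now):
        print(summarize(hit))
```

In production the window and field names come from the FDR query itself; the point here is that the match is on the switch, so a local WMIC query and an event older than the window are both left out.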
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1047
Created: 2024-02-09