
Domain Controller Discovery with Wmic

Splunk Security Content

Summary
This detection rule identifies the execution of `wmic.exe`, the Windows command-line WMI utility, with arguments related to discovering domain controllers. Threat actors often leverage this behavior to gain insight into the Active Directory structure, which lets them identify key systems, target further attacks, and potentially facilitate unauthorized access and data exfiltration. The detection uses data from sources including Sysmon logs and Windows Event Logs to track processes that invoke `wmic.exe`, and evaluates their command-line arguments so that only those indicative of domain controller discovery are matched. Given the nature of this command, security teams should monitor instances where it is executed, since they may provide indicators of compromise (IoC) when linked to malicious activity. Implementation requires ingesting and normalizing the logs through the Splunk Common Information Model (CIM) to streamline detection and alerting. Properly tuning the detection helps reduce false positives that arise from legitimate administrative activity.
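The following Python is an added example, not the Splunk Security Content rule or its SPL search: it models the detection logic the summary describes over CIM-style process-creation records, so the matching, the renamed-binary handling and the false-positive tuning can be exercised offline. The `ntdomain`/`get`/`list` pattern, the `allowed_users` allowlist and the sample events are assumptions constructed for this example; the rule's real search may match different arguments.

```python
import ntpath
import re

# Assumption for this example: domain controller discovery via wmic is modelled as the
# "ntdomain" alias (Win32_NTDomain) queried with "get" or "list". The rule's actual
# Splunk search is not reproduced on the page, so this pattern is illustrative only.
DC_DISCOVERY_RE = re.compile(r"\bntdomain\b.*\b(get|list)\b", re.IGNORECASE)


def is_wmic(event: dict) -> bool:
    """True if the process is wmic.exe, judged by the image name or, for a copied and
    renamed binary, by the OriginalFileName that Sysmon reads from the PE header."""
    image_name = ntpath.basename(event.get("image", "")).lower()
    original = event.get("original_file_name", "").lower()
    return image_name == "wmic.exe" or original == "wmic.exe"


def is_dc_discovery(event: dict) -> bool:
    """Match only wmic invocations whose arguments target domain controller discovery."""
    if not is_wmic(event):
        return False
    return DC_DISCOVERY_RE.search(event.get("command_line", "")) is not None


def evaluate_events(events, allowed_users=frozenset()):
    """Run the detection over normalized process-creation events and return alerts.

    allowed_users is a tuning knob (an assumption of this example): accounts known to
    run this command legitimately, such as an AD administration team, are suppressed
    to reduce false positives from routine administrative activity."""
    alerts = []
    for ev in events:
        if not is_dc_discovery(ev):
            continue
        if ev.get("user", "") in allowed_users:
            continue
        alerts.append({
            "host": ev["host"],
            "user": ev["user"],
            "process": ev["command_line"],
            "technique": "T1018",
        })
    return alerts


# Constructed sample events in the shape of CIM-normalized Sysmon EventID 1 records.
SAMPLE_EVENTS = [
    {   # discovery command run from a workstation
        "host": "WS01", "user": "CORP\\jdoe",
        "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "original_file_name": "wmic.exe",
        "command_line": "wmic ntdomain get DomainControllerAddress,DomainControllerName,DomainName",
    },
    {   # wmic.exe copied and renamed; OriginalFileName still identifies it
        "host": "WS02", "user": "CORP\\svc-backup",
        "image": "C:\\Users\\Public\\svc.exe", "original_file_name": "wmic.exe",
        "command_line": "svc.exe ntdomain list brief",
    },
    {   # benign software inventory: wmic, but not domain controller discovery
        "host": "WS01", "user": "CORP\\jdoe",
        "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "original_file_name": "wmic.exe",
        "command_line": "wmic product get name,version",
    },
    {   # not wmic at all; out of scope for this rule
        "host": "SRV01", "user": "CORP\\adadmin",
        "image": "C:\\Windows\\System32\\net.exe", "original_file_name": "net.exe",
        "command_line": "net use Z: \\\\fileserver\\share",
    },
    {   # same discovery command, but run by the AD administration account
        "host": "SRV01", "user": "CORP\\adadmin",
        "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "original_file_name": "wmic.exe",
        "command_line": "wmic ntdomain get DomainName,DnsForestName",
    },
]

if __name__ == "__main__":
    for alert in evaluate_events(SAMPLE_EVENTS):
        print(alert)
```

Running the block reports three alerts (WS01, WS02 and SRV01); the renamed copy on WS02 is caught only because the check also consults `original_file_name`, which is why a process-name match alone is weaker than the CIM `original_file_name` field. Passing `allowed_users={"CORP\\adadmin"}` suppresses the SRV01 alert, which is the kind of tuning the summary refers to; an allowlist should be narrow and reviewed, since suppressing an account also hides that account's misuse.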
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1018
Created: 2024-11-13