Windows PowerShell Get CIMInstance Remote Computer

Splunk Security Content

Summary
This analytic rule detects use of the Get-CimInstance cmdlet invoked with the -ComputerName parameter in Windows PowerShell. It relies on PowerShell Script Block Logging, which records the content of script blocks as they execute, to capture this particular form of remote access. Running Get-CimInstance with -ComputerName queries information from a remote machine, which may indicate unauthorized access by an attacker. If the activity is confirmed as malicious, it poses a significant risk: the attacker can harvest sensitive data from systems across the network, facilitating lateral movement or further exploitation within the compromised environment. The rule is assigned a low risk score so that security teams can monitor this activity effectively while keeping alert fatigue low.
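The detection logic described above, replayed over a few constructed Script Block Logging records. This is an added illustration in Python rather than Splunk's own SPL search; the field names, hostnames and SIDs are assumptions, and it also widens the match to the documented gcim alias and to PowerShell's abbreviated parameter binding (-Comp), which the summary does not mention.

```python
"""Added example (not Splunk's own SPL): replay the Get-CimInstance -ComputerName
detection over a handful of constructed PowerShell Script Block Logging events."""
import re
from collections import defaultdict

# Constructed EventCode 4104/4103 records. Field names mirror what a Windows
# PowerShell operational log forwarder typically emits; every value is made up.
FIELDS = ("_time", "EventCode", "Computer", "UserID", "ScriptBlockText")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    (1731499200, 4104, "ws01.example.test", "S-1-5-21-EXAMPLE-1001", "Get-CimInstance -ClassName Win32_OperatingSystem"),
    (1731499260, 4104, "ws01.example.test", "S-1-5-21-EXAMPLE-1001", "Get-CimInstance -ClassName Win32_Process -ComputerName srv02"),
    (1731499320, 4104, "ws01.example.test", "S-1-5-21-EXAMPLE-1001", "gcim Win32_Service -Comp srv03, srv04 | select Name"),
    (1731499380, 4103, "ws02.example.test", "S-1-5-21-EXAMPLE-1002", "Get-CimInstance -ComputerName srv05"),
    (1731499440, 4104, "ws02.example.test", "S-1-5-21-EXAMPLE-1002", "Get-Process -ComputerName srv06"),
]]

# gcim is the documented alias of Get-CimInstance, and PowerShell binds any
# unambiguous prefix of a parameter name, so "-Comp" resolves to -ComputerName.
CMDLET_RE = re.compile(r"(?i)(?<![\w-])(?:get-ciminstance|gcim)(?![\w-])")
PARAM_RE = re.compile(r"(?i)(?<![\w-])-(comp\w*)")


def is_remote_ciminstance(event):
    """True when a 4104 script block runs Get-CimInstance against -ComputerName."""
    if event.get("EventCode") != 4104:
        return False
    text = event.get("ScriptBlockText", "")
    if not CMDLET_RE.search(text):
        return False
    return any("computername".startswith(p.lower()) for p in PARAM_RE.findall(text))


def summarize(events):
    """Aggregate hits by source host and user, like a stats over the matches."""
    hits = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "blocks": []})
    for ev in events:
        if not is_remote_ciminstance(ev):
            continue
        h = hits[(ev["Computer"], ev["UserID"])]
        h["count"] += 1
        h["firstTime"] = ev["_time"] if h["firstTime"] is None else min(h["firstTime"], ev["_time"])
        h["lastTime"] = ev["_time"] if h["lastTime"] is None else max(h["lastTime"], ev["_time"])
        h["blocks"].append(ev["ScriptBlockText"])
    return dict(hits)


if __name__ == "__main__":
    for (host, user), h in summarize(SAMPLE_EVENTS).items():
        print(f"{host} {user}: {h['count']} hit(s) between {h['firstTime']} and {h['lastTime']}")
```

Local queries (no -ComputerName), non-4104 events and other cmdlets that take -ComputerName are left out, which is where the rule's low false-positive rate comes from.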
Categories
  • Windows
  • Endpoint
Data Sources
  • Pod
  • Script
ATT&CK Techniques
  • T1059.001
Created: 2024-11-13