WMIC Abuse for APT Reconnaissance and Remote Execution
Detects anomalous wmic.exe usage with high-risk arguments typical of nation-state APT actors: remote process execution via `/node:<host>` combined with `process call create`, Volume Shadow Copy deletion via `shadowcopy delete`, and system/network enumeration through WMIC aliases such as `os`, `nicconfig`, `useraccount` or `process` used with `get` or `list`. Based on TTPs documented by Intel 471 for APT groups that abuse WMI for stealthy operations: wmic.exe is a signed, built-in Microsoft binary, so its activity blends in with legitimate administration and evades security controls that only look for unknown or unsigned tooling. Microsoft has deprecated wmic.exe, so legitimate use on current Windows builds should be rare; tune exclusions for any administrative scripts or management agents that still wrap it, and alert on the wmic.exe process-creation event itself rather than on a parent shell's command line, since the child process carries the arguments that matter.
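The three detection branches described above, applied to constructed process-creation events, as an added example that is not part of the original rule. The Sysmon-style field names (`Image`, `CommandLine`), the list of aliases counted as enumeration, and every sample command line are this example's own assumptions, not content from the rule or from Intel 471's reporting.

```python
import re

# Added example (not part of the original rule). Sysmon-style field names
# ("Image", "CommandLine") and every sample event below are constructed.

# Remote execution: /node:<host> (wmic also accepts /node:@hosts.txt) followed
# by "process call create"; casing is ignored because wmic.exe accepts any.
REMOTE_EXEC = re.compile(r"/node:\S+.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)
# Volume Shadow Copy deletion via the WMIC shadowcopy alias.
SHADOW_DELETE = re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I)
# WMIC aliases treated as system/network enumeration. Assumption: this list is
# the example's own choice; tune it to the environment.
ENUM_ALIASES = {"os", "computersystem", "nicconfig", "useraccount", "group", "qfe",
                "process", "service", "share", "ntdomain", "netlogin", "sysaccount",
                "logicaldisk", "startup"}
ENUM_VERBS = {"get", "list"}


def is_wmic(image: str) -> bool:
    """True when the process image is wmic.exe, regardless of path or casing."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower() == "wmic.exe"


def classify(command_line: str) -> list:
    """Return the rule branches a wmic command line matches (empty list = benign)."""
    findings = []
    if REMOTE_EXEC.search(command_line):
        findings.append("remote_execution")
    if SHADOW_DELETE.search(command_line):
        findings.append("shadowcopy_deletion")
    tokens = [t.strip('"').lower() for t in command_line.split()]
    # Enumeration = an alias followed (possibly after a "where" filter) by get/list.
    # Scanning stops at "call" so "process call create" is not also counted here.
    for i, tok in enumerate(tokens):
        if tok in ENUM_ALIASES:
            for later in tokens[i + 1:]:
                if later == "call":
                    break
                if later in ENUM_VERBS:
                    findings.append("enumeration")
                    break
            break
    return findings


def evaluate(events):
    """Apply the rule to process-creation events; return (command_line, findings) for hits.

    Only wmic.exe's own event is inspected: a parent cmd.exe that spawned wmic
    will produce a separate event for the child, which is the one we want.
    """
    alerts = []
    for ev in events:
        if not is_wmic(ev["Image"]):
            continue
        findings = classify(ev["CommandLine"])
        if findings:
            alerts.append((ev["CommandLine"], findings))
    return alerts


# Constructed sample events (hosts, users and passwords are placeholders).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'WMIC.exe /node:"10.0.0.5" /user:corp\admin /password:P@ss '
                    r'process call create "cmd.exe /c whoami"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic.exe shadowcopy delete"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic.exe nicconfig get ipaddress,macaddress,dnsdomain"},
    {"Image": r"C:\Windows\SysWOW64\wbem\WMIC.exe",
     "CommandLine": "wmic.exe process where \"name='lsass.exe'\" get processid"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic /?"},                      # benign: help text only
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c wmic shadowcopy delete"},  # parent shell, not wmic.exe
]

if __name__ == "__main__":
    for cmd, findings in evaluate(SAMPLE_EVENTS):
        print(findings, cmd)
```

The enumeration branch is the noisy one in practice: `wmic os get` and similar queries appear in inventory scripts, so it is usually weighted lower than the remote-execution and shadow-copy branches, or gated on the user or parent process rather than alerted on alone.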