WMI-Spawned Command Shell for APT Lateral Movement
Detects cmd.exe or PowerShell processes whose parent is WmiPrvSE.exe (the WMI provider host that services remote Win32_Process Create calls) and whose command line runs reconnaissance, enumeration, or persistence commands. The parent/child relationship alone is noisy, since management agents and scheduled scripts also launch shells through WMI; the command-line filter is what makes this a high-confidence lateral-movement indicator. WMI-spawned shells running enumeration commands are a recurring hallmark of hands-on-keyboard operators, including APT3 and other nation-state actors.
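The matching logic described above, as an added example rather than the rule's own code: it runs the parent-image, child-image and command-line checks over a handful of constructed Sysmon Event ID 1 style records. The field names, the sample events and the keyword lists for each command category are assumptions made for this illustration; a production rule would tune the keyword lists to the environment.

```python
"""Added example: WMI-spawned shell detection over constructed process-creation
records. Not the rule's own implementation; field names follow Sysmon Event ID 1."""
import re

# Constructed sample events (hypothetical, for this example only).
SAMPLE_EVENTS = [
    {   # remote WMI exec running recon + domain enumeration -> should fire
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'cmd.exe /c "whoami /all && net group "domain admins" /domain"',
    },
    {   # PowerShell via WMI enumerating local accounts -> should fire
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -nop -w hidden -c "Get-LocalUser; Get-LocalGroupMember Administrators"',
    },
    {   # scheduled-task persistence dropped through WMI -> should fire
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c schtasks /create /tn Updater /tr C:\Users\Public\u.exe /sc onlogon",
    },
    {   # WMI-launched shell with a benign command line -> must NOT fire
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "C:\Program Files\Monitoring\agent_check.bat"',
    },
    {   # recon command but interactive parent -> outside this rule's scope
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
]

# Parent/child pairing that identifies a WMI-spawned shell (case-insensitive suffix match).
WMI_PARENT = "\\wmiprvse.exe"
SHELL_IMAGES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")

# Command-line categories named in the rule; keyword choices are assumptions.
RECON_CATEGORIES = {
    "reconnaissance": re.compile(
        r"\b(whoami|hostname|systeminfo|ipconfig|nltest|quser|qwinsta)\b", re.I),
    "enumeration": re.compile(
        r"\bnet1?\s+(user|group|localgroup|view|share|session)\b"
        r"|\btasklist\b|\bwmic\b|\bget-(local|ad)?(user|group)", re.I),
    "persistence": re.compile(
        r"\bschtasks\b|\bsc\s+create\b|\breg\s+add\b|\bnew-scheduledtask\b", re.I),
}


def classify(event):
    """Return the matched categories for one event, or [] when the event does not
    fit the rule (wrong parent or child image, or no suspicious command line)."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    if not parent.endswith(WMI_PARENT):
        return []
    if not image.endswith(SHELL_IMAGES):
        return []
    cmd = event.get("CommandLine", "")
    return [name for name, pattern in RECON_CATEGORIES.items() if pattern.search(cmd)]


def detect(events):
    """Apply the rule to a sequence of events; return (index, categories) for each hit."""
    hits = []
    for i, event in enumerate(events):
        categories = classify(event)
        if categories:
            hits.append((i, categories))
    return hits


if __name__ == "__main__":
    for i, categories in detect(SAMPLE_EVENTS):
        print(f"event {i}: WMI-spawned shell [{', '.join(categories)}] "
              f"{SAMPLE_EVENTS[i]['CommandLine']}")
```

Events 3 and 4 are the two false-positive cases worth keeping in a test set: the first shows why the command-line filter is needed (WmiPrvSE.exe launching cmd.exe is normal for monitoring agents), the second shows that the rule is scoped to the WMI parent and leaves interactive recon to other detections.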