Skill UI

This skill detects WMI-based lateral movement by analyzing key Windows Security Event ID 4688 and Sysmon Event ID 1 logs. It focuses on identifying suspicious process execution patterns, such as WmiPrvSE.exe spawning unauthorized child processes (cmd.exe, powershell.exe), suspicious command lines, and WMI event subscriptions used for persistence. Ideal for security incident response and threat detection.