2024-01-22 by Micah Babinski (@mbabinski), William Rotchford
IBM creates WMI false positives
The data collector periodically runs a command like `cmd.exe /c wmic process call create C:...\datacollectorbin\collectorSrvWatchDog.bat`.
This may trigger detection rules for T1047 (Windows Management Instrumentation) that look for wmic.exe being used to covertly spawn processes.
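To show how a T1047 detection can be tuned for this watchdog without disabling it, here is an added example (not part of the original note, and not IBM's or any vendor's code). It runs a generic "wmic process call create" check over a few constructed process-creation command lines and suppresses only the IBM collector case. Because the note truncates the path ("C:...\datacollectorbin\collectorSrvWatchDog.bat"), the tuning matches on the known trailing segment rather than guessing the install root; the `PLACEHOLDER_INSTALL_ROOT` directory in the sample is a constructed placeholder, and the regexes are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Generic T1047 heuristic: wmic used to spawn a process via "process call create".
# The command-line shape comes from the note above; the regex itself is an assumption.
WMIC_PROCESS_CREATE = re.compile(
    r"\bwmic(\.exe)?\s+process\s+call\s+create\b", re.IGNORECASE
)

# Tuning for the IBM data collector watchdog. The note truncates the path, so we
# anchor on the trailing segment it does give instead of inventing the full path.
IBM_WATCHDOG_TAIL = re.compile(
    r"\\datacollectorbin\\collectorSrvWatchDog\.bat\s*$", re.IGNORECASE
)


@dataclass
class Verdict:
    alert: bool
    reason: str


def classify(command_line: str) -> Verdict:
    """Return whether a process-creation command line should raise a T1047 alert."""
    if not WMIC_PROCESS_CREATE.search(command_line):
        return Verdict(False, "no wmic process-creation pattern")
    if IBM_WATCHDOG_TAIL.search(command_line):
        # Known benign: the IBM data collector periodically launching its watchdog.
        return Verdict(False, "tuned out: IBM data collector watchdog (T1047 false positive)")
    return Verdict(True, "T1047: wmic used to spawn a process")


# Constructed sample command lines; the install root is a placeholder, not a real path.
SAMPLE_COMMAND_LINES = [
    r"cmd.exe /c wmic process call create C:\PLACEHOLDER_INSTALL_ROOT\datacollectorbin\collectorSrvWatchDog.bat",
    r"wmic process call create notepad.exe",
    r"cmd.exe /c dir",
]


def triage(command_lines):
    """Classify each command line and keep the verdict next to it for review."""
    return [(cl, classify(cl)) for cl in command_lines]


if __name__ == "__main__":
    for cl, verdict in triage(SAMPLE_COMMAND_LINES):
        flag = "ALERT " if verdict.alert else "ignore"
        print(f"{flag}  {verdict.reason:<60}  {cl}")
```

Tuning on the command-line tail alone is deliberately narrow; if your telemetry carries the parent image or the launching account, add those fields to the suppression so that only the collector's own periodic launch is excluded and any other wmic-spawned process still alerts.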