
Summary
This detection rule identifies use of the Invoke-DCOM PowerShell script, which lets an attacker leverage the Distributed Component Object Model (DCOM) to execute commands on remote Windows systems in the context of a valid user account. The adversary abuses Office applications and other Windows objects that expose insecure methods. The rule relies on PowerShell logging events, in particular those that indicate invocation of DCOM-related functionality, identified by specific event codes (4103, 4104) and application identifiers. PowerShell logging must be enabled for the rule to work reliably. Analysts should examine how the commands were executed, especially where a new process is created. The detection covers the application functions and identifiers associated with DCOM execution and therefore captures activity linked to lateral movement within the network.
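As an added illustration (not the rule's own search logic), the following Python applies the approach described above to constructed PowerShell log events: it inspects 4104 script-block and 4103 module-log events for strings associated with DCOM-based execution. The indicator list and the sample events are assumptions made for this example, not the rule's actual content.

```python
"""Flag PowerShell script-block (4104) and module-log (4103) events that
reference DCOM-style remote execution. Indicators and events are constructed."""
import re

# Assumed indicators: the script name plus the .NET calls used to instantiate a
# COM object on a remote host. The real rule's list is not on this page.
DCOM_INDICATORS = [
    r"Invoke-DCOM",
    r"\[Activator\]::CreateInstance",
    r"\[Type\]::GetTypeFromProgID\(",
    r"\[Type\]::GetTypeFromCLSID\(",
    r"MMC20\.Application",
]
_PATTERN = re.compile("|".join(DCOM_INDICATORS), re.IGNORECASE)

# The text field differs by event: 4104 carries the script block,
# 4103 carries the module-logging payload.
_TEXT_FIELD = {4104: "ScriptBlockText", 4103: "Payload"}


def find_dcom_events(events):
    """Return [(EventRecordID, [matched indicator strings])] for matching events."""
    hits = []
    for ev in events:
        field = _TEXT_FIELD.get(ev.get("EventCode"))
        if field is None:
            continue  # not a PowerShell logging event this rule cares about
        matched = sorted({m.group(0) for m in _PATTERN.finditer(ev.get(field, ""))})
        if matched:
            hits.append((ev["EventRecordID"], matched))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventRecordID": 101, "EventCode": 4104, "Computer": "WS01",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Sort-Object Length"},
    {"EventRecordID": 102, "EventCode": 4104, "Computer": "WS01",
     "ScriptBlockText": "$com = [Type]::GetTypeFromProgID('MMC20.Application', $target); "
                        "$obj = [Activator]::CreateInstance($com)"},
    {"EventRecordID": 103, "EventCode": 4103, "Computer": "WS02",
     "Payload": "CommandInvocation(Invoke-DCOM): \"Invoke-DCOM\""},
    {"EventRecordID": 104, "EventCode": 4688, "Computer": "WS02",
     "ScriptBlockText": "[Activator]::CreateInstance ignored: not a PowerShell log event"},
]

if __name__ == "__main__":
    for rec_id, matched in find_dcom_events(SAMPLE_EVENTS):
        print(f"record {rec_id}: {', '.join(matched)}")
```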
Categories
- Windows
- Endpoint
- Application
Data Sources
- Script
- Process
ATT&CK Techniques
- T1021.003
- T1021
Created: 2024-02-09