This analytic rule detects the execution of PowerShell commands intended to instantiate processes on remote endpoints using DCOM (Distributed Component Object Model). It specifically targets the 'ShellExecute' and 'ExecuteShellCommand' methods that adversaries might exploit to achieve lateral movement and remote code execution within a network. The detection leverages data from various Endpoint Detection and Response (EDR) agents, focusing on key indicators such as process names, parent processes, and command-line arguments. Identifying such activities is critical, as they may indicate malicious intent to execute arbitrary code remotely and escalate privileges, representing a significant cybersecurity threat. The rule utilizes Sysmon EventID 1, Windows Event Log Security 4688, and CrowdStrike’s ProcessRollup2 data sources to monitor for these potentially dangerous interactions.