
Summary
This detection rule is designed to identify potential lateral movement activity that abuses the Distributed Component Object Model (DCOM) in Windows environments. Specifically, it focuses on use of the MMC20.Application COM object to execute commands from a remote host, which can indicate an attacker leveraging DCOM for unauthorized access and control. The rule uses an EQL (Event Query Language) query that correlates a sequence of network activity and process creation on the same host: inbound traffic from a remote source to the local host where 'mmc.exe' is running, followed by a process spawned by that 'mmc.exe' instance. By examining inbound network connections on high-numbered ports (49152 and above, the dynamic RPC range DCOM uses) together with child processes of 'mmc.exe', the rule aims to flag behaviour that may indicate lateral movement or defence evasion by adversaries. Given its high severity score of 73, any alert from this rule warrants careful review for misuse of DCOM within an organization’s infrastructure.
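As an added illustration (this is not the rule's own EQL query and not code from the rule's authors), the two-stage sequence described above can be prototyped in Python over constructed endpoint events. The field names, the one-minute correlation window and the sample events are assumptions chosen for this example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample events (not real telemetry); field names are assumptions.
EVENTS = [
    # Remote host connects to mmc.exe on a dynamic RPC port, then mmc.exe spawns cmd.exe.
    {"ts": "2020-11-06T10:00:00", "kind": "network", "host": "ws01", "process": "mmc.exe",
     "pid": 4120, "src_ip": "10.0.0.25", "dst_port": 49700, "direction": "incoming", "transport": "tcp"},
    {"ts": "2020-11-06T10:00:03", "kind": "process", "host": "ws01", "process": "cmd.exe",
     "pid": 5000, "parent": "mmc.exe", "parent_pid": 4120},
    # Benign: loopback connection to mmc.exe followed by a child process; must not match.
    {"ts": "2020-11-06T11:00:00", "kind": "network", "host": "ws02", "process": "mmc.exe",
     "pid": 1200, "src_ip": "127.0.0.1", "dst_port": 49800, "direction": "incoming", "transport": "tcp"},
    {"ts": "2020-11-06T11:00:02", "kind": "process", "host": "ws02", "process": "notepad.exe",
     "pid": 1300, "parent": "mmc.exe", "parent_pid": 1200},
]

EPHEMERAL_PORT_MIN = 49152          # start of the dynamic RPC/DCOM port range
MAX_SPAN = timedelta(minutes=1)     # assumed correlation window for this example


def is_remote_dcom_ingress(ev):
    """Stage 1: inbound TCP to mmc.exe on a high port from a non-loopback source."""
    return (ev["kind"] == "network" and ev["process"].lower() == "mmc.exe"
            and ev["direction"] == "incoming" and ev["transport"] == "tcp"
            and ev["dst_port"] >= EPHEMERAL_PORT_MIN
            and not ip_address(ev["src_ip"]).is_loopback)


def detect_mmc_dcom_lateral_movement(events):
    """Return (host, source_ip, child_process) for every stage-1 event that is
    followed, within MAX_SPAN, by a child of the same mmc.exe instance (stage 2)."""
    hits, stage1 = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if is_remote_dcom_ingress(ev):
            stage1.append((ts, ev))
        elif ev["kind"] == "process" and ev.get("parent", "").lower() == "mmc.exe":
            for t1, net in stage1:
                # Same host, same mmc.exe process (pid), and within the time window.
                if (net["host"] == ev["host"] and net["pid"] == ev["parent_pid"]
                        and timedelta(0) <= ts - t1 <= MAX_SPAN):
                    hits.append((ev["host"], net["src_ip"], ev["process"]))
    return hits


if __name__ == "__main__":
    for host, src, child in detect_mmc_dcom_lateral_movement(EVENTS):
        print(f"ALERT host={host} remote_source={src} mmc_child={child}")
```

A production version would also key on a stable process entity id rather than a reusable pid, and would sit behind the usual allow-listing for legitimate remote MMC administration.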
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Network Traffic
- Application Log
- Firewall
ATT&CK Techniques
- T1021
- T1021.003
- T1218
- T1218.014
Created: 2020-11-06