Mmc LOLBAS Execution Process Spawn

Splunk Security Content

Summary
This detection rule identifies process creation events in which the Windows executable `mmc.exe` (Microsoft Management Console) is the parent of a binary catalogued by the Living Off The Land Binaries and Scripts (LOLBAS) project, which tracks Windows-native binaries that adversaries can misuse. A LOLBAS binary launched from `mmc.exe` can indicate abuse of the DCOM protocol and COM objects such as MMC20 to execute unwanted or malicious commands. This is a known lateral-movement pattern: an attacker drives a trusted process on another host to run commands remotely, extending compromise and establishing persistence. The rule draws on EDR telemetry, specifically Sysmon EventID 1, Windows Security Event Log 4688, and CrowdStrike ProcessRollup2, so that process creation events are covered across these sources.
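The following is an added example, not the Splunk rule's own search or code, showing the core of the logic described above applied to process creation records. It normalises the parent and child image paths, maps the differently named fields of Sysmon EventID 1 and Security 4688 onto one shape, and flags a record only when the parent is `mmc.exe` and the child is on a LOLBAS name list. The field names in `FIELD_MAP`, the `LOLBAS_NAMES` subset, and the sample events are assumptions constructed for the example.

```python
"""Flag LOLBAS binaries whose parent process is mmc.exe.

Added example; not part of the Splunk Security Content rule. The records
below are constructed, and the field mapping is an assumption about how
Sysmon EventID 1 and Security 4688 name their parent/child image fields.
"""
from dataclasses import dataclass
import ntpath

# Constructed subset of LOLBAS binary names (assumption: illustrative, not the
# full project list; a real deployment would load the complete list).
LOLBAS_NAMES = frozenset({
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe",
    "wscript.exe", "cscript.exe", "msiexec.exe", "bitsadmin.exe",
    "wmic.exe", "cmstp.exe",
})

PARENT_OF_INTEREST = "mmc.exe"

# (parent image field, child image field, command line field, host field)
# per source type. Assumed field names for each log source.
FIELD_MAP = {
    "sysmon": ("ParentImage", "Image", "CommandLine", "Computer"),
    "security4688": ("ParentProcessName", "NewProcessName", "CommandLine", "Computer"),
}


@dataclass(frozen=True)
class Finding:
    host: str
    parent: str
    child: str
    command_line: str


def basename(path: str) -> str:
    """Windows basename, case-folded: 'C:\\Windows\\System32\\MMC.EXE' -> 'mmc.exe'."""
    return ntpath.basename(path.replace("/", "\\")).lower()


def detect(events):
    """Return a Finding for every record where mmc.exe spawned a LOLBAS binary."""
    findings = []
    for ev in events:
        fields = FIELD_MAP.get(ev.get("source"))
        if fields is None:
            continue  # unknown source type; nothing to normalise
        parent_f, child_f, cmd_f, host_f = fields
        parent = basename(ev.get(parent_f, ""))
        child = basename(ev.get(child_f, ""))
        if parent == PARENT_OF_INTEREST and child in LOLBAS_NAMES:
            findings.append(Finding(ev.get(host_f, "unknown"), parent, child, ev.get(cmd_f, "")))
    return findings


def findings_by_host(findings):
    """Count hits per host, the grouping an analyst would pivot on first."""
    counts = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


# Constructed sample records (not real telemetry). Two should fire, two should not.
SAMPLE_EVENTS = [
    {"source": "sysmon", "Computer": "WS01",
     "ParentImage": "C:\\Windows\\System32\\MMC.EXE",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe example.dll,Entry"},
    {"source": "sysmon", "Computer": "WS01",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},   # parent is not mmc.exe
    {"source": "security4688", "Computer": "SRV02",
     "ParentProcessName": "C:\\Windows\\System32\\mmc.exe",
     "NewProcessName": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe C:\\Users\\Public\\page.hta"},
    {"source": "security4688", "Computer": "SRV02",
     "ParentProcessName": "C:\\Windows\\System32\\mmc.exe",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe"},                                # child is not LOLBAS
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host}: {f.parent} -> {f.child}  [{f.command_line}]")
```

Matching on the case-folded basename rather than the full path keeps the check robust to mixed-case image paths and to `mmc.exe` being launched from SysWOW64. Before deploying, baseline which children `mmc.exe` legitimately spawns in the environment (some snap-ins launch helper binaries) and allowlist those parent/child/command-line combinations so the alert stays focused on the DCOM-driven spawns the rule is meant to catch.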
Categories
  • Endpoint
  • Windows
  • Infrastructure
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1021
  • T1021.003
  • T1218.014
Created: 2024-11-13