
Summary
The MMC20 Lateral Movement rule detects a known DCOM lateral-movement technique in Windows environments: remote activation of the MMC20.Application COM object, which causes the target host to start mmc.exe with the '-Embedding' command line parameter. '-Embedding' is the flag COM passes to an out-of-process server when the COM Service Control Manager starts it on behalf of a client, which is why the process appears as a child of svchost.exe (the service host running the DcomLaunch service) rather than of a user shell such as explorer.exe. The rule therefore alerts on process creation events in which mmc.exe is launched with '-Embedding' and the parent process is svchost.exe. An interactively opened console (mmc.exe started from explorer.exe or cmd.exe, usually with a .msc path and without '-Embedding') does not match. The rule is assigned high severity because a true positive means an attacker already holds valid credentials for the target host and is using it as a pivot, so matches should be investigated promptly. Note that local automation which instantiates MMC20.Application through COM produces the same parent and command line, so triage should confirm whether the activation came from a remote client (for example by correlating with a network logon on the host at the same time).
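The detection logic above, run over a few constructed process-creation records, as an added example (this is not the rule's own query or code from the rule's authors). Field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage, ParentCommandLine); the sample events are made up for illustration and the helper names are this example's own. The check treats '-Embedding' as a whole command line token so that a console file whose name happens to contain the string is not counted, and a separate helper flags whether the parent svchost.exe is the DcomLaunch host, which is the enrichment an analyst wants first when triaging a hit.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events in Sysmon Event ID 1 style.
# These are not real telemetry; they illustrate the match and the non-matches.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # DCOM activation of MMC20.Application: the pattern the rule looks for
        "Image": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r'"C:\Windows\system32\mmc.exe" -Embedding',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p",
    },
    {   # Administrator opening Event Viewer interactively: parent is explorer.exe, no -Embedding
        "Image": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"',
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
    },
    {   # Another COM server started by DcomLaunch with -Embedding, but it is not mmc.exe
        "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -Embedding",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p",
    },
    {   # mmc.exe with -Embedding under a non-svchost parent: outside this rule's scope
        "Image": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r"mmc.exe -Embedding",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r"cmd.exe",
    },
    {   # A console file whose name contains "-Embedding": must NOT count as the flag
        "Image": r"C:\Windows\System32\mmc.exe",
        "CommandLine": r'"C:\Windows\system32\mmc.exe" C:\Consoles\audit-Embedding.msc',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p",
    },
]

# Whole-token match for the COM activation flag. COM passes "-Embedding"; the
# "/Embedding" spelling is accepted as a tolerance (assumption, not something the
# rule text states). The lookarounds reject "-EmbeddingX" and "foo-Embedding".
_EMBEDDING_FLAG = re.compile(r"(?<!\S)[-/]Embedding(?!\S)", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_embedding_flag(command_line: str) -> bool:
    """True if the command line carries -Embedding as a standalone argument."""
    return _EMBEDDING_FLAG.search(command_line) is not None


def matches_mmc20_rule(event: Dict[str, str]) -> bool:
    """The rule as described: mmc.exe, parent svchost.exe, -Embedding on the command line."""
    return (
        _basename(event.get("Image", "")) == "mmc.exe"
        and _basename(event.get("ParentImage", "")) == "svchost.exe"
        and has_embedding_flag(event.get("CommandLine", ""))
    )


def parent_is_dcomlaunch(event: Dict[str, str]) -> bool:
    """Triage enrichment: was the parent svchost.exe the DcomLaunch service host?

    Service hosts are started as "svchost.exe -k <group>", so the group name on the
    parent's command line tells us whether the COM Service Control Manager spawned
    the child (the expected parent for DCOM activation).
    """
    return re.search(r"-k\s+DcomLaunch(?!\S)", event.get("ParentCommandLine", ""),
                     re.IGNORECASE) is not None


def run_rule(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that match the MMC20 Lateral Movement rule."""
    return [e for e in events if matches_mmc20_rule(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT (high):", hit["CommandLine"],
              "| parent DcomLaunch:", parent_is_dcomlaunch(hit))
```

In a production pipeline the three predicates map directly onto the query fields of the SIEM or EDR (image name, parent image name, command line contains token); the point of the token-aware match and the DcomLaunch enrichment is to keep the alert tight while giving the analyst the first fact they need for triage.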
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2020-03-04