
Remote DCOM/WMI Lateral Movement

Sigma Rules

Summary
This detection rule identifies remote procedure calls (RPC) that perform remote Distributed Component Object Model (DCOM) operations, the mechanism behind DCOM- and WMI-based lateral movement. It relies on the RPC Firewall, which writes an event to the Windows Application log for each audited RPC call; the rule selects events whose log source is RPCFW with event ID 3 and whose interface UUID is one of the DCOM interfaces used to activate or manage objects on a remote host. Two practical consequences follow: the rule only fires on hosts where the RPC Firewall is installed and configured to audit those interfaces, and it carries no built-in exclusions, so legitimate remote administration (WMI inventory, remote management tooling, jump hosts) will match and must be tuned out per environment. The rule maps to ATT&CK lateral movement via Distributed Component Object Model (T1021.003) and Windows Management Instrumentation (T1047) and gives defenders a way to see DCOM and WMI activity at the RPC layer, before a process is created on the target.
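The following is an added example, not code from the Sigma rule or the RPC Firewall project, that replays the rule's selection logic over a handful of constructed RPCFW records and then applies the kind of source-address allow-list a team would add to handle the false-positive case above. Field names (EventLog, EventID, InterfaceUuid, SourceAddress, ProcessName, OpNum) follow the Sigma rpc_firewall log source; the watch list holds the DCOM activation and OXID-resolver interface UUIDs defined in MS-DCOM, which is an assumption here because this page does not reproduce the rule's own InterfaceUuid list.

```python
"""Replay of the Remote DCOM/WMI Lateral Movement selection logic over
constructed RPC Firewall (RPCFW) records.

Added example; this is not code from the Sigma rule or the RPC Firewall
project. Field names follow the Sigma rpc_firewall log source (EventLog,
EventID, InterfaceUuid, SourceAddress, ProcessName, OpNum); all records
below are constructed, not captured from a live host.
"""
from dataclasses import dataclass

# Assumed watch list: the DCOM activation and OXID-resolver interfaces from
# MS-DCOM. The page does not reproduce the rule's own InterfaceUuid list, so
# confirm these values against the rule source before deploying.
DCOM_INTERFACE_UUIDS = {
    "4d9f4ab8-7d1c-11cf-861e-0020af6e7c57": "IActivation",
    "000001a0-0000-0000-c000-000000000046": "IRemoteSCMActivator",
    "99fcfec4-5260-101b-bbcb-00aa0021347a": "IObjectExporter",
}


@dataclass(frozen=True)
class Alert:
    computer: str
    source_address: str
    interface: str
    process: str


def matches_selection(event: dict) -> bool:
    """Sigma 'selection': EventLog == RPCFW, EventID == 3, InterfaceUuid in list.

    UUIDs are lower-cased before the lookup because Sigma string matching is
    case-insensitive while RPCFW may log them in upper case.
    """
    return (
        event.get("EventLog") == "RPCFW"
        and event.get("EventID") == 3
        and str(event.get("InterfaceUuid", "")).lower() in DCOM_INTERFACE_UUIDS
    )


def run_detection(events, allowed_sources=frozenset()):
    """Apply the rule, then drop hits whose SourceAddress is an allow-listed
    admin jump host (a hypothetical tuning step for the false-positive case
    the summary mentions; the rule itself has no such filter)."""
    alerts = []
    for ev in events:
        if not matches_selection(ev):
            continue
        if ev.get("SourceAddress") in allowed_sources:
            continue
        uuid = ev["InterfaceUuid"].lower()
        alerts.append(Alert(
            computer=ev.get("Computer", "?"),
            source_address=ev.get("SourceAddress", "?"),
            interface=DCOM_INTERFACE_UUIDS[uuid],
            process=ev.get("ProcessName", "?"),
        ))
    return alerts


# Constructed RPCFW Application-log records (not real captures).
SAMPLE_EVENTS = [
    # DCOM activation request reaching FS01 from a workstation: should alert.
    {"Computer": "FS01", "EventLog": "RPCFW", "EventID": 3,
     "InterfaceUuid": "4D9F4AB8-7D1C-11CF-861E-0020AF6E7C57", "OpNum": 0,
     "SourceAddress": "10.0.5.23",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe"},
    # Same kind of call from the admin jump host: alerts unless allow-listed.
    {"Computer": "FS01", "EventLog": "RPCFW", "EventID": 3,
     "InterfaceUuid": "000001a0-0000-0000-c000-000000000046", "OpNum": 4,
     "SourceAddress": "10.0.1.10",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe"},
    # SAMR interface (not in the watch list): no alert.
    {"Computer": "FS01", "EventLog": "RPCFW", "EventID": 3,
     "InterfaceUuid": "12345778-1234-abcd-ef00-0123456789ac", "OpNum": 6,
     "SourceAddress": "10.0.5.23",
     "ProcessName": "C:\\Windows\\System32\\lsass.exe"},
    # Watched interface but a different RPCFW event id: no alert.
    {"Computer": "FS01", "EventLog": "RPCFW", "EventID": 1,
     "InterfaceUuid": "99fcfec4-5260-101b-bbcb-00aa0021347a", "OpNum": 5,
     "SourceAddress": "10.0.5.23",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe"},
    # Event id 3 from another provider in the Application log: no alert.
    {"Computer": "FS01", "EventLog": "Application", "EventID": 3,
     "InterfaceUuid": "4d9f4ab8-7d1c-11cf-861e-0020af6e7c57",
     "SourceAddress": "10.0.5.23", "ProcessName": "C:\\app\\agent.exe"},
]


if __name__ == "__main__":
    for a in run_detection(SAMPLE_EVENTS, allowed_sources={"10.0.1.10"}):
        print(f"ALERT {a.computer}: {a.interface} from {a.source_address} "
              f"in {a.process}")
```

Run as-is it prints a single alert for the 10.0.5.23 workstation; drop the allow-list argument and the jump-host call fires too, which is exactly the tuning decision the summary leaves to each environment. The allow-list keys on SourceAddress rather than ProcessName because the process hosting the DCOM server (typically svchost.exe or wmiprvse.exe) looks the same whether the caller is an administrator or an attacker.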
Categories
  • Network
  • Endpoint
  • Windows
Data Sources
  • Application Log
  • Process
Created: 2022-01-01