
Summary
This detection rule identifies the Microsoft Management Console (MMC) executing files whose names have been disguised through Right-to-Left Override (RLO) abuse. The technique alters a file name so that it appears to carry a legitimate document extension (e.g., .pdf, .doc) while the file is actually an executable or script. Because RLO characters change how a file name is rendered, a user may run a harmful payload believing the file is safe. The rule monitors execution of `mmc.exe`, which is commonly used for administrative tasks on Windows, and scrutinizes the command-line arguments passed to it; in particular, it looks for Microsoft Management Console snap-ins being invoked with RLO-manipulated file extensions.
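As an added worked example (not the rule's own query or any vendor code), the following Python applies the logic described above to constructed process-creation events: it checks that the image is `mmc.exe`, looks for the RLO character (U+202E) in each command-line argument, and reports both the extension the operating system actually uses and the one a user would see in a bidi-aware file listing. The event field names `image` and `command_line`, the document/executable extension lists, the simplified rendering model and the sample events are all assumptions made for the example.

```python
"""Added example: flag mmc.exe executions whose command line carries a
Right-to-Left Override (RLO) character that disguises a script or executable
as a document. Sample events below are constructed, not real telemetry."""

import re

RLO = "\u202e"  # U+202E RIGHT-TO-LEFT OVERRIDE

# Extensions an attacker wants the file to *appear* to have (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Extensions Windows or mmc.exe will actually execute/load (assumed list;
# .msc is the MMC console file format that mmc.exe itself opens).
EXECUTABLE_EXTS = {".msc", ".exe", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}


def split_args(cmdline):
    """Split a Windows-style command line into tokens, honouring double quotes."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def rendered_name(name):
    """Approximate how a bidi-aware UI displays a name containing RLO: the text
    after the override is drawn right-to-left, i.e. visually reversed.
    This is a simplification of the Unicode bidi algorithm that is accurate
    for the plain-ASCII tails used in this trick."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]


def real_extension(name):
    """Extension the OS actually uses: taken from the last dot of the raw
    (logical-order) file name, ignoring any directory components."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    idx = base.rfind(".")
    return base[idx:].lower() if idx != -1 else ""


def apparent_extension(name):
    """Extension a user sees once the RLO override has reversed the tail."""
    return real_extension(rendered_name(name))


def analyze_mmc_event(event):
    """Return an alert dict for an mmc.exe process-creation event whose
    command line contains an RLO-bearing argument, else None.
    `event` is a dict with assumed EDR/Sysmon-like fields `image` and
    `command_line`."""
    image = event.get("image", "")
    if not image.lower().replace("\\", "/").endswith("/mmc.exe"):
        return None
    for arg in split_args(event.get("command_line", "")):
        if RLO not in arg:
            continue
        real = real_extension(arg)
        shown = apparent_extension(arg)
        return {
            "image": image,
            "argument": arg,
            "displayed_as": rendered_name(arg),
            "real_extension": real,
            "apparent_extension": shown,
            # Strongest signal: looks like a document, executes as code.
            "disguised_as_document": shown in DOCUMENT_EXTS and real in EXECUTABLE_EXTS,
        }
    return None


def scan(events):
    """Run the check over a batch of events and keep only the alerts."""
    return [a for a in (analyze_mmc_event(e) for e in events) if a]


# Constructed sample events: one disguised .msc opened by mmc.exe, one benign
# snap-in launch, and one RLO name opened by a process the rule ignores.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mmc.exe",
     "command_line": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\notes' + RLO + 'cod.msc"'},
    {"image": r"C:\Windows\System32\mmc.exe",
     "command_line": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\services.msc'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": r'notepad.exe C:\Users\alice\Downloads\readme' + RLO + 'fdp.exe'},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample produces an alert: the raw argument ends in `.msc`, which mmc.exe loads, while the rendered name ends in `.doc`. Matching on the image name plus the presence of U+202E keeps the rule narrow; the real/apparent extension pair is there to give the analyst triage context rather than to gate the alert.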
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2025-02-05