diff --git a/windows/builtin/alert_mimikatz_keywords.yml b/windows/builtin/alert_mimikatz_keywords.yml
index 2955dd01d..a147d065b 100644
--- a/windows/builtin/alert_mimikatz_keywords.yml
+++ b/windows/builtin/alert_mimikatz_keywords.yml
@@ -14,7 +14,7 @@ detection:
 - privilege::debug
 - sekurlsa::logonpasswords
 - lsadump::sam
- condition: selection[0] and 1 of keywords
+ condition: selection and 1 of keywords
 falsepositives:
 - Naughty administrators
 - Penetraion test
diff --git a/windows/builtin/av_relevant_match.yml b/windows/builtin/av_relevant_match.yml
index 8c62806ab..41c70b40f 100644
--- a/windows/builtin/av_relevant_match.yml
+++ b/windows/builtin/av_relevant_match.yml
@@ -28,7 +28,7 @@ detection:
 - Keygen
 - Crack
 condition:
- selection[0] and 1 of keywords and not 1 of filters
+ selection and 1 of keywords and not 1 of filters
 falsepositives:
 - Some software piracy tools (key generators, cracks) are classified as hack tools
 level: 70
\ No newline at end of file
diff --git a/windows/builtin/susp_eventlog_cleared.yml b/windows/builtin/susp_eventlog_cleared.yml
index 400485e55..42c65e1f9 100644
--- a/windows/builtin/susp_eventlog_cleared.yml
+++ b/windows/builtin/susp_eventlog_cleared.yml
@@ -6,7 +6,7 @@ detection:
 EventID:
 - 517
 - 1102
- condition: selection[0]
+ condition: selection
 falsepositives:
 - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
 - System provisioning (system reset before the golden image creation)
diff --git a/windows/builtin/susp_failed_logon_reasons.yml b/windows/builtin/susp_failed_logon_reasons.yml
index e582ffef3..b606382b5 100644
--- a/windows/builtin/susp_failed_logon_reasons.yml
+++ b/windows/builtin/susp_failed_logon_reasons.yml
@@ -12,7 +12,7 @@ detection:
 - 0xC0000070
 - 0xC0000413
 - 0xC000018C
- condition: selection[0]
+ condition: selection
 falsepositives:
 - User using a disabled account
 level: 70
\ No newline at end of file
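Review bot: The rewritten `condition:` in av_relevant_match.yml keeps its expression on a separate continuation line, while every other rule touched by this commit writes `condition: <expression>` on one line; `condition: selection and 1 of keywords and not 1 of filters` on a single line would keep the files consistent and avoids relying on YAML plain-scalar line folding. This file and susp_failed_logon_reasons.yml also still end without a trailing newline, as the `\ No newline at end of file` markers show, which is worth fixing while these lines are being touched. The `detection:` blocks start outside the hunks, so the `selection` definitions the new conditions refer to are not visible here.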
diff --git a/windows/builtin/susp_failed_logons_single_source.yml b/windows/builtin/susp_failed_logons_single_source.yml
index 3e96ced9a..05974518a 100644
--- a/windows/builtin/susp_failed_logons_single_source.yml
+++ b/windows/builtin/susp_failed_logons_single_source.yml
@@ -10,7 +10,7 @@ detection:
 UserName: not null
 SourceWorkstation: not null
 timeframe: last 24h
- condition: selection[0] | ( count(UserName) by SourceWorkstation ) > 3
+ condition: selection | ( count(UserName) by SourceWorkstation ) > 3
 falsepositives:
 - Terminal servers
 - Jump servers
diff --git a/windows/sysmon/susp_mmc_source.yml b/windows/sysmon/susp_mmc_source.yml
new file mode 100644
index 000000000..97e18dc69
--- /dev/null
+++ b/windows/sysmon/susp_mmc_source.yml
@@ -0,0 +1,15 @@
+description: Proceses created by MMC
+comment: Processes started by MMC could by a sign of lateral movement using MMC application COM object
+reference: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
+detection:
+ selection:
+ - EventLog: Microsoft-Windows-Sysmon/Operational
+ EventID: 1
+ ParentImage: '*\mmc.exe'
+ Image: '*\cmd.exe'
+ exclusion:
+ - CommandLine: '*\RunCmd.cmd'
+ condition: selection and not exclusion
+falsepositives:
+ - unknown
+level: 70
\ No newline at end of file
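Review bot: In the new susp_mmc_source.yml, `falsepositives: - unknown` contradicts the `exclusion` block directly above it, which already encodes a known benign case (`CommandLine: '*\RunCmd.cmd'`); list that case under `falsepositives` and explain in `comment` why it is filtered, otherwise the next maintainer cannot tell whether the exclusion is still needed or where it came from. The exclusion matches only on a filename suffix behind a leading wildcard, so it suppresses every cmd.exe launched under mmc.exe whose command line ends in that name from any location; anchoring it to the expected full path keeps the suppression as narrow as the benign case it was written for. The selection is also limited to `Image: '*\cmd.exe'`, which is narrower than the referenced MMC20.Application technique implies, so if that scope is deliberate it should be stated in `comment`. The `description` and `comment` values carry typos as well: `description: Processes created by MMC` and `could be a sign of lateral movement`.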