title: Processes created by MMC 
status: experimental
description: Processes started by MMC could by a sign of lateral movement using MMC application COM object 
reference: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        ParentImage: '*\mmc.exe'
        Image: '*\cmd.exe'
    exclusion:
        CommandLine: '*\RunCmd.cmd'
    condition: selection and not exclusion
falsepositives:
    - unknown
level: medium