diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml
new file mode 100644
index 000000000..671662da7
--- /dev/null
+++ b/rules/windows/lateral_movement_dcom_mmc20.toml
@@ -0,0 +1,47 @@
+[metadata]
+creation_date = "2020/11/06"
+maturity = "production"
+updated_date = "2020/11/06"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via
+the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move
+laterally.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License"
+name = "Incoming DCOM Lateral Movement with MMC"
+references = ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"]
+risk_score = 73
+rule_id = "51ce96fb-9e52-4dad-b0ba-99b54440fc9a"
+severity = "high"
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
+type = "eql"
+
+query = '''
+sequence by host.id with maxspan=1m
+ [network where event.type == "start" and process.name : "mmc.exe" and
+  source.port >= 49152 and destination.port >= 49152 and source.address not in ("127.0.0.1", "::1") and
+  network.direction == "incoming" and network.transport == "tcp"
+ ] by process.entity_id
+ [process where event.type in ("start", "process_started") and process.parent.name : "mmc.exe"
+ ] by process.parent.entity_id
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"