Remote Task Creation via ATSVC Named Pipe

Sigma Rules

Summary
This detection rule identifies unauthorized remote task creation attempts on Windows systems made with the 'at.exe' command or with Windows APIs that talk to the ATSVC named pipe. The ATSVC (Advanced Task Scheduler Service) manages scheduled tasks in Windows environments; it can be abused to create tasks remotely, which enables lateral movement within a network. The rule looks for Event ID 5145, which is logged when a network share object is checked for access, and focuses on access to the IPC$ share, where the atsvc named pipe is exposed. If a remote write operation on this share targets the atsvc named pipe, the rule fires and marks the event as a potential security incident. Enabling the advanced audit policy for Object Access is crucial for the rule's effectiveness, because Event ID 5145 is only generated when that auditing is configured. This detection matters in environments where unauthorized task manipulation could compromise system integrity and facilitate attacker persistence on compromised hosts.
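The following checker applies the detection logic described above to Windows Security Event ID 5145 records. It is an added example, not the Sigma rule itself or code from the rule's author. The field names (ShareName, RelativeTargetName, AccessMask, SubjectUserName, IpAddress) follow the Event ID 5145 schema; the sample records are constructed for illustration, and the choice to treat the FILE_WRITE_DATA bit (0x2) of AccessMask as "write access" is an assumption about how a write operation on the pipe shows up in the event.

```python
"""
Added example: apply the 'remote write to the atsvc pipe on IPC$' detection
logic to Event ID 5145 records. Not the original Sigma rule or its author's
code; the sample events below are constructed.
"""

# FILE_WRITE_DATA (0x2) is the access bit used here to mean "write to the pipe".
# Event 5145 reports the requested access as a hex string in AccessMask.
FILE_WRITE_DATA = 0x2


def is_remote_atsvc_write(event):
    """True if the record is a 5145 event for a write to the atsvc pipe on IPC$."""
    if event.get("EventID") != 5145:
        return False
    # Real 5145 events usually report the share as "\\*\IPC$"; matching on the
    # "\IPC$" suffix also covers a literal server name in that position.
    share = event.get("ShareName", "").upper()
    if not share.endswith("\\IPC$"):
        return False
    # RelativeTargetName is the object name relative to the share (the pipe name).
    if event.get("RelativeTargetName", "").lower() != "atsvc":
        return False
    try:
        mask = int(event.get("AccessMask", "0x0"), 16)
    except ValueError:
        return False
    return bool(mask & FILE_WRITE_DATA)


def find_remote_task_creation(events):
    """Return (SubjectUserName, IpAddress) for every matching event, in order."""
    return [
        (e.get("SubjectUserName"), e.get("IpAddress"))
        for e in events
        if is_remote_atsvc_write(e)
    ]


# Constructed sample records (not real telemetry). Only the first one should fire.
SAMPLE_EVENTS = [
    {   # remote client writes to the atsvc pipe on IPC$ -> match
        "EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.25",
        "ShareName": r"\\*\IPC$", "RelativeTargetName": "atsvc",
        "AccessMask": "0x12019f",
    },
    {   # read-only access to atsvc (no FILE_WRITE_DATA bit) -> no match
        "EventID": 5145, "SubjectUserName": "svc-monitor", "IpAddress": "10.0.0.7",
        "ShareName": r"\\*\IPC$", "RelativeTargetName": "atsvc",
        "AccessMask": "0x100080",
    },
    {   # write to a different pipe on IPC$ -> no match
        "EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.25",
        "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc",
        "AccessMask": "0x12019f",
    },
    {   # same pipe name but on ADMIN$, not IPC$ -> no match
        "EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.25",
        "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "atsvc",
        "AccessMask": "0x12019f",
    },
    {   # different event id (share accessed, not object access check) -> no match
        "EventID": 5140, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.25",
        "ShareName": r"\\*\IPC$", "RelativeTargetName": "atsvc",
        "AccessMask": "0x12019f",
    },
]


if __name__ == "__main__":
    for user, ip in find_remote_task_creation(SAMPLE_EVENTS):
        print(f"remote atsvc write: user={user} source={ip}")
```

Event ID 5145 is produced by the "Detailed File Share" subcategory of the Object Access audit policy; if that subcategory is not enabled on the target host, no record reaches the checker and the rule cannot fire, which is the configuration dependency the summary points out.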
Categories
  • Windows
  • Endpoint
Data Sources
  • Named Pipe
  • Logon Session
  • Network Share
  • Process
Created: 2019-04-03