
Summary
This detection rule identifies lateral movement in which an attacker uses remote procedure calls (RPC) to the SASec interface to create or execute scheduled tasks on a remote host. It monitors the RPC Firewall product, targeting RPC calls whose interface UUID and operation number correspond to scheduled task creation and execution. The rule triggers when the `RPCFW` event log emits an event with Event ID 3 whose interface UUID is the SASec scheduled task interface. Because this activity is commonly associated with attacker lateral movement, the rule is an important defensive control in environments where scheduled task manipulation can indicate unauthorized remote access and execution. The rule draws on Microsoft's documentation of the interface and related resources, and offers a proactive way to strengthen security posture against such threats.
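As an added example (not part of the rule or the RPC Firewall project), the following Python implements the selection logic the summary describes and runs it over a few constructed RPCFW records. The SASec interface UUID is taken from Microsoft's MS-TSCH specification and should be checked against the rule's own value; the OpNum set, the record field names (`EventLog`, `EventID`, `InterfaceUuid`, `OpNum`, `SourceAddress`) and the sample records are assumptions made for this example.

```python
"""Toy matcher for the RPC Firewall (RPCFW) SASec lateral-movement rule.

Constructed example, not the rule's own implementation. Field names
(EventLog, EventID, InterfaceUuid, OpNum, SourceAddress) are assumed to
mirror how the rule expresses its selection; check them against your
RPCFW event schema before running this over real data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Assumed from MS-TSCH: the SASec interface UUID. Verify it against the
# value used by the rule before relying on it.
SASEC_INTERFACE_UUID = "378e52b0-c0a9-11cf-822d-00aa0051e40f"

# Placeholder: the OpNums the rule flags. Take the real list from the rule.
SUSPICIOUS_OPNUMS = {0, 1}

# RPCFW event ID for an observed RPC call, as stated in the summary.
RPCFW_CALL_EVENT_ID = 3


@dataclass(frozen=True)
class RpcfwEvent:
    event_log: str
    event_id: int
    interface_uuid: str
    opnum: int
    source_address: str


def parse_event(raw: dict) -> RpcfwEvent:
    """Normalise one raw RPCFW record (dict from EVTX/JSON) into a typed event."""
    return RpcfwEvent(
        event_log=str(raw.get("EventLog", "")),
        event_id=int(raw.get("EventID", -1)),
        # UUIDs appear in either case and sometimes with braces; normalise both.
        interface_uuid=str(raw.get("InterfaceUuid", "")).strip("{}").lower(),
        opnum=int(raw.get("OpNum", -1)),
        source_address=str(raw.get("SourceAddress", "")),
    )


def is_sasec_lateral_movement(ev: RpcfwEvent) -> bool:
    """Selection: RPCFW log, Event ID 3, SASec interface UUID, flagged OpNum."""
    return (
        ev.event_log == "RPCFW"
        and ev.event_id == RPCFW_CALL_EVENT_ID
        and ev.interface_uuid == SASEC_INTERFACE_UUID
        and ev.opnum in SUSPICIOUS_OPNUMS
    )


def find_alerts(raw_events: Iterable[dict]) -> list[RpcfwEvent]:
    """Run the selection over a stream of raw records and return the matches."""
    return [ev for ev in map(parse_event, raw_events) if is_sasec_lateral_movement(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # SASec call with a flagged OpNum from a remote host: should match.
    {"EventLog": "RPCFW", "EventID": 3,
     "InterfaceUuid": "{378E52B0-C0A9-11CF-822D-00AA0051E40F}",
     "OpNum": 0, "SourceAddress": "10.0.0.25"},
    # Same interface but an OpNum outside the flagged set: should not match.
    {"EventLog": "RPCFW", "EventID": 3,
     "InterfaceUuid": "378e52b0-c0a9-11cf-822d-00aa0051e40f",
     "OpNum": 3, "SourceAddress": "10.0.0.25"},
    # A different interface UUID (placeholder value): should not match.
    {"EventLog": "RPCFW", "EventID": 3,
     "InterfaceUuid": "00000000-0000-0000-0000-000000000000",
     "OpNum": 0, "SourceAddress": "10.0.0.25"},
    # Right interface, but not the Event ID the rule selects: should not match.
    {"EventLog": "RPCFW", "EventID": 5,
     "InterfaceUuid": "378e52b0-c0a9-11cf-822d-00aa0051e40f",
     "OpNum": 0, "SourceAddress": "10.0.0.25"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: SASec OpNum {alert.opnum} from {alert.source_address}")
```

The source address is carried through on each match so that an analyst can baseline known administrative hosts when tuning the rule; the UUID normalisation matters because RPCFW and other collectors do not agree on the case or bracing of interface identifiers, and a case-sensitive comparison would silently miss events.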
Categories
- Network
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
Created: 2022-01-01