
Summary
The rule detects reconnaissance activity that uses Remote Procedure Call (RPC) to read scheduled task information through the SASec interface. It relies on the RPC Firewall, which must be deployed on the monitored host because it is the component that generates the log events the rule consumes. By assessing the logs produced by the RPC Firewall, the rule triggers on event log entries indicating attempts to read scheduled tasks remotely. The detection filters event log entries where the source is RPCFW and the EventID is 3, and keeps only calls whose operation number (OpNum) is 0 or 1; calls with any other OpNum are excluded. By applying this rule, organizations can identify and respond to potential lateral movement tactics employed by adversaries attempting to gather system information.
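The following is an added example, not part of the original rule page or the RPC Firewall project, showing the filter described above applied to a few constructed RPC Firewall log records. The record layout (Source, EventID, Interface, OpNum, ClientAddress), the interface being identified by the name "SASec", and all sample values are assumptions made for this example; real RPCFW events carry their own field names and identify the interface differently.

```python
"""Toy detection for remote scheduled-task recon via SASec, modelled on the
rule summary above. Field names and sample events are constructed for this
example; they are not real RPC Firewall output."""

from collections import Counter
from typing import Dict, Iterable, List

RPCFW_SOURCE = "RPCFW"          # log source the rule filters on
RPCFW_CALL_EVENT_ID = 3         # EventID the rule filters on
SASEC_RECON_OPNUMS = {0, 1}     # OpNums the rule keeps; everything else is dropped
SASEC_INTERFACE = "SASec"       # assumption: interface identified by name in this layout


def is_sasec_recon(event: Dict[str, object]) -> bool:
    """Return True when a single event satisfies every condition of the rule."""
    if event.get("Source") != RPCFW_SOURCE:
        return False
    if event.get("EventID") != RPCFW_CALL_EVENT_ID:
        return False
    if event.get("Interface") != SASEC_INTERFACE:
        return False
    # OpNum may arrive as a string depending on the log pipeline; normalise it
    # and treat anything unparsable as a non-match rather than raising.
    try:
        opnum = int(event.get("OpNum"))  # type: ignore[arg-type]
    except (TypeError, ValueError):
        return False
    return opnum in SASEC_RECON_OPNUMS


def find_sasec_recon(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Apply the rule to a stream of events and return the matching ones."""
    return [e for e in events if is_sasec_recon(e)]


def summarize_by_client(matches: Iterable[Dict[str, object]]) -> Dict[str, int]:
    """Count matches per calling host; a useful first triage view since one
    client touching SASec on many hosts is the pattern the rule is after."""
    return dict(Counter(str(e.get("ClientAddress", "unknown")) for e in matches))


# Constructed sample events (not real logs). Only the first two should match.
SAMPLE_EVENTS = [
    {"Source": "RPCFW", "EventID": 3, "Interface": "SASec", "OpNum": 0, "ClientAddress": "10.0.0.25"},
    {"Source": "RPCFW", "EventID": 3, "Interface": "SASec", "OpNum": "1", "ClientAddress": "10.0.0.25"},
    {"Source": "RPCFW", "EventID": 3, "Interface": "SASec", "OpNum": 2, "ClientAddress": "10.0.0.30"},
    {"Source": "RPCFW", "EventID": 5, "Interface": "SASec", "OpNum": 0, "ClientAddress": "10.0.0.30"},
    {"Source": "Security", "EventID": 3, "Interface": "SASec", "OpNum": 0, "ClientAddress": "10.0.0.40"},
    {"Source": "RPCFW", "EventID": 3, "Interface": "ATSvc", "OpNum": 0, "ClientAddress": "10.0.0.40"},
]

if __name__ == "__main__":
    hits = find_sasec_recon(SAMPLE_EVENTS)
    for hit in hits:
        print("ALERT remote scheduled-task recon via SASec:", hit)
    print("per-client counts:", summarize_by_client(hits))
```

The per-client summary is where a defender would start: a single source address generating SASec OpNum 0/1 calls against several hosts is the discovery pattern worth escalating, whereas an isolated call from a known management server is usually a tuning candidate.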
Categories
- Windows
- Network
- On-Premise
Data Sources
- Application Log
- Network Traffic
Created: 2022-01-01