
Remote Task Creation via ATSVC Named Pipe - Zeek

Sigma Rules

Summary
This detection rule identifies remote scheduled-task creation on Windows hosts through the ATSVC named pipe, the SMB endpoint for the Task Scheduler RPC interface that at.exe and remote-execution tooling use to register tasks on another machine. It is written for Zeek, a network security monitoring tool, and works on Zeek's smb_files log rather than on host telemetry: a client that opens the atsvc pipe on a server's IPC$ share is, in almost every case, about to create or modify a scheduled task on that remote host, which is a well-known lateral movement technique. The rule therefore looks for SMB file opens whose path is the IPC$ share and whose name is the atsvc pipe. Because it only sees the pipe being opened on the wire, it cannot tell what task was scheduled or whether the operation succeeded; matches should be correlated with host-side events on the target (scheduled task creation, subsequent process creation) and checked against known administrative sources before being treated as malicious. A single source host opening the pipe on many targets in a short window is the pattern that most deserves investigation.
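As an added illustration, not code from the rule or from the original page, the following Python applies the matching logic described above to Zeek smb_files records. It assumes Zeek is configured to emit JSON lines with the standard smb_files.log field names (ts, id.orig_h, id.resp_h, action, path, name), and that the selection is "path contains \IPC$ and name ends with atsvc", compared case-insensitively; the exact Sigma condition may differ in detail. The log lines are constructed samples, and the per-source target count is an addition for triage, not part of the rule.

```python
import json
from typing import Iterable

# Constructed sample of Zeek smb_files records in JSON-lines form (not real traffic).
# Field names follow Zeek's smb_files.log: ts, id.orig_h, id.resp_h, action, path, name.
SAMPLE_SMB_FILES = r"""
{"ts":1585900000.1,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.20","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.20\\IPC$","name":"atsvc"}
{"ts":1585900001.2,"id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.20","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.20\\C$","name":"Windows\\Temp\\update.exe"}
{"ts":1585900002.3,"id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.21","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.21\\IPC$","name":"srvsvc"}
{"ts":1585900003.4,"id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.22","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.22\\IPC$","name":"\\ATSVC"}
{"ts":1585900004.5,"id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.23","action":"SMB::FILE_OPEN","path":"\\\\10.0.0.23\\C$","name":"atsvc"}
"""


def parse_smb_files(log_text: str) -> Iterable[dict]:
    """Yield one dict per non-empty JSON line; lines that do not parse are skipped."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_atsvc_pipe_open(rec: dict) -> bool:
    """Selection assumed from the rule summary: IPC$ share and a name ending in 'atsvc'.

    Comparison is case-insensitive because SMB names are. Requiring '\\IPC$' in the
    path keeps a file literally named 'atsvc' on a normal share (C$) from matching.
    """
    path = (rec.get("path") or "").upper()
    name = (rec.get("name") or "").upper()
    return "\\IPC$" in path and name.endswith("ATSVC")


def find_remote_task_pipe_opens(log_text: str) -> list[dict]:
    """Return one alert per matching record with the fields an analyst needs to pivot."""
    alerts = []
    for rec in parse_smb_files(log_text):
        if is_atsvc_pipe_open(rec):
            alerts.append({
                "ts": rec.get("ts"),
                "src": rec.get("id.orig_h"),
                "dst": rec.get("id.resp_h"),
                "name": rec.get("name"),
            })
    return alerts


def sources_by_target_count(alerts: list[dict]) -> dict[str, int]:
    """Distinct targets per source host (added triage helper, not part of the rule).

    One source opening the pipe on many hosts is the lateral-movement shape.
    """
    targets: dict[str, set] = {}
    for a in alerts:
        targets.setdefault(a["src"], set()).add(a["dst"])
    return {src: len(dsts) for src, dsts in targets.items()}


if __name__ == "__main__":
    hits = find_remote_task_pipe_opens(SAMPLE_SMB_FILES)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']} opened pipe {h['name']}")
    print(sources_by_target_count(hits))
```

On the constructed sample only the two IPC$ opens of atsvc fire; the srvsvc pipe and the file named atsvc on C$ are correctly ignored.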
Categories
  • Windows
  • Network
  • Endpoint
Data Sources
  • Named Pipe
  • Network Traffic
  • Logon Session
Created: 2020-04-03