
Remote Schedule Task Lateral Movement via ATSvc

Sigma Rules

Summary
This detection rule identifies potential lateral movement in which an attacker uses Remote Procedure Call (RPC) to create scheduled tasks on a remote host through the legacy AT Service interface (ATSvc, defined in MS-TSCH). It consumes the events that the RPC Firewall writes to the 'RPCFW' event log for RPC calls it audits or blocks, and matches remote calls whose interface UUID is that of ATSvc (1ff70682-0a51-30e8-076d-740be8cee98b) and whose OpNum is 0 (NetrJobAdd, which creates a job) or 1 (NetrJobDel, which deletes one). The interface UUID is the key filter: it restricts the match to the AT scheduler interface rather than the newer ITaskSchedulerService interface, which is covered separately. Note that ATSvc has no "execute" operation; a job created with NetrJobAdd runs at its scheduled time under the task scheduler, and NetrJobDel is what an attacker calls to clean up afterwards, so both opnums are worth alerting on. Because the telemetry comes from the RPC Firewall, the rule only fires on hosts where it is installed and configured to audit (or block) calls to this interface; without it nothing is logged. The rule is tagged with the ATT&CK lateral movement tactic and with T1053 (Scheduled Task/Job) and its sub-technique T1053.002 (At).
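The following is an added example, not code from the Sigma rule page or the RPC Firewall project: a small Python evaluator that applies the rule's selection logic (EventLog RPCFW, EventID 3, the ATSvc interface UUID, OpNum 0 or 1) to constructed RPC Firewall-style events. The ATSvc and ITaskSchedulerService UUIDs and the ATSvc opnum names come from the MS-TSCH specification; EventID 3 is the event the published rule filters on; the SourceAddress field is an assumption used only for reporting, and the sample events are constructed, not captured logs.

```python
# Added example (not part of the Sigma rule page or the RPC Firewall project):
# evaluates the rule's selection over constructed RPC Firewall-style events.
# Field names follow the rule's Sigma selection (EventLog, EventID,
# InterfaceUuid, OpNum); 'SourceAddress' is an assumed extra field.

ATSVC_UUID = "1ff70682-0a51-30e8-076d-740be8cee98b"          # MS-TSCH ATSvc
ITASKSCHED_UUID = "86d35949-83c9-4044-b424-db363231fd0c"     # MS-TSCH ITaskSchedulerService

# ATSvc opnums as defined in MS-TSCH; only 0 and 1 are in the rule's selection.
ATSVC_OPNUMS = {0: "NetrJobAdd", 1: "NetrJobDel", 2: "NetrJobEnum", 3: "NetrJobGetInfo"}

# Mirrors the Sigma 'selection' block: every key must match; a list is a logical OR.
SELECTION = {
    "EventLog": "RPCFW",
    "EventID": 3,                 # RPC Firewall's RPC call event (what the published rule filters on)
    "InterfaceUuid": ATSVC_UUID,
    "OpNum": [0, 1],
}


def field_matches(actual, expected) -> bool:
    """Compare one event field against one selection value.

    Sigma string matching is case-insensitive, which matters here because
    RPC UUIDs are sometimes logged in upper case; integers compare directly.
    """
    candidates = expected if isinstance(expected, list) else [expected]
    for exp in candidates:
        if isinstance(exp, str) and isinstance(actual, str):
            if actual.lower() == exp.lower():
                return True
        elif actual == exp:
            return True
    return False


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """Sigma 'condition: selection' with one selection: all fields must match."""
    return all(field_matches(event.get(name), value) for name, value in selection.items())


def evaluate(events):
    """Return (event index, ATSvc operation name, source address) for every hit."""
    hits = []
    for idx, ev in enumerate(events):
        if matches_selection(ev):
            op = ATSVC_OPNUMS.get(ev["OpNum"], f"opnum {ev['OpNum']}")
            hits.append((idx, op, ev.get("SourceAddress")))
    return hits


# Constructed events (not real logs). Index 0 and 4 should fire; the others
# show how a similar-looking record is excluded.
SAMPLE_EVENTS = [
    {"EventLog": "RPCFW", "EventID": 3, "InterfaceUuid": ATSVC_UUID.upper(),
     "OpNum": 0, "SourceAddress": "10.0.0.15"},          # remote NetrJobAdd: hit
    {"EventLog": "RPCFW", "EventID": 3, "InterfaceUuid": ATSVC_UUID,
     "OpNum": 2, "SourceAddress": "10.0.0.15"},          # NetrJobEnum (listing jobs): not in rule
    {"EventLog": "RPCFW", "EventID": 3, "InterfaceUuid": ITASKSCHED_UUID,
     "OpNum": 1, "SourceAddress": "10.0.0.15"},          # newer Task Scheduler interface: other rule
    {"EventLog": "Security", "EventID": 3, "InterfaceUuid": ATSVC_UUID,
     "OpNum": 0, "SourceAddress": "10.0.0.15"},          # wrong log source
    {"EventLog": "RPCFW", "EventID": 3, "InterfaceUuid": ATSVC_UUID,
     "OpNum": 1, "SourceAddress": "10.0.0.22"},          # remote NetrJobDel (cleanup): hit
]

if __name__ == "__main__":
    for idx, op, src in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: ATSvc {op} from {src}")
```

In a real deployment the RPC Firewall writes these values into a free-text event message, so a SIEM field extraction has to map them onto the names above before the rule can match; the case-insensitive UUID comparison is there because different collectors normalise UUID case differently.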
Categories
  • Windows
  • Network
  • Endpoint
Data Sources
  • Process
  • Application Log
Created: 2022-01-01