
Summary
This detection rule aims to identify potential lateral movement by monitoring GPO (Group Policy Object) scheduled tasks, a technique attackers can use to deploy ransomware across many systems at once. The rule focuses on two event IDs: changes to GPO objects in Active Directory (EventID 5136) and detailed file share access to the SYSVOL share, which holds the on-disk evidence of scheduled tasks (EventID 5145). The first selection checks the machine and user extension attributes of GPOs for specific client-side extension GUIDs that indicate a scheduled-task deployment. The second selection looks for file share access on the SYSVOL directory, particularly for a file named 'ScheduledTasks.xml', and checks for write operations that might indicate unauthorized task creation or modification. An alert is triggered when either condition is met, highlighting potential unauthorized manipulation of GPO scheduled tasks. A high alert level is assigned because a possible ransomware deployment demands an urgent response. This rule is particularly significant for Windows environments, where GPOs are commonly used for task automation and management.
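The two selections described above, run over a handful of constructed Windows Security events, as an added example that is not part of the rule page itself. The event field names (EventID, AttributeLDAPDisplayName, AttributeValue, ShareName, RelativeTargetName, AccessMask) are the ones Windows writes into the 5136 and 5145 event XML; the client-side extension GUIDs are assumed from the Group Policy Preferences documentation and should be verified against the rule definition, and the write-bit test uses the FILE_WRITE_DATA and FILE_APPEND_DATA bits of the 5145 AccessMask. The sample events are constructed for illustration only.

```python
# Added example: evaluate the GPO scheduled-task rule against sample events.

# GPO client-side extension GUIDs for Group Policy Preferences scheduled tasks.
# Assumed from Windows GPP documentation; verify against the rule definition.
WATCHED_CSE_GUIDS = {
    "CAB54552-DEEA-4691-817E-ED4A4D1AFC72",  # Scheduled Tasks preference CSE
    "AADCED64-746C-4633-A97C-D61349046527",  # Scheduled Tasks preference tool
}
GPC_EXTENSION_ATTRS = {"gPCMachineExtensionNames", "gPCUserExtensionNames"}

# 5145 AccessMask bits that mean the client asked to write the file:
# FILE_WRITE_DATA (0x2) and FILE_APPEND_DATA (0x4).
WRITE_BITS = 0x2 | 0x4


def matches_gpo_change(ev):
    """Selection 1: EventID 5136 changing a GPO extension attribute to a watched CSE GUID."""
    if ev.get("EventID") != 5136:
        return False
    if ev.get("AttributeLDAPDisplayName") not in GPC_EXTENSION_ATTRS:
        return False
    value = ev.get("AttributeValue", "").upper()
    return any(guid in value for guid in WATCHED_CSE_GUIDS)


def matches_sysvol_write(ev):
    """Selection 2: EventID 5145 write access to ScheduledTasks.xml on the SYSVOL share."""
    if ev.get("EventID") != 5145:
        return False
    if not ev.get("ShareName", "").upper().endswith("\\SYSVOL"):
        return False
    if not ev.get("RelativeTargetName", "").lower().endswith("scheduledtasks.xml"):
        return False
    try:
        mask = int(ev.get("AccessMask", "0x0"), 16)  # logged as hex, e.g. "0x2"
    except ValueError:
        return False
    return bool(mask & WRITE_BITS)


def evaluate(events):
    """Return (selection_name, event) for every event that fires either selection."""
    alerts = []
    for ev in events:
        if matches_gpo_change(ev):
            alerts.append(("gpo_cse_changed", ev))
        elif matches_sysvol_write(ev):
            alerts.append(("sysvol_scheduledtasks_write", ev))
    return alerts


# Constructed sample events (not real telemetry); the GPO GUID is a placeholder.
SAMPLE_EVENTS = [
    {   # AD change adding the scheduled-task CSE to a GPO -> fires selection 1
        "EventID": 5136,
        "ObjectClass": "groupPolicyContainer",
        "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
        "AttributeValue": "[{00000000-0000-0000-0000-000000000000}"
                          "{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]",
    },
    {   # Write of ScheduledTasks.xml under SYSVOL -> fires selection 2
        "EventID": 5145,
        "ShareName": "\\\\*\\SYSVOL",
        "RelativeTargetName": "corp.example\\Policies\\{PLACEHOLDER-GPO-GUID}"
                              "\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml",
        "AccessMask": "0x2",
    },
    {   # Normal client read of the same file (ReadData only) -> no alert
        "EventID": 5145,
        "ShareName": "\\\\*\\SYSVOL",
        "RelativeTargetName": "corp.example\\Policies\\{PLACEHOLDER-GPO-GUID}"
                              "\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml",
        "AccessMask": "0x1",
    },
    {   # Unrelated logon event -> no alert
        "EventID": 4624,
        "LogonType": "3",
    },
]


if __name__ == "__main__":
    for name, ev in evaluate(SAMPLE_EVENTS):
        print(f"ALERT [{name}] EventID={ev['EventID']}")
```

Clients read ScheduledTasks.xml from SYSVOL every Group Policy refresh, so the AccessMask write-bit check is what keeps selection 2 from alerting on routine policy processing; a deployment that only inspects RelativeTargetName would be far noisier.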
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Logon Session
- Active Directory
Created: 2019-04-03