
Summary
This detection rule identifies the creation or modification of scheduled tasks or services deployed through Group Policy Objects (GPOs) in Windows environments. These tasks and services are essential for legitimate system administration, but an attacker who has obtained domain admin privileges can abuse them to push malicious payloads to every domain-joined machine. The rule uses EQL (Event Query Language) to query log data from several sources, filtering for changes to the files that define scheduled tasks and services within the designated GPO paths. It excludes file modifications made by legitimate processes (such as dfsrs.exe, the DFS Replication service that synchronises SYSVOL between domain controllers) to reduce false positives. The risk score is set to low: these actions can signify a potential threat, but they are often part of normal administrative work. The rule is categorised under the Privilege Escalation and Persistence tactics of the MITRE ATT&CK framework. Beyond flagging potentially malicious changes, the detection gives analysts a starting point for further investigation to distinguish legitimate administration from unauthorised activity.
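As an added illustration of the filter described above (example code written for this page, not the rule's own EQL query), the following Python applies the same logic to constructed file events. The SYSVOL path patterns for Group Policy Preferences and the ECS-style field names are assumptions for this example.

```python
import fnmatch

# Assumed locations of the Group Policy Preferences files that define
# machine-scoped scheduled tasks and services (not copied from the rule).
GPO_PREFERENCE_PATTERNS = (
    "?:\\Windows\\SYSVOL\\domain\\Policies\\*\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml",
    "?:\\Windows\\SYSVOL\\domain\\Policies\\*\\Machine\\Preferences\\Services\\Services.xml",
)
# The DFS Replication service rewrites these files when SYSVOL replicates
# between domain controllers, so its writes are excluded as benign.
EXCLUDED_PROCESSES = {"dfsrs.exe"}


def matches_gpo_task_or_service_change(event: dict) -> bool:
    """Return True when a file event looks like a GPO scheduled-task or service write."""
    if event.get("host.os.type") != "windows" or event.get("event.category") != "file":
        return False
    if event.get("event.type") == "deletion":  # removals are not in scope
        return False
    if (event.get("process.name") or "").lower() in EXCLUDED_PROCESSES:
        return False
    path = event.get("file.path", "")
    # Case-insensitive glob match; '?' covers the drive letter, '*' the policy GUID.
    return any(fnmatch.fnmatch(path.lower(), p.lower()) for p in GPO_PREFERENCE_PATTERNS)


def triage(events: list) -> list:
    """Return the file paths of all events the detection would flag."""
    return [e["file.path"] for e in events if matches_gpo_task_or_service_change(e)]


# Constructed sample events: one real hit, one replication write, one deletion,
# and one unrelated file change. The policy GUID below is made up.
_POLICY = "C:\\Windows\\SYSVOL\\domain\\Policies\\{11111111-2222-3333-4444-555555555555}"
SAMPLE_EVENTS = [
    {"host.os.type": "windows", "event.category": "file", "event.type": "change",
     "process.name": "mmc.exe",
     "file.path": _POLICY + "\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml"},
    {"host.os.type": "windows", "event.category": "file", "event.type": "change",
     "process.name": "dfsrs.exe",
     "file.path": _POLICY + "\\Machine\\Preferences\\Services\\Services.xml"},
    {"host.os.type": "windows", "event.category": "file", "event.type": "deletion",
     "process.name": "mmc.exe",
     "file.path": _POLICY + "\\Machine\\Preferences\\Services\\Services.xml"},
    {"host.os.type": "windows", "event.category": "file", "event.type": "creation",
     "process.name": "mmc.exe",
     "file.path": _POLICY + "\\Machine\\Scripts\\Startup\\logon.bat"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("GPO task/service change:", hit)
```

A hit on its own only says that a policy's task or service definition changed; the flagged process, user and policy GUID are what the analyst then reviews to decide whether it was routine administration.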
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Script
- File
- Logon Session
- Process
- Network Traffic
ATT&CK Techniques
- T1484
- T1484.001
- T1053
- T1053.005
Created: 2020-08-13