
Scheduled Task Creation Via Schtasks.EXE

Sigma Rules

Summary
This rule detects instances where the Windows command-line utility `schtasks.exe` is used to create scheduled tasks under a user account. The detection is triggered when a process creation event corresponds to the `schtasks.exe` executable and its command line includes the `/create` argument, which indicates task creation. To reduce false positives, mainly from administrative activity and legitimate software installations, the rule filters out events whose user account name contains the substring 'AUTHORI' or 'AUTORI'. If the remaining conditions are satisfied, an alert is generated, since unauthorized or suspicious use of `schtasks.exe` for task creation may indicate an attempt to persist malicious activity or escalate privileges within a Windows environment.
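As an added example that is not part of the original page or the Sigma project's own code, the following Python re-implements the detection logic the summary describes and runs it over a few constructed process-creation events. The event field names (`image`, `command_line`, `user`), the helper names and the sample values are assumptions chosen for illustration.

```python
"""Re-implementation of the 'Scheduled Task Creation Via Schtasks.EXE' logic (added example).

Field names and sample events are constructed for illustration; they are not
taken from any real log source.
"""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Constructed stand-in for a Windows process-creation event."""
    image: str          # full path of the created process image
    command_line: str   # command line of the created process
    user: str           # account the process runs as, e.g. DOMAIN\user


# Substrings of the user field that mark a system/service account.
# Matching is case-insensitive; 'AUTORI' also covers localized names of
# the NT AUTHORITY account family (constructed sample below uses one).
FILTERED_USER_SUBSTRINGS = ("AUTHORI", "AUTORI")


def is_schtasks_create(event: ProcessEvent) -> bool:
    """Selection: the image is schtasks.exe and the command line carries /create."""
    # Match on the image basename; production rules typically also compare
    # the PE OriginalFileName so the match does not depend on the on-disk name.
    image_ok = event.image.lower().endswith("\\schtasks.exe")
    # Tokenize so '/create' is matched as a whole argument, in any letter case.
    create_ok = any(tok.lower() == "/create" for tok in event.command_line.split())
    return image_ok and create_ok


def is_filtered_user(event: ProcessEvent) -> bool:
    """Filter: true when the account name contains one of the excluded substrings."""
    user_upper = event.user.upper()
    return any(s in user_upper for s in FILTERED_USER_SUBSTRINGS)


def matches_rule(event: ProcessEvent) -> bool:
    """Return True when the event should raise the alert (selection and not filter)."""
    return is_schtasks_create(event) and not is_filtered_user(event)


def run_detection(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Return the subset of events that trigger the rule, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events covering the alert case and the main non-alert cases.
SAMPLE_EVENTS = [
    # 1. Interactive user creates a task: selection matches, user not filtered -> alert
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /sc minute /mo 5 /tn "Sync" /tr C:\Users\alice\AppData\Roaming\sync.exe',
                 r"CORP\alice"),
    # 2. Same command under the local system account -> filtered out
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /sc onlogon /tn "Updater" /tr C:\Program Files\Vendor\upd.exe',
                 r"NT AUTHORITY\SYSTEM"),
    # 3. Localized system account name (constructed) -> filtered out via 'AUTORI'
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /sc daily /tn "Backup" /tr C:\Tools\backup.exe',
                 r"AUTORITE NT\Systeme"),
    # 4. schtasks used only to query tasks -> selection does not match
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /query /tn "Sync"',
                 r"CORP\alice"),
    # 5. '/create' appears in the command line of a different image -> no match
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c echo /create",
                 r"CORP\alice"),
    # 6. Upper-case switch from another user -> still an alert (case-insensitive)
    ProcessEvent(r"C:\Windows\SysWOW64\schtasks.exe",
                 r'schtasks.exe /CREATE /sc hourly /tn "Report" /tr C:\Users\bob\report.exe',
                 r"CORP\bob"),
]


if __name__ == "__main__":
    for e in run_detection(SAMPLE_EVENTS):
        print(f"ALERT user={e.user} cmd={e.command_line}")
```

Two points worth keeping in mind when tuning this rule: the user filter is a plain substring test, so it also suppresses any account whose name happens to contain 'AUTHORI' or 'AUTORI', and task creation that runs in the local system context is deliberately not alerted on, so coverage of that case has to come from a separate rule if it is wanted.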
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2019-01-16