WinEvent Scheduled Task Created Within Public Path

Splunk Security Content

Summary
This detection targets the creation of scheduled tasks whose actions point into user-writable paths on Windows systems, using Security Event Code 4698 (a scheduled task was created). It draws on Windows Event Logs to capture tasks created either with the command-line tool schtasks.exe or through the TaskService API. The paths of interest are 'Public', 'ProgramData', 'Temp', and 'AppData', which are typically writable by all users. Tasks created there warrant scrutiny because the pattern is consistent with establishing persistence or running unauthorized commands, which can give an attacker prolonged access, a route to privilege escalation, or arbitrary code execution on the compromised host. The rule therefore helps identify activity that threatens system security and integrity.
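The following is an added example of the detection logic described above, written here in Python rather than taken from the Splunk search itself; it is not Splunk's code. It assumes that 4698 records expose the fields EventCode, Computer, SubjectUserName, TaskName and TaskContent (the task-definition XML), and that the user-writable locations are the four named in the summary; the sample events are constructed for illustration, not captured from a real host.

```python
import re
import xml.etree.ElementTree as ET

# Assumed list of user-writable locations, taken from the summary above; the
# exact pattern list of the Splunk search is not reproduced on this page.
USER_WRITABLE_PATHS = re.compile(
    r"\\(?:users\\public|programdata|temp|appdata)\\", re.IGNORECASE
)

# Namespace used by the task-definition XML that Event 4698 carries in TaskContent.
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"


def _task_xml(command, arguments):
    """Build a minimal task-definition XML body for the constructed samples."""
    return (
        f'<Task version="1.2" xmlns="{TASK_NS}">'
        '<Actions Context="Author"><Exec>'
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed sample records modelled on Security Event 4698 fields
# (illustrative, not captured from a real host).
SAMPLE_EVENTS = [
    {"EventCode": 4698, "Computer": "ws01.example.local", "SubjectUserName": "alice",
     "TaskName": r"\Updater",
     "TaskContent": _task_xml(r"C:\Users\Public\update.exe", "/silent")},
    {"EventCode": 4698, "Computer": "ws01.example.local", "SubjectUserName": "SYSTEM",
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": _task_xml(r"C:\Windows\System32\defrag.exe", "-c -h")},
    # The binary itself is benign; the user-writable path is hidden in the arguments.
    {"EventCode": 4698, "Computer": "ws02.example.local", "SubjectUserName": "bob",
     "TaskName": r"\Maintenance",
     "TaskContent": _task_xml(r"C:\Windows\System32\cmd.exe", r"/c C:\ProgramData\run.bat")},
    # 4702 (task updated) is outside this rule's scope even though the path matches.
    {"EventCode": 4702, "Computer": "ws02.example.local", "SubjectUserName": "bob",
     "TaskName": r"\Cleanup",
     "TaskContent": _task_xml(r"C:\Windows\Temp\clean.exe", "")},
]


def extract_exec_actions(task_content):
    """Return (command, arguments) pairs for every Exec action in the task XML."""
    root = ET.fromstring(task_content)
    actions = []
    for exec_elem in root.iter(f"{{{TASK_NS}}}Exec"):
        command = (exec_elem.findtext(f"{{{TASK_NS}}}Command") or "").strip()
        arguments = (exec_elem.findtext(f"{{{TASK_NS}}}Arguments") or "").strip()
        actions.append((command, arguments))
    return actions


def find_public_path_tasks(events):
    """Flag 4698 events whose task command line references a user-writable path.

    Command and arguments are checked together so that a trusted interpreter
    launching a script from ProgramData or Temp is still caught.
    """
    findings = []
    for event in events:
        if event.get("EventCode") != 4698:
            continue
        for command, arguments in extract_exec_actions(event["TaskContent"]):
            command_line = f"{command} {arguments}".strip()
            if USER_WRITABLE_PATHS.search(command_line):
                findings.append({
                    "computer": event["Computer"],
                    "user": event["SubjectUserName"],
                    "task_name": event["TaskName"],
                    "command_line": command_line,
                })
    return findings


if __name__ == "__main__":
    for finding in find_public_path_tasks(SAMPLE_EVENTS):
        print(f"{finding['computer']} {finding['user']} "
              f"{finding['task_name']}: {finding['command_line']}")
```

Running the script reports the Updater and Maintenance tasks and stays silent on the Defrag task and on the 4702 update event. Matching on the combined command line rather than the Command element alone is the design choice worth keeping when tuning: a task whose binary is cmd.exe or powershell.exe is only suspicious because of the path in its arguments.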
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Logon Session
ATT&CK Techniques
  • T1053.005
  • T1053
Created: 2025-01-27