
Summary
This detection rule identifies suspicious scheduled task creation on Windows by monitoring Security Event ID 4698 (a scheduled task was created). It flags task definitions whose executable path or command-line flags indicate script execution or abuse of legitimate tooling for persistence and privilege escalation. Its selections check for paths under directories commonly used for temporary files or public access, together with executable names and argument patterns frequently seen in malicious tasks. Event 4698 is only written when the Advanced Audit Policy subcategory Object Access > Audit Other Object Access Events is enabled, and the task definition itself is carried as an XML string in the event's TaskContent field, so the command and arguments must be extracted from that embedded XML before the selections can be applied. Expect some false positives from legitimate installers and updaters that stage binaries in temporary or public directories; baseline those before alerting.
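The following Python is an added example, not code from the rule or from the Sigma project. It builds a constructed 4698 record, extracts the Exec command and arguments from the embedded TaskContent XML, and applies selections of the kind the rule describes. The directory, executable and argument lists, the helper names (`build_event_4698`, `parse_event_4698`, `evaluate`) and the sample task definitions are assumptions for illustration, not the rule's exact selections.

```python
"""Added example: parse a Windows Security Event ID 4698 record, pull the
Exec command and arguments out of the embedded TaskContent XML, and apply
illustrative selections.  All lists and sample data below are assumed."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Assumed selections (lower-case for matching), not the rule's exact content.
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\", "\\users\\public\\", "\\windows\\temp\\")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe")
ARG_PATTERNS = [(label, re.compile(rx, re.IGNORECASE)) for label, rx in (
    ("encoded command", r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"),
    ("hidden window", r"-w(indowstyle)?\s+hidden"),
    ("execution policy bypass", r"\bbypass\b"),
    ("download cradle", r"downloadstring|downloadfile|\biex\b|invoke-expression"),
    ("remote url", r"https?://"),
    ("script protocol", r"(java|vb)script:"),
)]
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def build_event_4698(task_name, command, arguments, user="alice",
                     logon_id="0x3e7", event_id=4698):
    """Construct a minimal Security event the way the log renders it: the task
    definition is an XML-escaped string inside the TaskContent field."""
    task_xml = (
        '<?xml version="1.0" encoding="UTF-16"?>'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command>'
        f'<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>'
    )
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f'<EventID>{event_id}</EventID><Channel>Security</Channel></System>'
        f'<EventData><Data Name="SubjectUserName">{escape(user)}</Data>'
        f'<Data Name="SubjectLogonId">{logon_id}</Data>'
        f'<Data Name="TaskName">{escape(task_name)}</Data>'
        f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>'
    )


def parse_event_4698(event_xml):
    """Return subject, task name and (command, arguments) pairs, or None if
    the record is not a 4698 event."""
    root = ET.fromstring(event_xml)
    if root.findtext(f"{EVENT_NS}System/{EVENT_NS}EventID") != "4698":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iter(EVENT_NS + "Data")}
    # TaskContent keeps its UTF-16 declaration even though the log hands us text;
    # expat rejects a multi-byte encoding declaration on str input, so drop it.
    task_root = ET.fromstring(XML_DECL.sub("", data.get("TaskContent", ""), count=1))
    actions = [(ex.findtext(TASK_NS + "Command", default="").strip(),
                ex.findtext(TASK_NS + "Arguments", default="").strip())
               for ex in task_root.iter(TASK_NS + "Exec")]
    return {"user": data.get("SubjectUserName", ""),
            "logon_id": data.get("SubjectLogonId", ""),
            "task_name": data.get("TaskName", ""), "actions": actions}


def evaluate(parsed):
    """Return the selections a parsed event matches; an empty list means no hit."""
    hits = []
    for command, arguments in parsed["actions"]:
        cmd_l, args_l = command.lower(), arguments.lower()
        full = cmd_l + " " + args_l
        hits += [f"path {d}" for d in SUSPICIOUS_DIRS if d in full]
        exe = cmd_l.replace("/", "\\").rsplit("\\", 1)[-1].strip('"')
        if exe in SCRIPT_HOSTS:
            hits.append(f"script host {exe}")
        hits += [f"args {label}" for label, rx in ARG_PATTERNS if rx.search(args_l)]
    return hits


# Constructed sample records (not real log data).
MALICIOUS = build_event_4698(
    r"\Microsoft\Windows\UpdateOrchestrator\Schedule Work",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"-NoP -W Hidden -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1")
BENIGN = build_event_4698(
    r"\Vendor\Updater", r"C:\Program Files\Vendor\updater.exe", "/silent /checknow")

if __name__ == "__main__":
    for record in (MALICIOUS, BENIGN):
        parsed = parse_event_4698(record)
        print(parsed["task_name"], "->", evaluate(parsed) or "no match")
```

The `XML_DECL` stripping is the practical caveat: the embedded task XML declares UTF-16 while the event text is already decoded, and Python's expat refuses that combination on string input. Production parsers that receive the event as raw bytes from the Security channel should decode once and then strip the inner declaration the same way.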
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Scheduled Job
- Logon Session
- Process
Created: 2022-12-05