
Summary
This detection rule identifies PowerShell launched through the Windows Task Scheduler with command-line switches that conceal the PowerShell host but give it nothing to run. The switches of interest hide the console window (-windowstyle hidden / -w hidden) or relax the execution environment (-NoProfile, -NonInteractive, -ExecutionPolicy Bypass), and the task action ends with them rather than with a -Command, -File or -EncodedCommand argument. A scheduled task whose action is only "start PowerShell silently" is a persistence pattern: the payload is supplied by some other means once PowerShell starts. The known example is the "Get-Variable" technique of Colibri Loader (reported April 2022), which drops a copy of itself named Get-Variable.exe into %LOCALAPPDATA%\Microsoft\WindowsApps, a directory on the user's PATH, and registers a task that runs powershell.exe -windowstyle hidden; when PowerShell starts, its lookup of Get-Variable runs the planted executable, so the task action itself carries no payload. Organizations should monitor scheduled-task creation for actions matching this profile and, on a hit, inspect the task author, the task trigger, and any PowerShell-named executables in PATH directories writable by the user.
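The following is an added example of the detection logic described above, written here for illustration; it is not the rule's own query nor any Colibri Loader code. It scans process-creation events (Image and CommandLine fields) for schtasks.exe /Create calls whose /TR action starts PowerShell with concealing switches only, and it also accepts the abbreviated and prefix forms of the switches that powershell.exe tolerates (an assumption about which evasions matter; the switch table is illustrative). The sample events are constructed for this example.

```python
import re
from typing import Iterable

# Canonical powershell.exe / pwsh switches (illustrative list, not exhaustive).
_SWITCHES = [
    "encodedcommand", "command", "file", "windowstyle", "executionpolicy",
    "noprofile", "noninteractive", "nologo", "noexit", "sta", "mta",
    "version", "inputformat", "outputformat", "psconsolefile",
]
# Short forms documented by powershell.exe that are not plain prefixes.
_ALIASES = {"ep": "executionpolicy", "ex": "executionpolicy", "ec": "encodedcommand",
            "e": "encodedcommand", "c": "command", "f": "file", "w": "windowstyle",
            "nop": "noprofile", "noni": "noninteractive", "nol": "nologo", "noe": "noexit"}
_PAYLOAD = {"encodedcommand", "command", "file"}        # these make PowerShell run something
_TAKES_VALUE = {"windowstyle", "executionpolicy", "version",
                "inputformat", "outputformat", "psconsolefile"}
_PS_IMAGES = {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')                  # keeps quoted paths together
_TR_RE = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
_TN_RE = re.compile(r'/tn\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def _canonical(token: str):
    """Map -W, -nop, -ExecutionPolicy, /noprof, ... to the canonical switch name, else None."""
    if len(token) < 2 or token[0] not in "-/":
        return None
    name = token[1:].lower()
    if name in _ALIASES:
        return _ALIASES[name]
    for canon in _SWITCHES:                          # PowerShell also accepts unique prefixes
        if canon.startswith(name):
            return canon
    return None


def is_hidden_powershell_without_payload(action: str) -> bool:
    """True when the action starts PowerShell with concealing switches and nothing to execute:
    no -Command/-File/-EncodedCommand and no positional script or command text."""
    tokens = _TOKEN_RE.findall(action)
    if not tokens:
        return False
    image = tokens[0].strip("\"'").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image not in _PS_IMAGES:
        return False
    concealing = False
    i = 1
    while i < len(tokens):
        canon = _canonical(tokens[i])
        if canon is None or canon in _PAYLOAD:
            return False                             # a script path, inline text, or payload switch
        if canon in _TAKES_VALUE:
            if i + 1 >= len(tokens):
                return False                         # malformed action; PowerShell would reject it
            value = tokens[i + 1].lower()
            if (canon == "windowstyle" and value == "hidden") or \
               (canon == "executionpolicy" and value in ("bypass", "unrestricted")):
                concealing = True
            i += 2
            continue
        if canon in ("noprofile", "noninteractive"):
            concealing = True
        i += 1                                       # -nologo, -sta, -mta, -noexit are neutral
    return concealing


def find_suspicious_task_creations(events: Iterable[dict]) -> list:
    """Return (task name, action) for schtasks.exe /Create events with a payload-less hidden PowerShell action."""
    hits = []
    for ev in events:
        image = ev.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        cmd = ev.get("CommandLine", "")
        if image != "schtasks.exe" or "/create" not in cmd.lower():
            continue
        m = _TR_RE.search(cmd)
        if not m:
            continue
        action = m.group(1) if m.group(1) is not None else m.group(2)
        if is_hidden_powershell_without_payload(action):
            n = _TN_RE.search(cmd)
            task = "?" if not n else (n.group(1) if n.group(1) is not None else n.group(2))
            hits.append((task, action))
    return hits


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /SC ONLOGON /TN "WindowsUpdateCheck" /TR "powershell.exe -windowstyle hidden" /F'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /SC DAILY /ST 02:00 /TN "NightlyBackup" /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /SC MINUTE /MO 5 /TN "Beacon" /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -W hidden -ep bypass"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /SC ONCE /ST 12:00 /TN "Inline" /TR "powershell -w hidden -c Get-Process"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Query /TN "NightlyBackup"'},
]

if __name__ == "__main__":
    for task, action in find_suspicious_task_creations(SAMPLE_EVENTS):
        print(f"suspicious task {task!r}: {action}")
```

Only the first and third sample tasks match: the backup task and the inline task hide the window too, but they carry a -File or -Command argument, so they are ordinary silent script runs rather than the empty-action pattern. The same is_hidden_powershell_without_payload check can be applied to powershell.exe process events whose parent is the Task Scheduler service host, which catches the execution side regardless of how the task was registered. Matching on the schtasks.exe command line alone misses tasks created with /Create /XML (the action lives in the XML file), with the Register-ScheduledTask cmdlet, or through the Task Scheduler COM API, so pair this with task-registration event logging.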
Categories
- Windows
- Endpoint
- On-Premise
Data Sources
- Process
Created: 2022-04-08