
Summary
This detection rule identifies potentially malicious activity involving uncommon execution of Living Off The Land Binaries (LOLBINs) from scheduled tasks in a Windows environment. It monitors the Task Scheduler service for Event ID 129, which records that a scheduled task launched a process, and checks whether the launched executable appears on a list of common system binaries that can be abused for persistence or other malicious purposes. These binaries, such as \calc.exe and \cscript.exe, are typically benign but can be exploited by attackers to evade detection. The rule triggers when the execution path of one of these binaries indicates that the file is located in a suspicious location or is an unexpected choice for a scheduled task, which helps identify persistence mechanisms employed by threat actors. Note that while the rule is effective, it may produce false positives when legitimate scheduled tasks use the listed binaries, so trusted tasks should be filtered before deployment.
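The matching logic described above, written as an added example that is not part of the rule itself: it evaluates constructed Task Scheduler records, keeps only Event ID 129, compares the launched path against a LOLBIN suffix list (only the two names from the summary are used here; the rule's own list is longer), and applies a hypothetical trusted-task allowlist to suppress known-good tasks.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Constructed subset of LOLBIN path suffixes; the rule matches on more names.
LOLBIN_SUFFIXES = ("\\calc.exe", "\\cscript.exe")

# Hypothetical allowlist of trusted task names used to filter false positives.
TRUSTED_TASKS = {"\\Vendor\\NightlyMaintenance"}


@dataclass
class TaskEvent:
    """One record from the Task Scheduler operational log (constructed)."""
    event_id: int
    task_name: str
    path: str  # executable launched by the task


def is_suspicious(ev: TaskEvent) -> bool:
    """True when an Event ID 129 record shows a non-allowlisted task
    launching a binary whose path ends with a LOLBIN name."""
    if ev.event_id != 129:
        return False  # only task-process-created events are considered
    if ev.task_name in TRUSTED_TASKS:
        return False  # known-good task, filtered to reduce false positives
    suffixes = tuple(s.lower() for s in LOLBIN_SUFFIXES)
    return ev.path.lower().endswith(suffixes)


def detect(events: Iterable[TaskEvent]) -> List[TaskEvent]:
    """Return the events that match the detection logic."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    TaskEvent(129, "\\Updater", "C:\\Windows\\System32\\cscript.exe"),
    TaskEvent(129, "\\Backup", "C:\\Program Files\\Backup\\backup.exe"),
    TaskEvent(129, "\\Vendor\\NightlyMaintenance", "C:\\Windows\\System32\\calc.exe"),
    TaskEvent(106, "\\Updater", "C:\\Windows\\System32\\cscript.exe"),
    TaskEvent(129, "\\Sync", "C:\\Users\\Public\\calc.exe"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT task={hit.task_name} path={hit.path}")
```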
Categories
- Endpoint
- Windows
Data Sources
- Scheduled Job
- Process
Created: 2022-12-05