
Summary
The 'Rare Scheduled Task' rule detects suspicious creation and modification of Windows scheduled tasks, which adversaries use to run malicious payloads at chosen times and to survive reboots. It targets Security log Event IDs 4698 (a scheduled task was created), 4702 (a scheduled task was updated) and 4700 (a scheduled task was enabled). A series of regex extractions pulls the task name, the executed process and its arguments out of these events; the rule then keeps only task names that occur a single time in the search window, on the reasoning that a task created or modified once, rather than as part of a recurring operational pattern, is more likely to be attacker-created. Associated threat actors include APT33, APT34/OilRig and FIN7; associated malware includes BianLian, Clop and Trickbot. The rule is aimed at task-scheduling anomalies tied to persistence and privilege escalation, chiefly T1053.005 (Scheduled Task). Five atomic tests for T1053.005 are also listed to validate the detection.
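The following is an added example of the rule's logic run over constructed log records; it is not the rule's own query and the records are sample data, not real telemetry. It assumes the Event Viewer XML layout of Security-log records, in which 4698 carries the task definition XML entity-escaped inside the `TaskContent` data field, 4702 carries it inside `TaskContentNew`, and 4700 carries only `TaskName`. The `make_event` helper, the regexes and the `rare_tasks` function are this example's own names.

```python
import html
import re
from collections import Counter

# Event IDs the rule watches: task created, task enabled, task updated.
WATCHED_EVENT_IDS = {4698, 4700, 4702}

# Regex extractions over the raw Security-log XML record.
RE_EVENT_ID = re.compile(r"<EventID>(\d+)</EventID>")
RE_TASK_NAME = re.compile(r'<Data Name="TaskName">([^<]+)</Data>')
RE_SUBJECT = re.compile(r'<Data Name="SubjectUserName">([^<]+)</Data>')
# 4698 stores the task definition in TaskContent, 4702 in TaskContentNew (assumed layout).
RE_CONTENT = re.compile(r'<Data Name="TaskContent(?:New)?">(.*?)</Data>', re.S)
# Extractions over the task definition XML itself (the <Exec> action).
RE_COMMAND = re.compile(r"<Command>([^<]*)</Command>")
RE_ARGS = re.compile(r"<Arguments>([^<]*)</Arguments>")


def parse_event(raw_xml):
    """Return event id, subject, task name and Exec action for a watched record, else None."""
    m = RE_EVENT_ID.search(raw_xml)
    if not m or int(m.group(1)) not in WATCHED_EVENT_IDS:
        return None  # e.g. 4699 (task deleted) or unrelated events are ignored
    name = RE_TASK_NAME.search(raw_xml)
    if not name:
        return None
    content = RE_CONTENT.search(raw_xml)
    # The task XML sits entity-escaped inside the Security event; unescape before parsing it.
    task_xml = html.unescape(content.group(1)) if content else ""
    cmd = RE_COMMAND.search(task_xml)
    args = RE_ARGS.search(task_xml)
    subj = RE_SUBJECT.search(raw_xml)
    return {
        "event_id": int(m.group(1)),
        "user": subj.group(1) if subj else "",
        "task_name": name.group(1),
        "command": cmd.group(1) if cmd else "",
        "arguments": args.group(1) if args else "",
    }


def rare_tasks(raw_events, threshold=1):
    """Keep events whose task name occurs at most `threshold` times across the watched events."""
    parsed = [p for p in (parse_event(e) for e in raw_events) if p]
    counts = Counter(p["task_name"] for p in parsed)
    return [p for p in parsed if counts[p["task_name"]] <= threshold]


def make_event(event_id, user, task_name, task_xml=None):
    """Build a constructed Security-log record in Event Viewer XML layout (sample data only)."""
    data = [
        f'<Data Name="SubjectUserName">{user}</Data>',
        f'<Data Name="TaskName">{task_name}</Data>',
    ]
    if task_xml is not None:
        field = "TaskContentNew" if event_id == 4702 else "TaskContent"
        data.append(f'<Data Name="{field}">{html.escape(task_xml)}</Data>')
    return (
        "<Event><System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
        f"<EventID>{event_id}</EventID></System><EventData>{''.join(data)}</EventData></Event>"
    )


# Constructed sample task definitions: one routine backup job, one hidden PowerShell launcher.
BACKUP_XML = ("<Task><Actions><Exec><Command>C:\\Windows\\System32\\wbadmin.exe</Command>"
              "<Arguments>start backup -quiet</Arguments></Exec></Actions></Task>")
UPDATER_XML = ("<Task><Actions><Exec><Command>powershell.exe</Command>"
               "<Arguments>-nop -w hidden -enc SQBFAFgA</Arguments></Exec></Actions></Task>")

SAMPLE_EVENTS = [
    make_event(4698, "svc_backup", "\\Microsoft\\Windows\\Backup\\NightlyBackup", BACKUP_XML),
    make_event(4702, "svc_backup", "\\Microsoft\\Windows\\Backup\\NightlyBackup", BACKUP_XML),
    make_event(4700, "svc_backup", "\\Microsoft\\Windows\\Backup\\NightlyBackup"),
    make_event(4698, "jdoe", "\\OneDriveUpdate", UPDATER_XML),
    make_event(4699, "jdoe", "\\OldCleanupJob"),  # task deleted: not a watched event
]

if __name__ == "__main__":
    for hit in rare_tasks(SAMPLE_EVENTS):
        print(f"{hit['event_id']} {hit['user']} {hit['task_name']} -> "
              f"{hit['command']} {hit['arguments']}")
```

Only `\OneDriveUpdate` is reported: the backup task's name appears three times (created, updated, enabled) and is treated as routine, while the 4699 deletion is never counted. Note that a task name seen once is a triage signal rather than proof of compromise, since a first-time software install or an administrator's one-off job also appears once; tune the search window and `threshold` against a baseline of the environment before alerting on this rule.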
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Scheduled Job
- Application Log
ATT&CK Techniques
- T1053.005
- T1029
Created: 2024-02-09