
Schtasks Creation Or Modification With SYSTEM Privileges

Sigma Rules

Summary
This detection rule monitors the creation or modification of scheduled tasks on Windows with elevated privileges, specifically tasks set to run under the 'NT AUTHORITY\SYSTEM' account. Such tasks are a common way for an attacker to maintain persistence or run commands at the system level, so flagging them early matters. The rule triggers on process-creation events in which the 'schtasks.exe' utility is used to create or change a scheduled task, and it inspects the command-line parameters to separate routine administration from potentially malicious use. To reduce false positives, it excludes specific known benign tasks associated with TeamViewer and Avira software. The detection logic combines several conditions, so that any command line matching the designated patterns is flagged for review. This rule is one piece of a broader strategy of monitoring specific, potentially risky system actions.
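To show how the conditions summarised above combine, here is an added Python approximation of the detection run over constructed process-creation events. It is not the published Sigma rule itself: the exact selector strings (the `/create` and `/change` switches, the `/ru` run-as patterns, and the TeamViewer and Avira filter terms) are assumptions chosen to mirror the summary, and the sample events are made up.

```python
import re

# Constructed sample process-creation events (not real telemetry), each with
# the fields a Windows process-creation log would carry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Updater" /tr "C:\Users\Public\u.exe" /ru "NT AUTHORITY\SYSTEM" /sc onlogon'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /change /tn "Backup" /ru SYSTEM'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "TeamViewer Update" /tr "C:\Program Files\TeamViewer\TeamViewer.exe" /ru SYSTEM'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /query /tn "Backup"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c echo /create /ru SYSTEM'},
]

# Assumed selectors approximating the rule as summarised; the published
# rule's exact strings may differ.
TASK_SWITCHES = ("/create", "/change")
# "/ru" (run-as user) followed by SYSTEM or NT AUTHORITY\SYSTEM, quoted or not.
SYSTEM_RE = re.compile(r'/ru\s+"?(?:nt authority\\system|system)\b', re.IGNORECASE)
# Known benign task owners excluded to reduce false positives.
BENIGN_FILTERS = ("teamviewer", "avira")


def matches_rule(event):
    """Return True when the event satisfies the rule's combined conditions."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # Condition 1: the process is schtasks.exe (match on the image path, not
    # on the command line, so an echo of the switches does not count).
    if not image.endswith("\\schtasks.exe"):
        return False
    # Condition 2: the task is being created or changed.
    if not any(sw in cmd for sw in TASK_SWITCHES):
        return False
    # Condition 3: the task is set to run as SYSTEM.
    if not SYSTEM_RE.search(cmd):
        return False
    # Exclusion: known benign TeamViewer / Avira tasks.
    if any(term in cmd for term in BENIGN_FILTERS):
        return False
    return True


def alerts(events):
    """Return the events that the rule would flag for review."""
    return [e for e in events if matches_rule(e)]
```

Run against the sample set, only the first two events are flagged: the TeamViewer task is filtered, the `/query` call is not a create or change, and the cmd.exe event fails the image check.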
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2022-07-28