
Summary
This detection rule is aimed at identifying unauthorized creation of scheduled tasks in a Windows environment, activity that can signal an adversary's attempt to maintain persistence. The rule monitors for scripts executed through 'cscript.exe', 'wscript.exe', or 'powershell.exe' that create a scheduled task. Process tracking is achieved through a sequence query that detects task-related activity involving the task management DLL (`taskschd.dll`). If such activity occurs alongside corresponding changes in the Windows Registry, where the tasks' actions are logged, the rule triggers an alert. The assigned risk score is medium (47), reflecting the potential severity of this activity. False positives can arise from legitimate software installations that create scheduled tasks. For investigation, analysts are encouraged to decode the base64-encoded values in the Registry to understand the actions tied to the created tasks, which helps differentiate malicious from benign task creation.
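The sequence logic and the base64 decoding step described above, as an added Python example that is not the rule's own query or any vendor code. The simplified ECS-like field names, correlation by pid, the one-minute window, and the sample events (including the constructed Actions blob, which only approximates the real binary layout) are assumptions; the decoded value is read by pulling out UTF-16LE strings rather than by a full structure parser.

```python
import base64
import re
import struct
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "powershell.exe"}
# Task actions land in HKLM\...\Schedule\TaskCache\Tasks\{GUID}\Actions as a binary value.
ACTIONS_KEY = re.compile(r"\\Schedule\\TaskCache\\Tasks\\\{[0-9A-Fa-f-]+\}\\Actions$")
MAXSPAN = timedelta(minutes=1)  # assumed correlation window, not taken from the rule

def utf16_strings(blob: bytes, min_chars: int = 4) -> list[str]:
    """Pull printable UTF-16LE runs out of the decoded value (executable, arguments)."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, blob)]

def correlate(events: list[dict]) -> list[dict]:
    """Sequence: a script host loads taskschd.dll, then the same pid writes a
    TaskCache Actions value within MAXSPAN. Returns one hit per matching write."""
    loaded_at: dict[int, datetime] = {}
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if (e["kind"] == "library" and e["process"] in SCRIPT_HOSTS
                and e["dll"].lower() == "taskschd.dll"):
            loaded_at[e["pid"]] = e["ts"]
        elif e["kind"] == "registry" and ACTIONS_KEY.search(e["path"]):
            t0 = loaded_at.get(e["pid"])
            if t0 is not None and e["ts"] - t0 <= MAXSPAN:
                blob = base64.b64decode(e["data_b64"])  # sensor logs the value base64-encoded
                hits.append({"pid": e["pid"], "process": e["process"],
                             "actions": utf16_strings(blob)})
    return hits

def fake_actions_blob(path: str, args: str) -> bytes:
    """Constructed stand-in for an Actions value: length-prefixed UTF-16LE strings."""
    def s(x: str) -> bytes:
        b = x.encode("utf-16-le")
        return struct.pack("<I", len(b)) + b
    return struct.pack("<H", 3) + s("Author") + struct.pack("<H", 0x6666) + s("") + s(path) + s(args) + s("")

T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed timestamps
TASK_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache"
            r"\Tasks\{11111111-2222-3333-4444-555555555555}\Actions")
SAMPLE_EVENTS = [  # constructed telemetry with simplified, ECS-like fields
    {"ts": T0, "kind": "library", "pid": 4242, "process": "wscript.exe", "dll": "TASKSCHD.DLL"},
    {"ts": T0 + timedelta(seconds=3), "kind": "registry", "pid": 4242, "process": "wscript.exe",
     "path": TASK_KEY, "data_b64": base64.b64encode(
         fake_actions_blob(r"C:\Windows\System32\cmd.exe", "/c echo hello")).decode()},
    {"ts": T0 + timedelta(seconds=9), "kind": "registry", "pid": 900, "process": "svchost.exe",  # benign: no script host
     "path": TASK_KEY, "data_b64": base64.b64encode(fake_actions_blob("notepad.exe", "")).decode()},
]
```

Running `correlate(SAMPLE_EVENTS)` yields one hit for pid 4242 whose decoded actions expose the executable and arguments the task will run; the svchost.exe write alone does not match.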
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Script
- Network Traffic
- Application Log
ATT&CK Techniques
- T1053
- T1053.005
- T1059
- T1059.001
- T1059.005
Created: 2020-11-29