Persistence via TelemetryController Scheduled Task Hijack

Elastic Detection Rules

Summary
This detection rule identifies malicious activity related to hijacking of the Microsoft Compatibility Appraiser scheduled task, whose executable is CompatTelRunner.exe. Adversaries abuse this task to establish persistence on Windows systems by executing unauthorized code with system-level privileges. The rule uses Event Query Language (EQL) to monitor process start events whose parent process is CompatTelRunner.exe and checks for specific command-line arguments indicative of malicious intent. A risk score of 73 is assigned, reflecting the severity of the potential compromise. The rule lists the data sources needed for effective monitoring, including Windows process telemetry, and specifies a set of legitimate child processes to exclude from alerts to reduce false positives. Actionable steps for incident response and investigation are detailed, allowing analysts to triage alerts while remaining aware of legitimate administrative activity.
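To make the detection logic described above concrete, here is an added Python example that replays the same EQL-style conditions over a handful of constructed process-start events. It is not the Elastic rule itself: the page does not reproduce the rule's exact command-line pattern or exclusion list, so the "-cv*" argument pattern and the allowlist of expected helper processes below are assumptions modelled on how the Compatibility Appraiser normally launches its helpers, and the sample events are constructed, not real telemetry.

```python
"""Toy EQL-style matcher for the TelemetryController hijack detection.

Added example, not the Elastic rule. The argument pattern and the allowlist
of expected children are assumptions; the sample events are constructed.
"""
from fnmatch import fnmatch

PARENT = "compattelrunner.exe"

# Assumed allowlist: helpers the Compatibility Appraiser legitimately spawns.
# The real rule's exclusion list is not reproduced on this page.
EXPECTED_CHILDREN = {
    "conhost.exe",
    "devicecensus.exe",
    "compattelrunner.exe",
    "dismhost.exe",
    "rundll32.exe",
    "powercfg.exe",
}

# Assumed: CompatTelRunner passes a correlation-vector style argument
# ("-cv...") to the processes it starts, so a hijacked child inherits it.
ARG_PATTERN = "-cv*"


def matches(event: dict) -> bool:
    """Return True when a process event satisfies all rule conditions:
    process start, parent is CompatTelRunner.exe, child is not an expected
    helper, and at least one argument matches the assumed pattern."""
    if event.get("event.type") != "start":
        return False
    if event.get("process.parent.name", "").lower() != PARENT:
        return False
    if event.get("process.name", "").lower() in EXPECTED_CHILDREN:
        return False
    args = event.get("process.args", [])
    return any(fnmatch(arg.lower(), ARG_PATTERN) for arg in args)


def find_alerts(events: list) -> list:
    """Filter a stream of events down to those that would raise an alert."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real telemetry). Only the second one should
# alert: an unexpected child of CompatTelRunner.exe carrying the -cv argument.
SAMPLE_EVENTS = [
    {   # benign: expected helper spawned by the appraiser
        "event.type": "start",
        "process.parent.name": "CompatTelRunner.exe",
        "process.name": "DeviceCensus.exe",
        "process.args": ["DeviceCensus.exe", "-cv:00000000-0000-0000-0000-000000000000"],
    },
    {   # suspicious: unexpected child with the inherited launch argument
        "event.type": "start",
        "process.parent.name": "CompatTelRunner.exe",
        "process.name": "cmd.exe",
        "process.args": ["cmd.exe", "/c", "placeholder_payload.bat",
                         "-cv:00000000-0000-0000-0000-000000000000"],
    },
    {   # different parent: outside the rule's scope
        "event.type": "start",
        "process.parent.name": "explorer.exe",
        "process.name": "cmd.exe",
        "process.args": ["cmd.exe", "-cv:00000000-0000-0000-0000-000000000000"],
    },
    {   # process end, not a start event
        "event.type": "end",
        "process.parent.name": "CompatTelRunner.exe",
        "process.name": "cmd.exe",
        "process.args": ["cmd.exe", "-cv:00000000-0000-0000-0000-000000000000"],
    },
]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert["process.parent.name"], "->",
              alert["process.name"], " ".join(alert["process.args"]))
```

The allowlist is what keeps the rule quiet on a healthy host: the appraiser task runs daily and spawns the same few helpers, so tuning that set is the main lever for false positives, while the parent and argument conditions keep the logic anchored to the hijacked task rather than to any cmd.exe start.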
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Application Log
  • File
  • Network Share
  • Scheduled Job
  • Malware Repository
ATT&CK Techniques
  • T1053
  • T1053.005
  • T1574
Created: 2020-08-17