
Summary
This detection rule identifies the creation of scheduled tasks in the Windows System32\Tasks directory by processes executed from locations commonly deemed suspicious. Scheduled tasks are a common way for attackers to maintain persistence on Windows systems, so the rule focuses on the file writes that create task files. It uses file event logs to track attempts to create or modify task files in that directory: it matches when the target file path contains System32\Tasks and the process (image) performing the write runs from a directory such as \AppData\, C:\PerfLogs, or \Windows\System32\config\systemprofile. Executables launched from these less typical directories are often associated with malicious actors attempting to evade detection, and by targeting these conditions the rule aims to mitigate the risk posed by unauthorized persistence mechanisms employed by attackers.
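The matching logic described above, applied to a few constructed file-event records, as an added example that is not part of the rule or its project. It assumes Sysmon-style FileCreate (Event ID 11) field names, Image and TargetFilename, and treats the directory strings as case-insensitive substring matches.

```python
"""Added example: scheduled-task creation from suspicious process locations.

Assumes Sysmon Event ID 11 (FileCreate) records with the fields
'Image' (writing process) and 'TargetFilename' (file written).
"""

# Substrings from the rule description; compared case-insensitively.
TARGET_MARKER = "\\system32\\tasks"
SUSPICIOUS_IMAGE_PATHS = (
    "\\appdata\\",
    "c:\\perflogs",
    "\\windows\\system32\\config\\systemprofile",
)

# Constructed sample telemetry (not real logs). The first record is the
# benign case: the Task Scheduler service itself writing a task file.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetFilename": r"C:\Windows\System32\Tasks\Updater"},
    {"Image": r"C:\PerfLogs\svc.exe",
     "TargetFilename": r"C:\Windows\System32\Tasks\svc"},
    {"Image": r"C:\Windows\System32\config\systemprofile\AppData\Roaming\a.exe",
     "TargetFilename": r"C:\Windows\System32\Tasks\a"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\installer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\setup.log"},
]


def is_suspicious_task_write(event: dict) -> bool:
    """True when a task file is written by a process running from a
    suspicious directory (both conditions of the rule must hold)."""
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    if TARGET_MARKER not in target:
        return False
    return any(path in image for path in SUSPICIOUS_IMAGE_PATHS)


def detect(events) -> list:
    """Return (Image, TargetFilename) pairs that trigger the rule."""
    return [(e["Image"], e["TargetFilename"])
            for e in events if is_suspicious_task_write(e)]


if __name__ == "__main__":
    for image, target in detect(SAMPLE_EVENTS):
        print(f"ALERT: {image} wrote {target}")
```

Legitimate per-user installers and updaters also register tasks from \AppData\, so in production this logic is usually paired with an allowlist of known signers or paths.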
Categories
- Windows
- Endpoint
Data Sources
- File
Created: 2021-11-16