
Summary
This detection rule identifies potential backdoor persistence by monitoring the creation or modification of scheduled tasks through the 'schtasks' command on Windows systems. It filters relevant logs by Windows event code, focusing in particular on PowerShell executions that invoke schtasks. The logic covers commands that create or change scheduled tasks, including those issued from within PowerShell scripts, and records the user account that invoked the change together with the nature of the schtasks command executed. The rule is associated with a range of threat groups, reflecting the use of scheduled tasks for persistence and execution by advanced persistent threats (APTs) and other malicious actors. Multiple regular expressions are applied to the command line extracted from the logs to pull out the relevant fields, so the rule processes the full range of schtasks syntax found in command-line data.
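The field extraction the summary describes, shown here as an added illustration rather than the rule's own query logic: a small Python routine that runs over constructed log events (the event dictionaries, their field names and the sample command lines are assumptions made for this example, not data from the rule), keeps only schtasks invocations that create or change a task, and pulls the task name, the program the task runs, the run-as account and the invoking user out of the command line with regular expressions.

```python
import re
from typing import Optional

# Constructed sample events standing in for parsed Windows logs. The field
# names (event_code, user, command_line) are assumptions for this example,
# not the schema used by the detection rule itself.
SAMPLE_EVENTS = [
    {   # Sysmon Event ID 1 style process creation
        "event_code": "1",
        "user": "CORP\\jdoe",
        "command_line": 'schtasks.exe /create /tn "Updater" /tr "C:\\Users\\Public\\upd.exe" /sc minute /mo 5 /ru SYSTEM',
    },
    {   # PowerShell script block logging (Event ID 4104) carrying a schtasks call
        "event_code": "4104",
        "user": "CORP\\svc_build",
        "command_line": 'Start-Process schtasks -ArgumentList "/Change /TN \\Microsoft\\Windows\\Maint /TR C:\\Temp\\run.ps1"',
    },
    {   # Benign enumeration: schtasks is present, but no task is created or changed
        "event_code": "4688",
        "user": "CORP\\helpdesk",
        "command_line": "schtasks /query /fo LIST /v",
    },
    {   # Unrelated process, should produce no finding
        "event_code": "4688",
        "user": "CORP\\jdoe",
        "command_line": "notepad.exe C:\\notes.txt",
    },
]

# Is schtasks (with or without .exe) anywhere on the command line?
SCHTASKS_RE = re.compile(r"\bschtasks(?:\.exe)?\b", re.IGNORECASE)
# Only /create and /change modify the task set; /query, /delete, /run are ignored here.
ACTION_RE = re.compile(r"/(create|change)\b", re.IGNORECASE)


def _arg(flag: str, text: str) -> Optional[str]:
    """Return the value following /<flag>, honouring double quotes around the value."""
    m = re.search(r"/" + flag + r'\s+(?:"([^"]*)"|([^\s"]+))', text, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def extract_schtasks(event: dict) -> Optional[dict]:
    """Return the extracted fields for a task-creating/changing schtasks call, else None."""
    cmd = event.get("command_line", "")
    if not SCHTASKS_RE.search(cmd):
        return None
    action = ACTION_RE.search(cmd)
    if not action:
        return None
    return {
        "user": event.get("user"),
        "event_code": event.get("event_code"),
        "action": action.group(1).lower(),
        "task_name": _arg("tn", cmd),   # /tn: name of the scheduled task
        "task_run": _arg("tr", cmd),    # /tr: program or script the task executes
        "run_as": _arg("ru", cmd),      # /ru: account the task runs under, if given
        "command_line": cmd,
    }


def detect(events: list) -> list:
    """Apply the extraction to every event and keep only the matches."""
    return [f for f in (extract_schtasks(e) for e in events) if f]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Of the four constructed events, only the first two produce findings: the `/query` call is an enumeration rather than a change, and the notepad event never mentions schtasks. Keeping the quoted and unquoted argument forms in one regex matters in practice, since `/tr` values with spaces are quoted while task paths such as `\Microsoft\Windows\Maint` usually are not.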
Categories
- Windows
- Endpoint
Data Sources
- Process
- Logon Session
- Application Log
- User Account
- Command
ATT&CK Techniques
- T1036.004
- T1053.005
- T1053
Created: 2024-02-09