
Summary
This detection rule identifies potentially malicious scheduled tasks created to execute files located under the AppData\Local folder on Windows systems. It specifically looks for executions of 'schtasks.exe', the built-in utility used to create, delete, configure, or display scheduled tasks. The rule flags any task-creation command whose action runs a program from a path under 'C:\Users\<USER>\AppData\Local', especially when the task is configured to run under the SYSTEM account. It filters out benign uses of the command in specific known-safe contexts, such as when it is launched by 'TeamViewer_.exe' or from temporary directories. Because malware commonly stages payloads in the AppData folder to evade detection, the rule aims to capture suspicious attempts to schedule such tasks, which may indicate an intrusion or persistent malware.
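As an added illustration, not the rule's own logic or a Sigma export, the following Python evaluator applies the conditions described above to constructed process-creation events. The field names (Image, ParentImage, CommandLine), the severity split on the SYSTEM run-as flag, and the reading of "temporary directories" as a scheduled binary under AppData\Local\Temp are this example's assumptions.

```python
import re

# Assumed event shape: Image, ParentImage and CommandLine fields as carried by
# a Sysmon Event ID 1 or equivalent process-creation record (matching is case-insensitive).
USER_APPDATA_LOCAL = re.compile(r'c:\\users\\[^\\"\s]+\\appdata\\local\\')
USER_APPDATA_TEMP = re.compile(r'c:\\users\\[^\\"\s]+\\appdata\\local\\temp\\')
RUN_AS_SYSTEM = re.compile(r'/ru\s+"?(nt authority\\)?system\b')


def evaluate(event):
    """Return 'high', 'medium' or None for a single process-creation event."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # Selection: schtasks.exe creating a task whose action lives under a user's AppData\Local.
    if not image.endswith("\\schtasks.exe") or "/create" not in cmd:
        return None
    if not USER_APPDATA_LOCAL.search(cmd):
        return None
    # Exclusions from the summary. The temp-folder filter is this example's reading of
    # "temporary directories": the scheduled binary sits under AppData\Local\Temp.
    if parent.endswith("\\teamviewer_.exe") or USER_APPDATA_TEMP.search(cmd):
        return None
    # A task configured to run as SYSTEM is the summary's highest-concern case.
    return "high" if RUN_AS_SYSTEM.search(cmd) else "medium"


def run_rule(events):
    """Return (index, severity) for every event the rule flags."""
    return [(i, sev) for i, e in enumerate(events) if (sev := evaluate(e))]


SCHTASKS = r"C:\Windows\System32\schtasks.exe"
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # 0: dropper schedules a binary under AppData\Local to run as SYSTEM -> high
    {"Image": SCHTASKS, "ParentImage": r"C:\Users\alice\Downloads\invoice.exe",
     "CommandLine": r'schtasks /Create /SC ONLOGON /TN "Updater" /TR "C:\Users\alice\AppData\Local\Svc\upd.exe" /RU SYSTEM /F'},
    # 1: same location, runs as the user -> medium
    {"Image": SCHTASKS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'schtasks /Create /SC DAILY /TN "Sync" /TR "C:\Users\bob\AppData\Local\Sync\sync.exe"'},
    # 2: launched by TeamViewer_.exe -> filtered out
    {"Image": SCHTASKS, "ParentImage": r"C:\Users\carol\AppData\Local\Temp\TeamViewer\TeamViewer_.exe",
     "CommandLine": r'schtasks /Create /TN TV /TR "C:\Users\carol\AppData\Local\Temp\TeamViewer\tv.exe" /RU SYSTEM'},
    # 3: scheduled binary under AppData\Local\Temp -> filtered out
    {"Image": SCHTASKS, "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'schtasks /Create /TN Setup /TR "C:\Users\dan\AppData\Local\Temp\setup.exe" /RU SYSTEM'},
    # 4: schtasks used for something other than /Create -> no match
    {"Image": SCHTASKS, "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "schtasks /Query /FO LIST"},
]
```

Calling `run_rule(SAMPLE_EVENTS)` yields only events 0 and 1; the rest fall to the selection or the exclusion filters.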
Categories
- Windows
- Endpoint
Data Sources
- Process
- Command
Created: 2022-03-15