
Summary
This detection rule monitors the creation of scheduled tasks through PowerShell, a technique adversaries commonly use for persistence on Windows systems. It targets the cmdlets associated with creating and registering scheduled tasks, such as 'New-ScheduledTaskAction', 'New-ScheduledTaskTrigger', and 'Register-ScheduledTask', and alerts when any of them appears in a logged PowerShell script block, since that may indicate an attempt to schedule a malicious task for execution. A second selection, CIMMETHOD, covers the 'Invoke-CimMethod' route to managing scheduled tasks, so that the same technique is caught when it bypasses the ScheduledTasks cmdlets. The rule depends on Script Block Logging being enabled on the monitored systems; without it, no script block events are produced and the rule cannot fire.
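As an added illustration (not the rule's own logic or source), the following Python models the two selections and runs them over constructed Script Block Logging records (Event ID 4104). The cmdlet list is taken from the summary above; the CIMMETHOD condition is an assumption, modelled here as 'Invoke-CimMethod' appearing together with a scheduled-task reference in the same script block.

```python
from typing import Dict, List, Tuple

# Cmdlets named by the rule; matched case-insensitively, as Sigma 'contains' does.
TASK_CMDLETS = (
    "New-ScheduledTaskAction",
    "New-ScheduledTaskTrigger",
    "Register-ScheduledTask",
)

# Assumption (not stated in the rule summary): the CIMMETHOD selection requires
# 'Invoke-CimMethod' plus a scheduled-task reference in the same script block.
CIM_METHOD = "Invoke-CimMethod"
CIM_TASK_HINT = "ScheduledTask"


def classify(script_block_text: str) -> List[str]:
    """Return the names of the selections that match; an empty list means no alert."""
    text = script_block_text.lower()
    hits = []
    if any(cmdlet.lower() in text for cmdlet in TASK_CMDLETS):
        hits.append("CMDLETS")
    if CIM_METHOD.lower() in text and CIM_TASK_HINT.lower() in text:
        hits.append("CIMMETHOD")
    return hits


def scan_events(events: List[Dict]) -> List[Tuple[int, List[str]]]:
    """Return (RecordId, matched selections) for each Event ID 4104 record that fires."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4104:  # only Script Block Logging events carry ScriptBlockText
            continue
        hits = classify(ev.get("ScriptBlockText", ""))
        if hits:
            alerts.append((ev["RecordId"], hits))
    return alerts


# Constructed sample records (not real telemetry) covering a benign block, the cmdlet
# route, the CIM route, and a non-4104 event that must be ignored.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4104, "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending"},
    {"RecordId": 2, "EventID": 4104, "ScriptBlockText": "$a = New-ScheduledTaskAction -Execute 'notepad.exe'; "
        "$t = New-ScheduledTaskTrigger -AtLogOn; Register-ScheduledTask -TaskName 'Updater' -Action $a -Trigger $t"},
    {"RecordId": 3, "EventID": 4104, "ScriptBlockText": "Invoke-CimMethod -Namespace Root/Microsoft/Windows/TaskScheduler "
        "-ClassName PS_ScheduledTask -MethodName RegisterByXml"},
    {"RecordId": 4, "EventID": 4103, "ScriptBlockText": "Register-ScheduledTask -TaskName x"},
]

if __name__ == "__main__":
    for record_id, selections in scan_events(SAMPLE_EVENTS):
        print(f"RecordId {record_id}: matched {', '.join(selections)}")
```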
Categories
- Windows
- Endpoint
Data Sources
- Script
- Process
ATT&CK Techniques
- T1053.005
Created: 2021-12-28