
Summary
This detection rule identifies potentially malicious modifications to scheduled tasks on Windows systems. Attackers may initially create a benign-looking scheduled task to evade detection and later modify it to execute a malicious payload from a suspicious directory. The rule monitors usage of 'schtasks.exe', particularly command lines whose parameters indicate an alteration of an existing task ('/Change' and '/TN'). Additionally, it checks for command-line arguments that reference known suspicious locations, such as temporary directories or public-facing locations, since attackers commonly stage payloads there. Command lines containing commonly abused execution methods or utilities (such as 'regsvr32' or 'powershell') are also classified as potentially harmful. A detection occurs when the task-change parameters and one of the suspicious indicators (execution from a suspicious location, or use of an abused utility) appear together in the same command line. Ideally this rule produces zero hits; any positive detection requires further investigation.
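The detection logic described above, as an added example in Python that is not part of the original rule page: it runs the three conditions (task-change flags, suspicious directory, abused utility) over constructed process command lines. The page names only temp and public locations and 'regsvr32'/'powershell'; the remaining directories and utilities in the lists are assumptions for this example.

```python
# Parameters that indicate an existing task is being altered (from the rule description).
CHANGE_FLAGS = ("/change", "/tn")

# Directories treated as suspicious staging locations. The page names temp and
# public locations; the other entries are assumptions for this example.
SUSPICIOUS_DIRS = (
    "\\users\\public\\",
    "\\windows\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\programdata\\",
    "\\temp\\",
)

# Commonly abused execution utilities. regsvr32 and powershell are named on the
# page; the rest are assumptions for this example.
ABUSED_UTILITIES = (
    "regsvr32", "powershell", "rundll32", "mshta", "cscript", "wscript", "cmd /c",
)


def is_suspicious_task_change(cmdline):
    """Return the list of matched indicators; an empty list means no detection."""
    cl = cmdline.lower()
    # Both the image and the task-change parameters must be present.
    if "schtasks" not in cl or not all(flag in cl for flag in CHANGE_FLAGS):
        return []
    reasons = []
    if any(d in cl for d in SUSPICIOUS_DIRS):
        reasons.append("suspicious_location")
    if any(u in cl for u in ABUSED_UTILITIES):
        reasons.append("abused_utility")
    return reasons


def scan(events):
    """Run the rule over process command lines; return {cmdline: reasons} for hits only."""
    hits = {}
    for event in events:
        reasons = is_suspicious_task_change(event)
        if reasons:
            hits[event] = reasons
    return hits


# Constructed sample process command lines (not real telemetry).
SAMPLE_EVENTS = [
    'schtasks.exe /Change /TN "\\Microsoft\\Windows\\UpdateCheck" /TR "C:\\Users\\Public\\update.exe"',
    'schtasks.exe /Change /TN "Backup" /TR "powershell.exe -File C:\\Windows\\Temp\\run.ps1"',
    'schtasks.exe /Change /TN "Backup" /TR "C:\\Program Files\\Vendor\\backup.exe"',
    'schtasks.exe /Create /TN "Backup" /TR "C:\\Users\\Public\\update.exe" /SC DAILY',
    'schtasks.exe /Change /TN "Backup" /DISABLE',
]

if __name__ == "__main__":
    for cmd, why in scan(SAMPLE_EVENTS).items():
        print(why, "<-", cmd)
```

Only the first two sample lines fire: the /Create line is out of scope for this rule, and the plain /DISABLE change carries no suspicious indicator.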
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-07-28