
Summary
This detection rule identifies the creation of scheduled tasks on Windows systems that show potentially malicious characteristics, specifically tasks created with the Windows Task Scheduler command-line tool ('schtasks.exe') that are set to run only once at midnight (00:00). Attackers frequently use scheduled tasks to maintain persistence or to execute payloads without direct user interaction. The rule therefore inspects process creation events for three attributes together: the executable being launched (schtasks.exe), a command line that creates a one-time task, and a start time of 00:00; a command line that also references a script host or interpreter such as 'wscript' or 'vbscript' is a further indicator of suspicious activity. Because the logic depends on the command line, the process creation telemetry must record it (Sysmon Event ID 1 does; Security Event ID 4688 does so only when command-line auditing is enabled). The rule's severity level is high, so matches should be investigated thoroughly. Known false positives include legitimate software installations, which may also create one-time tasks in this way.
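As an added, runnable illustration of the matching logic described above (example code written for this page, not the rule's own query or any project's code), the following Python applies the three attributes to constructed Sysmon-style process creation events and, for each match, extracts the task action so an analyst can see whether it invokes a script host. The sample events, the field names, and the list of script hosts beyond 'wscript' and 'vbscript' are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events in Sysmon Event ID 1 field style. These are
# sample inputs written for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "OneDrive Update" /tr "wscript.exe C:\Users\Public\up.vbs" /sc once /st 00:00 /ru SYSTEM'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn Backup /tr "C:\Program Files\Backup\bk.exe" /sc daily /st 02:00'},
    # Documented false positive: a software installation that also runs once at midnight.
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /TN Setup /TR "msiexec /i C:\Temp\setup.msi /qn" /SC ONCE /ST 00:00'},
    # A shell whose arguments mention schtasks; the child schtasks.exe would produce its own event.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c schtasks /create /tn x /tr wscript.exe /sc once /st 00:00'},
]

# Script hosts and interpreters whose presence in the task action raises confidence.
# Assumption for this example: the page itself names only wscript and vbscript.
SCRIPT_HOSTS = ("wscript", "cscript", "vbscript", "mshta", "powershell", "rundll32", "regsvr32")

# Switch matching is done on the lowercased command line, so /SC ONCE and /sc once both match.
_CREATE = re.compile(r"(?:^|\s)/create(?:\s|$)")
_ONCE = re.compile(r"(?:^|\s)/sc\s+once(?:\s|$)")
_MIDNIGHT = re.compile(r"(?:^|\s)/st\s+00:00(?:\s|$)")
# /tr takes either a quoted string or a single bare token.
_ACTION = re.compile(r'(?:^|\s)/tr\s+(?:"([^"]*)"|(\S+))')


def task_action(cmdline: str) -> Optional[str]:
    """Return the /tr argument (the program the task will run), or None if absent."""
    m = _ACTION.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, Optional[str]]]:
    """Apply the three attributes from the rule description to one event.

    Returns None when the event does not match; otherwise a small triage record
    with the task action and the script host (if any) it invokes.
    """
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # 1. the executable: schtasks.exe itself, not a shell whose arguments mention it
    if not image.endswith("\\schtasks.exe"):
        return None
    # 2. a one-time task is being created; 3. it is scheduled for midnight
    if not (_CREATE.search(cmd) and _ONCE.search(cmd) and _MIDNIGHT.search(cmd)):
        return None
    action = task_action(cmd)
    host = next((h for h in SCRIPT_HOSTS if action and h in action), None)
    return {"action": action, "script_host": host}


def run_detection(events: List[Dict[str, str]]) -> List[dict]:
    """Run evaluate() over a batch and keep the index of each matching event."""
    hits = []
    for i, ev in enumerate(events):
        result = evaluate(ev)
        if result is not None:
            hits.append({"index": i, **result})
    return hits


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

Run against the constructed events, the first and third match (the third is the software-installation false positive the page mentions, with no script host in its action), the second fails the one-time check, and the fourth is not a schtasks.exe process at all. The `script_host` field is the triage cue: a match whose action launches wscript or a similar host deserves the thorough investigation the high severity calls for.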
Categories
- Windows
Data Sources
- Process
Created: 2022-07-15