
Summary
This detection rule identifies the creation of scheduled tasks on Windows systems initiated through the PowerSploit or Empire frameworks, a technique attackers commonly use for persistence and privilege escalation. It keys on specific command-line arguments passed to the 'schtasks.exe' process. In particular, it focuses on 'schtasks.exe' processes whose parent is 'powershell.exe' or 'pwsh.exe' and whose command line suggests attacker-orchestrated task creation, such as '/Create' combined with '/SC ONLOGON' or other scheduling options like '/SC DAILY', '/SC HOURLY', or '/SC ONIDLE'. The rule filters on command patterns that are strongly indicative of malicious activity. The potential for false positives is considered low, making it a reliable method for threat detection in environments where scheduled tasks are controlled and monitored.
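The following is an added worked example, not part of the original rule page or its project: it implements the selection logic described above (parent 'powershell.exe' or 'pwsh.exe', child 'schtasks.exe', '/Create' together with one of the listed '/SC' options) as a small Python matcher and runs it over a handful of constructed process-creation events. The event field names ('image', 'parent_image', 'command_line') and the sample events are assumptions made for the example, not a real log schema or real telemetry.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record carrying only the fields the rule needs.
    Field names are an assumption for this example (e.g. mapped from Sysmon Event ID 1)."""
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the created process


# Selection criteria as described in the rule summary.
PARENT_IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
IMAGE_SUFFIX = "\\schtasks.exe"
CREATE_FLAG = "/create"
SCHEDULE_OPTIONS = ("/sc onlogon", "/sc daily", "/sc hourly", "/sc onidle")


def _normalize(cmd: str) -> str:
    # Lower-case and collapse whitespace so "/SC   DAILY" and "/sc daily" compare equal;
    # schtasks.exe itself accepts switches case-insensitively.
    return re.sub(r"\s+", " ", cmd).strip().lower()


def matches_rule(ev: ProcessEvent) -> bool:
    """Return True when the event satisfies every condition of the rule."""
    if not ev.parent_image.lower().endswith(PARENT_IMAGE_SUFFIXES):
        return False
    if not ev.image.lower().endswith(IMAGE_SUFFIX):
        return False
    cmd = _normalize(ev.command_line)
    return CREATE_FLAG in cmd and any(opt in cmd for opt in SCHEDULE_OPTIONS)


def find_alerts(events: List[ProcessEvent]) -> List[int]:
    """Indices of the events that should raise an alert."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: PowerShell spawning schtasks with /Create and /SC ONLOGON -> alert
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'schtasks.exe /Create /TN Updater /SC ONLOGON /TR "powershell -File C:\Users\Public\update.ps1"'),
    # 1: pwsh parent, lower-case switches, extra spaces -> still an alert
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r"C:\Program Files\PowerShell\7\pwsh.exe",
                 r"schtasks /create /tn Backup /sc   daily /tr C:\tools\backup.cmd"),
    # 2: same command line but parent is cmd.exe -> no alert
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"schtasks /Create /TN Logon /SC ONLOGON /TR notepad.exe"),
    # 3: PowerShell parent but only a query, no task creation -> no alert
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"schtasks /Query /TN Updater"),
    # 4: task creation with a schedule option the rule does not list -> no alert
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"schtasks /Create /TN Once /SC ONCE /ST 12:00 /TR C:\tools\report.cmd"),
]


if __name__ == "__main__":
    for i in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i].command_line}")
```

Events 0 and 1 match; 2, 3 and 4 are rejected on the parent image, the missing '/Create', and the unlisted schedule option respectively. Note that the matcher deliberately treats the rule's '/SC' list as closed, so a legitimate administrative script that creates tasks from PowerShell with one of those schedules will also fire; in environments where that happens, tuning the parent command line or the task name is the usual way to keep the false-positive rate at the low level the summary describes.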
Categories
- Windows
Data Sources
- Process
Created: 2018-03-06