
Windows Enable Win32_ScheduledJob via Registry

Splunk Security Content

Summary
This detection rule identifies the creation of a registry DWORD value named "EnableAt" under "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration". The value matters because at.exe and the WMI Win32_ScheduledJob class are disabled by default on supported Windows versions; setting EnableAt to 1 re-enables them, giving an attacker a second way, alongside schtasks.exe, to schedule a job that runs code at a chosen time. The rule uses Sysmon Event ID 13 (registry value set) and Event ID 12 (registry key or value create/delete) to observe the value being written. Because the setting persists across reboots and enables a persistence mechanism, a write to it should be investigated rather than ignored: identify the process that made the change and check whether any job was subsequently scheduled with at.exe or Win32_ScheduledJob.
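To make the detection logic concrete, the following added example (illustrative code, not the Splunk analytic itself) runs the same check over a handful of constructed Sysmon Event ID 12/13 records. The event dictionaries, process names and field layout mimic Sysmon's registry events but are made up for this example; the hive-name aliases and the requirement that the value be 1 to count as "enabled" are the example's own assumptions.

```python
"""Emulate the EnableAt registry detection over constructed Sysmon events.

Added example, not part of the Splunk Security Content rule. The records in
SAMPLE_EVENTS are constructed to look like Sysmon Event ID 12/13 fields
(EventID, EventType, TargetObject, Details, Image); they are not real logs.
"""
import re
from typing import Iterable, Optional

# Key and value the detection keys on (taken from the rule summary).
TARGET_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration"
TARGET_VALUE = "EnableAt"

# Assumption: hive names may appear in several spellings depending on the
# tool that emitted them; fold them to one canonical form before comparing.
_HIVE_ALIASES = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKLM:": "HKLM",
    "HKLM": "HKLM",
}

# Sysmon renders DWORD values in the Details field as "DWORD (0x00000001)".
_DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def normalize_path(target_object: str) -> str:
    """Return the registry path with a canonical hive prefix."""
    hive, _, rest = target_object.partition("\\")
    hive = _HIVE_ALIASES.get(hive.upper(), hive.upper())
    return f"{hive}\\{rest}"


def parse_dword(details: str) -> Optional[int]:
    """Extract the integer from a Sysmon Details string, or None if not a DWORD."""
    m = _DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def match_enable_at(events: Iterable[dict]) -> list:
    """Return one alert per event that writes or deletes the EnableAt value."""
    wanted = f"HKLM\\{TARGET_KEY}\\{TARGET_VALUE}".lower()
    alerts = []
    for ev in events:
        if ev.get("EventID") not in (12, 13):
            continue
        path = normalize_path(ev.get("TargetObject", ""))
        if path.lower() != wanted:
            continue
        # Only Event ID 13 (SetValue) carries the written data.
        value = parse_dword(ev.get("Details", "")) if ev["EventID"] == 13 else None
        alerts.append({
            "event_id": ev["EventID"],
            "event_type": ev.get("EventType"),
            "image": ev.get("Image"),
            "path": path,
            "value": value,
            # at.exe / Win32_ScheduledJob are re-enabled only when EnableAt == 1.
            "enables_at": value == 1,
        })
    return alerts


# Constructed sample telemetry: three touches of EnableAt and one unrelated write.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration\EnableAt",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration\EnableAt",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 12, "EventType": "DeleteValue",
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration\EnableAt",
     "Details": ""},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks",
     "Details": "DWORD (0x00000001)"},
]


def run() -> list:
    """Apply the detection to the constructed sample and return the alerts."""
    return match_enable_at(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The example reports every write to or deletion of the EnableAt value, and separately flags whether the written data actually re-enables at.exe; an analyst who only wants the "enabled" case can filter on the `enables_at` field. Creation of the parent Configuration key by itself (also an Event ID 12) is not matched here, because the rule as summarized keys on the value name.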
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • User Account
ATT&CK Techniques
  • T1053.005
  • T1059.001
Created: 2024-11-13