
Run Once Task Execution as Configured in Registry

Sigma Rules

Summary
This Sigma rule detects the execution of Run Once tasks that have been configured in the Windows Registry. Its process-creation logic combines an image-based selection with a command-line-based selection: the process must be runonce.exe, identified either by an image path ending in runonce.exe or by the binary's file description 'Run Once Wrapper' (which still identifies a renamed copy), and its command line must carry the switches that cause runonce.exe to execute registry-configured Run Once entries. Requiring both keeps the routine invocation of runonce.exe at logon from firing the rule on its own. The technique matters for detection because runonce.exe is a signed Microsoft binary: an attacker who can write a Run Once entry to the registry can have it launched by a trusted system process rather than by an obvious payload, proxying execution and blending into normal startup activity. The rule carries a low level because legitimate administrative and setup activity can produce the same pattern, so a hit should be triaged by inspecting the Run Once registry values the command references and the parent process that launched runonce.exe, rather than treated as a high-confidence alert. Sigma rules describe detection only; blocking suspect executions is a separate control.
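To make the two selections concrete, here is an added example that is not the rule's own logic or part of this page: a small Python evaluator for the image/description and command-line conditions described above, run over a handful of constructed Sysmon-style process-creation events (fields Image, Description, CommandLine, ParentImage). The switch list /AlternateShellStartup and /r, the whole-token matching, and every sample command line are this example's assumptions, not text quoted from the rule.

```python
# Added example: a minimal evaluator for the rule's two selections, run over
# constructed Sysmon-style process-creation events. Not the rule's own code.

# Switches assumed for this example to indicate that runonce.exe is being
# asked to execute registry-configured Run Once entries.
RUNONCE_SWITCHES = frozenset({"/alternateshellstartup", "/r"})


def selection_img(event: dict) -> bool:
    """Image-based selection: path ends in runonce.exe, or the PE file
    description is 'Run Once Wrapper' (catches a renamed copy)."""
    image = event.get("Image", "").lower()
    description = event.get("Description", "").lower()
    return image.endswith("\\runonce.exe") or description == "run once wrapper"


def selection_cli(event: dict) -> bool:
    """Command-line selection: a whole-token match on one of the switches,
    so '/r' does not fire on an unrelated argument such as '/run6432'."""
    tokens = event.get("CommandLine", "").lower().split()
    return any(token in RUNONCE_SWITCHES for token in tokens)


def matches_rule(event: dict) -> bool:
    """Condition: both selections must match (all of selection_*)."""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # routine logon invocation: image matches, switch does not -> no hit
        "ProcessId": 1001,
        "Image": r"C:\Windows\System32\runonce.exe",
        "Description": "Run Once Wrapper",
        "CommandLine": r"C:\Windows\system32\runonce.exe /Run6432",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # direct use of the switch from a shell -> hit
        "ProcessId": 1002,
        "Image": r"C:\Windows\System32\runonce.exe",
        "Description": "Run Once Wrapper",
        "CommandLine": "runonce.exe /AlternateShellStartup",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # renamed copy dropped elsewhere; only the file description gives it away -> hit
        "ProcessId": 1003,
        "Image": r"C:\Users\Public\svchelper.exe",
        "Description": "Run Once Wrapper",
        "CommandLine": r"C:\Users\Public\svchelper.exe /r",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # unrelated binary with a /r argument: command line matches, image does not -> no hit
        "ProcessId": 1004,
        "Image": r"C:\Windows\System32\cmd.exe",
        "Description": "Windows Command Processor",
        "CommandLine": "cmd.exe /r whoami",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def scan(events: list) -> list:
    """Return the ProcessIds of events that satisfy the full condition."""
    return [e["ProcessId"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "HIT " if matches_rule(e) else "pass"
        print(f"{verdict} pid={e['ProcessId']} parent={e['ParentImage']} cmd={e['CommandLine']}")
```

Running the block reports hits only for 1002 and 1003: the routine logon event is excluded by the command-line selection, and the cmd.exe event is excluded by the image selection. The third event is the reason the description match is worth keeping alongside the path match; the first event is the reason the two selections are combined rather than matched independently. The ParentImage field is not part of the rule and is carried only because it is the first thing a triage step would look at.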
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
Created: 2020-10-18