
Schtasks used for forcing a reboot

Splunk Security Content

Summary
This detection rule identifies the use of 'schtasks.exe' on Windows systems to schedule a forced reboot. Specifically, it looks for process launches of schtasks.exe whose command line contains both the '/create' flag and the 'shutdown' parameter. The analysis is based on process-creation telemetry from endpoint monitoring tools such as Sysmon (Event ID 1) and the Windows Security log (Event ID 4688, which records process launches). Monitoring this activity is important because scheduling a reboot may signify an adversary's attempt to disrupt operational continuity, force system downtime, or complete an exploitation step that takes effect after a restart. A match warrants prompt investigation to determine whether the scheduled task is legitimate administration or malicious, since a confirmed malicious case can cause significant impact, including data loss, or give the attacker a foothold for additional attack vectors.
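The following is an added example, not the Splunk rule's own SPL or code: it applies the same matching logic in Python over a few constructed process-creation records shaped like Sysmon Event ID 1 and Security Event ID 4688 events. The record field names, channel names and sample command lines are assumptions made for the example.

```python
import re

# Constructed sample records (not real telemetry) in the shape of Windows
# process-creation events. Only the first one should trigger the detection.
SAMPLE_EVENTS = [
    {"channel": "Microsoft-Windows-Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /tn "Maint" /tr "shutdown /r /t 60" /sc once /st 23:00',
     "user": r"CORP\jdoe"},
    {"channel": "Security", "event_id": 4688,
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks.exe /query /tn Maint", "user": r"CORP\jdoe"},
    {"channel": "Microsoft-Windows-Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /CREATE /TN "Backup" /TR "C:\tools\backup.exe" /SC daily',
     "user": r"CORP\svc_backup"},
    {"channel": "Microsoft-Windows-Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe shutdown_notes.txt", "user": r"CORP\jdoe"},
]

# (channel, event id) pairs that represent process creation; event ids alone
# are ambiguous across log channels, so both are checked.
PROCESS_CREATION_SOURCES = {("Microsoft-Windows-Sysmon", 1), ("Security", 4688)}

# schtasks accepts flags case-insensitively, so match /create in any case and
# require it to be a standalone token rather than part of a path.
CREATE_FLAG = re.compile(r"(?i)(?:^|\s)/create(?:\s|$)")
SHUTDOWN_ARG = re.compile(r"(?i)\bshutdown(?:\.exe)?\b")


def is_schtasks_forced_reboot(event: dict) -> bool:
    """Return True when a process-creation event is schtasks.exe creating a task that runs shutdown."""
    if (event.get("channel"), event.get("event_id")) not in PROCESS_CREATION_SOURCES:
        return False
    image = event.get("image", "").lower()
    if image != "schtasks.exe" and not image.endswith("\\schtasks.exe"):
        return False
    cmd = event.get("command_line", "")
    return bool(CREATE_FLAG.search(cmd) and SHUTDOWN_ARG.search(cmd))


def find_forced_reboot_schedules(events: list) -> list:
    """Filter a batch of events down to the ones the rule would alert on."""
    return [e for e in events if is_schtasks_forced_reboot(e)]


if __name__ == "__main__":
    for hit in find_forced_reboot_schedules(SAMPLE_EVENTS):
        print(f"ALERT user={hit['user']} cmd={hit['command_line']}")
```

In a real pipeline the triage step would then compare the task name, the scheduling account and the parent process against known maintenance windows before escalating.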
Categories
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1053.005
  • T1053
Created: 2024-11-13