
Suspicious Scheduled Task Creation Involving Temp Folder

Sigma Rules

Summary
This detection rule identifies suspicious creation of scheduled tasks on Windows that reference a temporary folder. Specifically, it matches when schtasks.exe is executed with parameters that create a scheduled task set to run only once, while the specified path includes the '\Temp\' directory. The rationale is that various attack methodologies stage and execute payloads from temporary directories, so a one-shot task pointing into such a location is a useful indicator for endpoint protection. False positives are expected from regular administrative activity and legitimate software installations that also create scheduled tasks in this way.
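As an added illustration (not part of this rule page or the Sigma project's code), the following Python matcher applies the logic described above to process-creation events: the image must be schtasks.exe, the command line must create a task scheduled to run once, and a '\Temp\' path must appear in it. The field names (Image, CommandLine) are assumed to follow the Sysmon Event ID 1 / Sigma process_creation convention, and the sample events are constructed for illustration rather than taken from real telemetry.

```python
"""Minimal matcher for the 'scheduled task creation involving a Temp folder' logic.

Assumptions (not from the rule page): events carry an Image and a CommandLine
field as in Sysmon Event ID 1; matching is case-insensitive, as Sigma string
modifiers are by default.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the started process
    command_line: str   # command line as logged


def matches_temp_schtasks(event: ProcessEvent) -> bool:
    """Return True when the event shows schtasks.exe creating a one-shot task
    whose command line references a \\Temp\\ path."""
    if not event.image.lower().endswith("\\schtasks.exe"):
        return False
    cmd = event.command_line.lower()
    creates_task = "/create" in cmd
    runs_once = re.search(r"/sc\s+once\b", cmd) is not None
    uses_temp = "\\temp\\" in cmd
    return creates_task and runs_once and uses_temp


def scan(events: list[ProcessEvent]) -> list[int]:
    """Return the indices of events that match the rule logic."""
    return [i for i, ev in enumerate(events) if matches_temp_schtasks(ev)]


# Constructed sample events (hypothetical, for demonstration only).
SAMPLE_EVENTS = [
    # 0: one-shot task pointing into a user's Temp folder -> match
    ProcessEvent(
        r"C:\Windows\System32\schtasks.exe",
        r"schtasks.exe /create /sc once /tn Update "
        r"/tr C:\Users\bob\AppData\Local\Temp\update.exe /st 09:00",
    ),
    # 1: daily task, no Temp path -> no match
    ProcessEvent(
        r"C:\Windows\System32\schtasks.exe",
        r"schtasks.exe /create /sc daily /tn Backup /tr C:\Backup\run.exe",
    ),
    # 2: query only, nothing is created -> no match
    ProcessEvent(
        r"C:\Windows\System32\schtasks.exe",
        r"schtasks.exe /query /tn Update",
    ),
    # 3: Temp path but not schtasks.exe -> no match
    ProcessEvent(
        r"C:\Windows\System32\cmd.exe",
        r"cmd.exe /c echo C:\Windows\Temp\x.txt",
    ),
    # 4: installer-style one-shot task from C:\Windows\Temp -> match
    #    (the kind of benign hit the rule's false-positive note anticipates)
    ProcessEvent(
        r"C:\Windows\System32\schtasks.exe",
        r'schtasks.exe /Create /SC ONCE /TN Installer '
        r'/TR "C:\Windows\Temp\setup.exe" /ST 10:00',
    ),
]


if __name__ == "__main__":
    for idx in scan(SAMPLE_EVENTS):
        print(f"match at event {idx}: {SAMPLE_EVENTS[idx].command_line}")
```

Event 4 is included deliberately: it matches the rule just as event 0 does, which is why triage of hits should consider the parent process and whether a legitimate installer was running at the time, as the summary's false-positive note implies.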
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2021-03-11