
Renamed Schtasks Execution

Sigma Rules

Summary
This detection rule identifies executions of the Windows Task Scheduler command line utility, schtasks.exe, under a renamed binary. Schtasks.exe is commonly used for scheduling tasks in Windows environments, but it is also frequently abused by threat actors as a persistence mechanism. Renaming the legitimate executable helps attackers evade security controls that only watch for the original schtasks.exe name. The rule therefore keys on several command line parameters associated with schtasks, so that misuse is detected despite the renaming of the file. Per its conditions, an alert is triggered when the command line includes specific scheduling operations, or when the original file name of schtasks.exe appears on a process that is not executed from its standard location. This high-severity rule is part of an ongoing effort to monitor and mitigate the risk of potentially malicious tasks being executed via renamed binaries.
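The following is an added example that re-implements the two conditions described above in Python and runs them over constructed Sysmon-style process creation events; it is not the Sigma rule itself or code from the rule's authors. The specific scheduling switches, the standard image paths, and the event field names are assumptions chosen for the illustration.

```python
"""Toy re-implementation of the 'Renamed Schtasks Execution' logic.

Added example, not the Sigma rule. The switch list, standard paths and
field names are assumptions; the events below are constructed test data.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Scheduling operations the detection keys on (assumed, not taken from the rule text).
SCHEDULING_SWITCHES = {"/create", "/delete", "/change", "/run", "/end"}

# Where the genuine binary lives on a 64-bit Windows host (assumption).
STANDARD_IMAGE_PATHS = {
    r"c:\windows\system32\schtasks.exe",
    r"c:\windows\syswow64\schtasks.exe",
}


@dataclass
class ProcessEvent:
    image: str               # full path of the executed image (Sysmon "Image")
    original_file_name: str  # PE version-info name (Sysmon "OriginalFileName")
    command_line: str        # Sysmon "CommandLine"


def classify(event: ProcessEvent) -> Optional[str]:
    """Return the name of the matching condition, or None when the event is benign."""
    image = event.image.lower()
    if image in STANDARD_IMAGE_PATHS:
        # The real schtasks.exe running from its expected location: not renamed.
        return None
    if event.original_file_name.lower() == "schtasks.exe":
        # PE metadata still says schtasks.exe while the path (or name) differs,
        # e.g. a renamed or relocated copy of the binary.
        return "original_file_name"
    # Attackers can strip version info, so also look for scheduling switches
    # on the command line of a process that is not the standard schtasks.exe.
    tokens = set(event.command_line.lower().split())
    if tokens & SCHEDULING_SWITCHES:
        return "scheduling_switches"
    return None


def find_alerts(events: List[ProcessEvent]) -> List[Tuple[str, ProcessEvent]]:
    """Run the detection over a batch of events and return (reason, event) pairs."""
    alerts = []
    for event in events:
        reason = classify(event)
        if reason is not None:
            alerts.append((reason, event))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
                 r'schtasks.exe /create /tn "Updater" /tr C:\Users\Public\u.exe /sc onlogon'),
    ProcessEvent(r"C:\Users\Public\svchost.exe", "schtasks.exe",
                 r'svchost.exe /create /tn "Updater" /tr C:\Users\Public\u.exe /sc onlogon'),
    ProcessEvent(r"C:\ProgramData\task.exe", "",
                 r'task.exe /run /tn "Updater"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
                 r"cmd.exe /c whoami"),
    ProcessEvent(r"C:\Temp\schtasks.exe", "schtasks.exe",
                 r"C:\Temp\schtasks.exe /query"),
]


if __name__ == "__main__":
    for reason, event in find_alerts(SAMPLE_EVENTS):
        print(f"[{reason}] {ntpath.basename(event.image)}: {event.command_line}")
```

The first condition fires as soon as the PE's OriginalFileName is schtasks.exe but the image is not at one of the standard paths, which also covers a copy of the binary that keeps its name but runs from a user-writable directory. The second condition is the one that needs tuning in a real deployment: a wrapper such as `cmd.exe /c schtasks /create ...` carries the same switches on its own command line, so a production rule would typically combine it with image or parent-process filters rather than matching the tokens alone.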
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2025-11-27