Attackers often use tasks as a means to hide their tracks. They might also use the ability to run tasks with different user rights to gain more access. Earlier, I recommended that you set up auditing to track when tasks are created. Now I recommend you harden a setting on your workstations to prevent task scheduling in the first place.
Below are the Microsoft Defender Advanced Threat Protection (ATP) recommended actions:
The “Domain controller: Allow server operators to schedule tasks” setting determines whether scheduled tasks are forced to run under the context of the authenticated account instead of allowing them to run as SYSTEM. Disabling this setting affects only the ability to schedule jobs using the AT command and does not affect tasks set using Task Scheduler.
As noted by blogger Randy Franklin Smith, “Unlike Scheduled Tasks which require you to specify the credential under which the task will run, AT jobs run under the authority of whatever account the AT service runs, which is SYSTEM by default. Non-administrators who can schedule AT commands thus have a means to elevate their privileges. This policy controls whether members of the local Server Operators group can schedule AT jobs. If disabled, only administrators can.”
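One way to audit this setting on a host and preview the fix, as an added example that is not from the original article or from Microsoft. It assumes the policy is stored as the `SubmitControl` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`; the function names are hypothetical.

```powershell
# Added example: audit the registry value behind
# "Domain controller: Allow server operators to schedule tasks".
# Assumption: the policy is stored as SubmitControl (REG_DWORD) under the Lsa key.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'SubmitControl'

function Get-AtSchedulingPolicy {
    # Returns the raw value plus a state: Disabled (0), Enabled (non-zero), or NotDefined.
    $item  = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { $null } else { $item.$ValueName }
    $state = if ($null -eq $value) { 'NotDefined' } elseif ($value -eq 0) { 'Disabled' } else { 'Enabled' }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Value    = $value
        State    = $state
        # Only an explicit 0 counts as hardened here; NotDefined is flagged for review.
        Hardened = ($state -eq 'Disabled')
    }
}

function Set-AtSchedulingPolicyDisabled {
    # Writes SubmitControl = 0 so that only administrators can schedule AT jobs.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", 'Set DWORD to 0')) {
        New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value 0 -Force |
            Out-Null
    }
}

# Report the current state, then preview the change without applying it.
$result = Get-AtSchedulingPolicy
$result | Format-List
if (-not $result.Hardened) {
    Set-AtSchedulingPolicyDisabled -WhatIf   # drop -WhatIf (elevated prompt) to apply
}
```

A value written locally is overwritten at the next policy refresh if a GPO defines this setting, so on domain-joined machines make the change in Group Policy under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.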