Post-Exploitation Persistence via Scheduled Task and Firewall LOLBins

Detects the combined use of living-off-the-land (LOTL) binaries to establish post-exploitation persistence, including schtasks, sc, reg, and netsh for creating scheduled tasks, modifying services, editing the registry, and altering firewall rules. This pattern has been observed after exploitation of network devices such as FortiGate, where attackers pivot to LOTL binaries to maintain access.