Code execution, privilege escalation, lateral movement and persitence.
Creating a new scheduled task that will launch shell.cmd every minute:
Note that processes spawned as scheduled tasks have
taskeng.exeprocess as their parent:
Monitoring and inspecting commandline arguments and established network connections by processes can help uncover suspicious activity:
Also, look for events 4698 indicating new scheduled task creation:
Note that when using schtasks for lateral movement, the processes spawned do not have taskeng.exe as their parent, rather - svchost: