Samirbous/ES|QL Scheduled Tasks based64 decoded actions

## ES|QL Scheduled Tasks based64 decoded actions
// hunting on scheduled task via registry.data.bytes
from logs-endpoint.events.registry-*
| where host.os.type == "windows" and event.category == "registry" and event.action == "modification" and
  registry.path like """HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\*Actions*"""
| eval scheduled_task_action = replace(TO_LOWER(FROM_BASE64(registry.data.bytes)), """\u0000""", "")
| eval scheduled_task_action = replace(scheduled_task_action, """(\u0003\fauthorfff|\u0003\fauthorff\u000e)""", "")
| where scheduled_task_action rlike """.*(users\\public\\|\\appdata\\roaming|programdata|powershell|rundll32|regsvr32|mshta.exe|cscript.exe|wscript.exe|cmd.exe|forfiles|msiexec).*""" and not scheduled_task_action like "localsystem*"
| keep scheduled_task_action, registry.path, agent.id
| stats count_agents = count_distinct(agent.id) by scheduled_task_action | where count_agents == 1
	// hunting on scheduled task via registry.data.bytes
	from logs-endpoint.events.registry-*
	\| where host.os.type == "windows" and event.category == "registry" and event.action == "modification" and
	registry.path like """HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\Actions"""
	\| eval scheduled_task_action = replace(TO_LOWER(FROM_BASE64(registry.data.bytes)), """\u0000""", "")
	\| eval scheduled_task_action = replace(scheduled_task_action, """(\u0003\fauthorfff\|\u0003\fauthorff\u000e)""", "")
	\| where scheduled_task_action rlike """.(users\\public\\\|\\appdata\\roaming\|programdata\|powershell\|rundll32\|regsvr32\|mshta.exe\|cscript.exe\|wscript.exe\|cmd.exe\|forfiles\|msiexec).""" and not scheduled_task_action like "localsystem*"
	\| keep scheduled_task_action, registry.path, agent.id
	\| stats count_agents = count_distinct(agent.id) by scheduled_task_action \| where count_agents == 1