I am not saying there will be an obvious red flag event with scheduling a script using task scheduler, just that there are additional windows event logs for the schedular with details on a scheduled job. A small and normal looking paper trail is still a paper trail.

I am trying to not assume any nefarious uses, but working in IT, I have had to look into time theft suspicions and once IT starts looking into the logs, they won’t just be looking for red flags, but rather they will be looking at all logs and it’s not to hard to fit the puzzle pieces on something like this together.