Potential SSH Tunnel Persistence Install Using A Scheduled Task

Detects the creation of new scheduled tasks from the command line using Schtasks.exe. This rule flags task creations whose action runs OpenSSH (ssh.exe with a key file, or sshd.exe with a config file), which may indicate the setup of a reverse SSH tunnel to the attacker's server.

Sigma rule

```yaml
title: Potential SSH Tunnel Persistence Install Using A Scheduled Task
id: 2daa93a0-a5fb-41c5-8cd8-3c11294bfd1f
status: experimental
description: Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
references:
    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
    - https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection
author: Rory Duncan
date: 2025-07-14
tags:
    - attack.persistence
    - attack.execution
    - attack.t1053.005
    - attack.command-and-control
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli_sshd:
        CommandLine|contains|all:
            - ' /create '
            - 'sshd.exe'
            - '-f'
    selection_cli_ssh:
        CommandLine|contains|all:
            - ' /create '
            - 'ssh.exe'
            - '-i'
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Unknown
level: high
```
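To see how the detection block above evaluates, here is an added example (not part of the rule or of the Sigma project) that hand-codes its three selections and the `selection_img and 1 of selection_cli_*` condition, then runs them over constructed process_creation events, including a renamed schtasks binary that only the OriginalFileName branch catches. Field names, paths and the 203.0.113.5 address are assumptions made for the sample events.

```python
# Added example, not part of the rule or of the Sigma project: a hand-written
# evaluator for this rule's detection block, run over constructed events.
# Sigma string matching is case-insensitive by default, mirrored via .lower().

IMG_ENDSWITH = "\\schtasks.exe"       # selection_img: the list means OR
IMG_ORIGINAL_NAME = "schtasks.exe"

CLI_SELECTIONS = {                     # each block is an AND of substrings
    "selection_cli_sshd": [" /create ", "sshd.exe", "-f"],
    "selection_cli_ssh": [" /create ", "ssh.exe", "-i"],
}

def _field(event, name):
    """Fetch a field as lower-case text; a missing field never matches."""
    return str(event.get(name, "")).lower()

def image_matches(event):
    """selection_img: path ends with \\schtasks.exe, or the PE's
    OriginalFileName is schtasks.exe (catches a renamed copy)."""
    return (_field(event, "Image").endswith(IMG_ENDSWITH)
            or _field(event, "OriginalFileName") == IMG_ORIGINAL_NAME)

def matching_cli_selections(event):
    """Names of the selection_cli_* blocks fully present in CommandLine."""
    cli = _field(event, "CommandLine")
    return [n for n, needles in CLI_SELECTIONS.items() if all(s in cli for s in needles)]

def matches_rule(event):
    """condition: selection_img and 1 of selection_cli_*"""
    return image_matches(event) and bool(matching_cli_selections(event))

# Constructed process_creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\SchTasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'SchTasks.exe /create /tn Updater /sc onlogon '
                    r'/tr "C:\Users\Public\ssh.exe -i C:\Users\Public\k u@203.0.113.5"'},
    {"Image": r"C:\Temp\st.exe", "OriginalFileName": "schtasks.exe",  # renamed binary
     "CommandLine": r'st.exe /create /tn Svc /sc onstart /ru SYSTEM '
                    r'/tr "C:\ProgramData\sshd.exe -f C:\ProgramData\sshd_config"'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r"schtasks.exe /create /tn Backup /sc daily /tr C:\Scripts\backup.cmd"},
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe", "OriginalFileName": "ssh.exe",
     "CommandLine": r"ssh.exe -i C:\Users\Public\k u@203.0.113.5"},  # not via schtasks
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(matches_rule(ev), matching_cli_selections(ev))
```

The first two events fire (one per `selection_cli_*` block), the benign backup task does not, and the direct ssh.exe launch fails the image gate even though its command line carries `ssh.exe` and `-i`.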
