Potential SSH Tunnel Persistence Install Using A Scheduled Task
Detects the creation of new scheduled tasks via the command line using Schtasks.exe. This rule detects the creation of tasks that call OpenSSH, which may indicate the creation of a reverse SSH tunnel to the attacker's server.
Sigma rule

```yaml
title: Potential SSH Tunnel Persistence Install Using A Scheduled Task
id: 2daa93a0-a5fb-41c5-8cd8-3c11294bfd1f
status: experimental
description: Detects the creation of new scheduled tasks via the command line using Schtasks.exe. This rule detects the creation of tasks that call OpenSSH, which may indicate the creation of a reverse SSH tunnel to the attacker's server.
references:
    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
    - https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection
author: Rory Duncan
date: 2025-07-14
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1053.005
    - attack.command-and-control
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli_sshd:
        CommandLine|contains|all:
            - ' /create '
            - 'sshd.exe'
            - '-f'
    selection_cli_ssh:
        CommandLine|contains|all:
            - ' /create '
            - 'ssh.exe'
            - '-i'
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Unknown
level: high
```
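To see how the rule's selections combine, the following added example (not part of the Sigma repository or this rule) re-implements its matching logic in plain Python and runs it over a few constructed process_creation events; Sigma's default case-insensitive string comparison is assumed, and the event field names follow the rule.

```python
# Constructed Windows process_creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /sc minute /mo 5 '
                    r'/tr "C:\Windows\System32\OpenSSH\ssh.exe -i C:\Users\Public\id_rsa svc@203.0.113.10"'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'SCHTASKS /Create /tn "OpenSSH" /sc onstart /ru SYSTEM '
                    r'/tr "C:\Windows\System32\OpenSSH\sshd.exe -f C:\ProgramData\ssh\sshd_config"'},
    # Benign scheduled task: schtasks /create without any OpenSSH binary.
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Cleanup" /sc daily /tr "C:\Windows\System32\cleanmgr.exe /sagerun:1"'},
    # Task deletion: ' /create ' is absent, so neither CLI selection applies.
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /delete /tn "Updater" /f'},
]

# Each selection_cli_* is a 'contains|all' list: every needle must appear.
SELECTION_CLI = {
    "selection_cli_sshd": [" /create ", "sshd.exe", "-f"],
    "selection_cli_ssh": [" /create ", "ssh.exe", "-i"],
}

def _lower(value):
    # Sigma compares strings case-insensitively unless |cased is used.
    return (value or "").lower()

def selection_img(event):
    # Two maps in one list under selection_img are OR-ed together.
    return (_lower(event.get("Image")).endswith(r"\schtasks.exe")
            or _lower(event.get("OriginalFileName")) == "schtasks.exe")

def selection_cli(event, needles):
    cmdline = _lower(event.get("CommandLine"))
    return all(n.lower() in cmdline for n in needles)

def matches(event):
    """condition: selection_img and 1 of selection_cli_*
    Returns the names of the CLI selections that fired, or None."""
    if not selection_img(event):
        return None
    fired = [name for name, needles in SELECTION_CLI.items()
             if selection_cli(event, needles)]
    return fired or None

def run(events):
    # Index/selection pairs for every event the rule would alert on.
    return [(i, matches(e)) for i, e in enumerate(events) if matches(e)]

if __name__ == "__main__":
    for idx, fired in run(EVENTS):
        print(f"event {idx}: {', '.join(fired)}")
```

Note that the short needles ('-f', '-i') are deliberately loose, so tuning for your environment should focus on the scheduled task's /tr target rather than on those switches alone.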
Related rules
- ChromeLoader Malware Execution
- Defrag Deactivation
- Kapeka Backdoor Persistence Activity
- Persistence and Execution at Scale via GPO Scheduled Task
- Potential ACTINIUM Persistence Activity