Potential SSH Tunnel Persistence Install Using A Scheduled Task

Rule Info

Name: Potential SSH Tunnel Persistence Install Using A Scheduled Task
Author: Rory Duncan
Description: Detects the creation of new scheduled tasks via the command line using Schtasks.exe. This rule detects task creations that call OpenSSH, which may indicate the creation of a reverse SSH tunnel to the attacker's server.
Date: 2025-07-14 00:00:00
Modified: None
Id: 2daa93a0-a5fb-41c5-8cd8-3c11294bfd1f
Tags: attack.persistence attack.execution attack.t1053.005 attack.command-and-control
Type: Community Rule

Rule History

Author: Rory
Title: Merge PR #5146 from @resp404nse - Potential SSH Tunnel Persistence Install Using A Scheduled Task
Date: 2025-07-14
Commit: