Merge PR #5146 from @resp404nse - Potential SSH Tunnel Persistence Install Using A Scheduled Task

new: Potential SSH Tunnel Persistence Install Using A Scheduled Task
---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

rules/windows/process_creation/proc_creation_win_schtasks_openssh_tunnelling.yml

@@ -0,0 +1,35 @@
+title: Potential SSH Tunnel Persistence Install Using A Scheduled Task
+id: 2daa93a0-a5fb-41c5-8cd8-3c11294bfd1f
+status: experimental
+description: Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
+references:
+    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
+    - https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection
+author: Rory Duncan
+date: 2025-07-14
+tags:
+    - attack.persistence
+    - attack.execution
+    - attack.t1053.005
+    - attack.command-and-control
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_img:
+        - Image|endswith: '\schtasks.exe'
+        - OriginalFileName: 'schtasks.exe'
+    selection_cli_sshd:
+        CommandLine|contains|all:
+            - ' /create '
+            - 'sshd.exe'
+            - '-f'
+    selection_cli_ssh:
+        CommandLine|contains|all:
+            - ' /create '
+            - 'ssh.exe'
+            - '-i'
+    condition: selection_img and 1 of selection_cli_*
+falsepositives:
+    - Unknown
+level: high