From dc017f694a0d67f7869f2097e27f7d628f2f31eb Mon Sep 17 00:00:00 2001
From: Rory
Date: Mon, 14 Jul 2025 10:14:40 +0100
Subject: [PATCH] Merge PR #5146 from @resp404nse - Potential SSH Tunnel Persistence Install Using A Scheduled Task

new: Potential SSH Tunnel Persistence Install Using A Scheduled Task

---------

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 ...eation_win_schtasks_openssh_tunnelling.yml | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_schtasks_openssh_tunnelling.yml

diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_openssh_tunnelling.yml b/rules/windows/process_creation/proc_creation_win_schtasks_openssh_tunnelling.yml
new file mode 100644
index 000000000..3821b2c60
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_openssh_tunnelling.yml
@@ -0,0 +1,35 @@
+title: Potential SSH Tunnel Persistence Install Using A Scheduled Task
+id: 2daa93a0-a5fb-41c5-8cd8-3c11294bfd1f
+status: experimental
+description: Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
+references:
+ - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
+ - https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection
+author: Rory Duncan
+date: 2025-07-14
+tags:
+ - attack.persistence
+ - attack.execution
+ - attack.t1053.005
+ - attack.command-and-control
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_img:
+ - Image|endswith: '\schtasks.exe'
+ - OriginalFileName: 'schtasks.exe'
+ selection_cli_sshd:
+ CommandLine|contains|all:
+ - ' /create '
+ - 'sshd.exe'
+ - '-f'
+ selection_cli_ssh:
+ CommandLine|contains|all:
+ - ' /create '
+ - 'ssh.exe'
+ - '-i'
+ condition: selection_img and 1 of selection_cli_*
+falsepositives:
+ - Unknown
+level: high
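Review bot: The `'-f'` and `'-i'` tokens in selection_cli_sshd and selection_cli_ssh are two-character substrings that match almost any command line containing a hyphenated word or path fragment, so they add little discrimination beyond `' /create '` plus the binary name and the `contains|all` intent of "sshd with a config file" / "ssh with an identity file" is not really enforced; anchoring them as `- ' -f '` and `- ' -i '` keeps that intent while cutting noise. The description also has a grammar slip, `tasks creating that call OpenSSH` should read `tasks created that call OpenSSH`. Since legitimate automation (scheduled backup or sync jobs invoking ssh.exe with a key file) would fire this rule at level high, falsepositives could name that case rather than `Unknown` so triage knows what to check.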