Potential SSH Tunnel Persistence Install Using A Scheduled Task (2daa93a0-a5fb-41c5-8cd8-3c11294bfd1f)

Detects the creation of new scheduled tasks from the command line using Schtasks.exe. This rule detects the creation of tasks that call OpenSSH, which may indicate the creation of a reverse SSH tunnel to the attacker's server.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Potential SSH Tunnel Persistence Install Using A Scheduled Task (2daa93a0-a5fb-41c5-8cd8-3c11294bfd1f) | Sigma-Rules | Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) | Attack Pattern | 1 |
| Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) | Attack Pattern | Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) | Attack Pattern | 2 |