Potential SSH Tunnel Persistence Install Using A Scheduled Task (2daa93a0-a5fb-41c5-8cd8-3c11294bfd1f)
Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.