
Summary
This rule aims to detect the potential installation of persistence mechanisms via SSH tunneling using the 'schtasks' command on Windows systems. Specifically, it identifies new scheduled tasks created through the command-line tool Schtasks.exe whose task action invokes either 'sshd.exe' or 'ssh.exe'. The presence of such tasks could indicate an adversary's effort to establish a reverse SSH tunnel, allowing them to maintain access to the compromised system beyond the initial intrusion. By monitoring process creation events for Schtasks.exe together with its command-line parameters, this rule provides visibility into potentially malicious persistence strategies that use SSH to communicate with an attacker-controlled server.
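As an added illustration (not part of the rule itself), the following Python evaluates constructed Sysmon-style process-creation events against the logic described above; it assumes `Image` and `CommandLine` fields and narrows the match to `schtasks /create` invocations whose `/tr` action names `ssh.exe` or `sshd.exe`, so a bare "ssh" substring elsewhere on the command line does not fire.

```python
import shlex
from typing import Optional

SSH_BINARIES = ("ssh.exe", "sshd.exe")

# Constructed Sysmon-style process-creation events; paths and hosts are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "OpenSSH Helper" /tr "C:\Windows\System32\OpenSSH\ssh.exe -N placeholder@example.invalid" /sc onlogon'},
    {"Image": r"C:\Windows\System32\SCHTASKS.EXE",
     "CommandLine": r'SCHTASKS.EXE /Create /TN Svc /TR "C:\Program Files\OpenSSH\sshd.exe" /SC ONSTART /RU SYSTEM'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn Backup /tr "C:\Tools\backup.exe --ssh" /sc daily'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Windows\System32\OpenSSH\ssh.exe -V"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /query /tn Svc"},
]

def is_schtasks(image: str) -> bool:
    """Match on the image file name only, case-insensitively."""
    return image.lower().rsplit("\\", 1)[-1] == "schtasks.exe"

def task_action(command_line: str) -> Optional[str]:
    """Return the /tr (task-run) argument of a schtasks /create command, else None."""
    try:
        # posix=False keeps Windows backslashes literal and quoted paths intact.
        tokens = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: nothing we can parse
        return None
    lowered = [t.lower() for t in tokens]
    if "/create" not in lowered:
        return None
    for i, tok in enumerate(lowered):
        if tok == "/tr" and i + 1 < len(tokens):
            return tokens[i + 1].strip('"')
    return None

def matches_rule(event: dict) -> bool:
    """True when schtasks.exe creates a task whose action runs ssh.exe or sshd.exe."""
    if not is_schtasks(event.get("Image", "")):
        return False
    action = task_action(event.get("CommandLine", ""))
    if action is None:
        return False
    # Look for the binary name, not the bare string "ssh", to avoid hits on "--ssh".
    return any(name in action.lower() for name in SSH_BINARIES)

def flagged_events(events: list) -> list:
    """Filter a batch of events down to those matching the rule."""
    return [e for e in events if matches_rule(e)]
```

Running `flagged_events(SAMPLE_EVENTS)` returns the first two events only; the `/query` call, the `--ssh` argument and the `cmd.exe`-launched `ssh.exe` are all left alone.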
Categories
- Endpoint
- Windows
Data Sources
- Scheduled Job
- Process
Created: 2025-07-14