
Potential Protocol Tunneling via Yuze

Elastic Detection Rules

Summary
Detects execution of Yuze, a lightweight open-source tunneling tool used for intranet penetration and pivoting. Yuze supports forward and reverse SOCKS5 proxy tunneling and is typically invoked by loading yuze.dll via rundll32.exe with the RunYuze export (e.g., rundll32 yuze.dll,RunYuze reverse -c <ip>:<port>). This rule flags Windows process-start events in which rundll32 loads yuze.dll and calls RunYuze, inspecting the process command-line arguments for indicators such as reverse mode with -c and -s, or forward proxy mode with -l. The detection aggregates telemetry from multiple endpoint and EDR sources to identify potential protocol tunneling used for C2 or traffic pivoting. It maps to MITRE ATT&CK T1572 (Protocol Tunneling) under the Command and Control tactic. The rule is designed to trigger when Yuze is loaded from an unsigned context, aiding rapid investigation and containment across telemetry sources.
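The command-line indicators described above, applied to a few constructed process-start events as an added illustration (this is not the Elastic rule's own query, which the page does not reproduce). It assumes ECS-style field names, a hypothetical `process.code_signature.trusted` flag standing in for the "unsigned context" condition, and sample command lines built from the summary:

```python
import re

# Constructed sample process-start events using ECS-style field names (not
# real telemetry); the IP is from the 203.0.113.0/24 documentation range.
SAMPLE_EVENTS = [
    {"process.command_line": "rundll32.exe yuze.dll,RunYuze reverse -c 203.0.113.10:8443",
     "process.code_signature.trusted": False},
    {"process.command_line": 'rundll32 "C:\\Users\\Public\\yuze.dll",RunYuze -l 1080',
     "process.code_signature.trusted": False},
    {"process.command_line": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "process.code_signature.trusted": True},
    {"process.command_line": "notepad.exe yuze.dll,RunYuze",
     "process.code_signature.trusted": True},
]

# The "<path>yuze.dll,RunYuze" token is how rundll32 selects the export.
_RUNYUZE = re.compile(r'yuze\.dll"?,runyuze$', re.IGNORECASE)


def classify_yuze_mode(command_line):
    """Return 'reverse', 'forward' or None, using the indicators the rule
    summary names: rundll32 + yuze.dll,RunYuze, then -c/-s (reverse) or -l."""
    tokens = command_line.split()
    if not tokens:
        return None
    image = tokens[0].lower().rsplit("\\", 1)[-1].strip('"')
    if not image.startswith("rundll32"):
        return None
    if not any(_RUNYUZE.search(t) for t in tokens[1:]):
        return None
    flags = {t.lower() for t in tokens[1:]}
    if "reverse" in flags and flags & {"-c", "-s"}:
        return "reverse"
    if "-l" in flags:
        return "forward"
    return None


def find_yuze_tunneling(events):
    """Return (index, mode) for matching events. Assumption: an unsigned
    context is process.code_signature.trusted being false or absent."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("process.code_signature.trusted"):
            continue  # signed context: outside the rule's stated scope
        mode = classify_yuze_mode(ev.get("process.command_line", ""))
        if mode:
            hits.append((i, mode))
    return hits
```

Running `find_yuze_tunneling(SAMPLE_EVENTS)` returns the first two events (reverse and forward mode) and ignores the benign rundll32 and notepad launches, which is the triage split an analyst would expect from this rule.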
Categories
  • Windows
  • Endpoint
  • Network
Data Sources
  • Process
  • Command
  • Network Traffic
ATT&CK Techniques
  • T1572
Created: 2026-03-18