
Summary
This detection rule identifies potential Remote Desktop Protocol (RDP) tunneling over Secure Shell (SSH) by analyzing process execution data on Windows endpoints. RDP is typically blocked by network appliances, but attackers may bypass these restrictions by establishing a reverse SSH tunnel. The rule looks for command line arguments that combine the default RDP port (3389) with common SSH tunneling options. Matching events indicate an attempt to tunnel RDP traffic, allowing covert access by malicious actors to be detected.
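As an added illustration of the matching logic the summary describes (it is not the rule's own query, which this page does not show), the Python below applies the "port 3389 plus an SSH forwarding option" check to constructed process-creation events; the event field names and the set of forwarding switches are assumptions for this example.

```python
import shlex
from typing import Optional

# Constructed sample process-creation events, not records from a real host.
# The field names (process, cmdline) are an assumption for this example.
SAMPLE_EVENTS = [
    {"process": "ssh.exe",   "cmdline": "ssh.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.5"},
    {"process": "plink.exe", "cmdline": "plink.exe -R 0.0.0.0:3389:localhost:3389 -l user 203.0.113.5"},
    {"process": "ssh.exe",   "cmdline": "ssh.exe -L13389:10.0.0.8:3389 jump.example"},
    {"process": "mstsc.exe", "cmdline": "mstsc.exe /v:10.0.0.8:3389"},
    {"process": "ssh.exe",   "cmdline": "ssh.exe -L 8080:intranet:80 jump.example"},
]

TUNNEL_OPTS = ("-R", "-L", "-D")  # reverse, local and dynamic forwarding (OpenSSH/plink)
RDP_PORT = "3389"


def find_rdp_forward(cmdline: str) -> Optional[str]:
    """Return the port-forward spec that names port 3389, or None if absent."""
    argv = shlex.split(cmdline, posix=False)  # posix=False keeps Windows backslashes intact
    for i, tok in enumerate(argv):
        spec = None
        if tok in TUNNEL_OPTS and i + 1 < len(argv):
            spec = argv[i + 1]                 # separated form: "-R 3389:host:3389"
        elif tok[:2] in TUNNEL_OPTS and len(tok) > 2:
            spec = tok[2:]                     # attached form: "-R3389:host:3389"
        # Compare whole colon-separated fields so a port such as 13389 does not match.
        if spec and RDP_PORT in spec.split(":"):
            return spec
    return None


def scan(events):
    """Apply the check to each event and return the ones that would trigger the rule."""
    hits = []
    for ev in events:
        spec = find_rdp_forward(ev["cmdline"])
        if spec:
            hits.append({**ev, "forward": spec})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT {hit['process']}: forwards {hit['forward']}")
```

The mstsc.exe event is not flagged even though it names port 3389, because no SSH forwarding option is present; a legitimate administrative forward of 3389 would be flagged, so tuning by expected source hosts or users is needed in practice.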
Categories
- Endpoint
- Windows
Data Sources
- Process
- Command
- Network Traffic
ATT&CK Techniques
- T1572
- T1021
- T1021.004
Created: 2020-10-14