
Summary
This detection rule identifies attempts by adversaries to use Visual Studio Code (VS Code) tunnel execution to establish command and control (C2) channels. Because the tunnel relies on application-layer protocols that resemble legitimate web traffic, malicious actors can blend their communications into normal traffic and evade detection measures. The rule monitors command executions related to VS Code tunnels, including cases where the executable has been renamed to bypass security controls that key on the file name. It matches on command line arguments such as '--name' and '--accept-server-license-terms', which are typically present in such attempts. The rule applies these checks to identify the executions accurately and logs the relevant process information for analysis.
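To illustrate the argument-based matching the summary describes, the following is an added Python example, not the rule's own logic or any vendor code: it flags process events by the 'tunnel' subcommand and the listed flags on the command line rather than by the image name, so a renamed binary still matches. The sample events are constructed.

```python
import shlex
from dataclasses import dataclass

# Markers of VS Code tunnel execution named in the rule description.
TUNNEL_VERB = "tunnel"
TUNNEL_FLAGS = {"--name", "--accept-server-license-terms"}


@dataclass
class ProcessEvent:
    image: str         # executable path as recorded by the endpoint sensor
    command_line: str  # raw command line of the process


def _argv(command_line: str) -> list[str]:
    # Non-POSIX mode keeps backslashes in Windows paths intact; quotes are stripped.
    return [tok.strip('"') for tok in shlex.split(command_line, posix=False)]


def is_vscode_tunnel_execution(ev: ProcessEvent) -> bool:
    """True when the command line looks like a VS Code tunnel invocation.

    The image name is deliberately ignored so that a renamed executable
    (the evasion the rule description calls out) is still detected."""
    argv = _argv(ev.command_line)
    if len(argv) < 2:
        return False
    verbs = {a.lower() for a in argv[1:]}
    if TUNNEL_VERB not in verbs:
        return False
    # Normalise "--name=foo" and "--name foo" to the bare flag before matching.
    flags = {a.split("=", 1)[0].lower() for a in argv[1:] if a.startswith("--")}
    return bool(flags & TUNNEL_FLAGS)


def scan(events: list[ProcessEvent]) -> list[str]:
    """Return the image paths of events that trigger the detection."""
    return [ev.image for ev in events if is_vscode_tunnel_execution(ev)]


# Constructed sample events (hypothetical paths and names).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft VS Code\code.exe",
                 r'"C:\Program Files\Microsoft VS Code\code.exe" tunnel --accept-server-license-terms --name devbox'),
    ProcessEvent(r"C:\Users\Public\updater.exe",          # renamed VS Code CLI
                 r"updater.exe tunnel --name=build01"),
    ProcessEvent(r"C:\Program Files\Docker\docker.exe",   # '--name' without 'tunnel': benign
                 r"docker.exe run --name web nginx"),
    ProcessEvent(r"C:\Program Files\Microsoft VS Code\code.exe",
                 r"code.exe --goto C:\src\main.c:10"),     # ordinary editor launch
]

if __name__ == "__main__":
    for image in scan(SAMPLE_EVENTS):
        print("VS Code tunnel execution:", image)
```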
Categories
- Endpoint
- Application
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1071.001
- T1071
Created: 2024-02-09