
Summary
This detection rule identifies execution of Cloudflare's Quick Tunnel, a feature of the Cloudflared client that lets users securely tunnel local services such as HTTP, RDP, SSH, and SMB through ad-hoc tunnels. The rule aims to catch anomalous use of this capability, particularly in the context of malicious activity: threat actors such as the operators of Akira ransomware have been known to use Quick Tunnel to exfiltrate data or establish command-and-control communications. The detection fires when specific instances of the Cloudflared executable are run, in particular when they are invoked with command-line parameters that indicate a tunnel is being started. Hashes of known Cloudflared binaries are included to improve accuracy, helping the rule distinguish legitimate from potentially harmful executions. To reduce false positives from legitimate usage, the rule also takes into account the various command-line arguments that may indicate malicious intent.
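The following is an added example of how the logic described above can be expressed over process-creation telemetry; it is not the rule's own implementation. It assumes Sysmon Event ID 1 field names (Image, CommandLine, Hashes, User), uses a placeholder SHA-256 value in place of the real known-binary hashes, treats "tunnel --url", "tunnel run" and "access <rdp|ssh|smb|tcp>" as the tunnel-starting argument patterns (an assumed indicator set, since the page does not list the exact arguments), and runs over constructed sample events rather than real logs.

```python
"""Toy detector for Cloudflared Quick Tunnel execution in process-creation events.

Added example, not the detection rule's own implementation. Field names follow
the Sysmon Event ID 1 layout (Image, CommandLine, Hashes, User); the hash set,
the indicator argument set and the sample events are constructed assumptions.
"""
import shlex
from typing import Optional

# Placeholder SHA-256 standing in for the known-binary hashes the rule carries.
# This is NOT the hash of a real cloudflared release (assumption).
KNOWN_CLOUDFLARED_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}

# Protocols cloudflared can proxy with "cloudflared access <proto> ...".
# Assumed indicator set; the rule's exact argument list is not on the page.
ACCESS_PROTOCOLS = {"rdp", "ssh", "smb", "tcp"}


def sha256_from_hashes_field(hashes: str) -> Optional[str]:
    """Sysmon writes Hashes as 'SHA256=...,MD5=...'; return the SHA256 value."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def is_cloudflared(event: dict) -> bool:
    """Match on the image name, or on a known hash when the binary was renamed."""
    image = event.get("Image", "").lower().replace("/", "\\")
    if image.endswith("\\cloudflared.exe"):
        return True
    return sha256_from_hashes_field(event.get("Hashes", "")) in KNOWN_CLOUDFLARED_SHA256


def tunnel_indicator(command_line: str) -> Optional[str]:
    """Classify the command line; None for benign invocations such as
    'cloudflared --version' or 'cloudflared update' (false-positive control)."""
    try:
        tokens = shlex.split(command_line, posix=False)  # keep Windows backslashes
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = command_line.split()
    args = [t.strip('"').lower() for t in tokens[1:]]  # drop argv[0]
    has_url = any(a == "--url" or a.startswith("--url=") for a in args)
    if "tunnel" in args and has_url:
        return "quick_tunnel"        # ad-hoc tunnel to a local service
    if "tunnel" in args and "run" in args:
        return "named_tunnel_run"    # persistent, pre-registered tunnel
    if "access" in args and ACCESS_PROTOCOLS & set(args):
        return "access_proxy"        # RDP/SSH/SMB/TCP proxied over a tunnel
    return None


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert dict for a matching event, else None."""
    if not is_cloudflared(event):
        return None
    indicator = tunnel_indicator(event.get("CommandLine", ""))
    if indicator is None:
        return None
    return {
        "rule": "cloudflared_quick_tunnel_execution",
        "indicator": indicator,
        "image": event.get("Image"),
        "user": event.get("User"),
        "command_line": event.get("CommandLine"),
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\Downloads\cloudflared.exe", "User": r"LAB\bob",
     "CommandLine": r'"C:\Users\bob\Downloads\cloudflared.exe" tunnel --url http://localhost:3389',
     "Hashes": "SHA256=placeholder_unknown,MD5=placeholder"},
    {"Image": r"C:\Program Files\cloudflared\cloudflared.exe", "User": r"LAB\admin",
     "CommandLine": r'"C:\Program Files\cloudflared\cloudflared.exe" --version',
     "Hashes": "SHA256=placeholder_unknown,MD5=placeholder"},
    # Renamed binary: image name does not match, the known hash still does.
    {"Image": r"C:\ProgramData\svc.exe", "User": r"LAB\bob",
     "CommandLine": r"svc.exe access rdp --hostname rdp.example.internal --url localhost:3389",
     "Hashes": "SHA256=" + "0" * 63 + "1" + ",MD5=placeholder"},
    {"Image": r"C:\Windows\System32\cmd.exe", "User": r"LAB\bob",
     "CommandLine": r"cmd.exe /c echo tunnel --url", "Hashes": "SHA256=ff,MD5=ee"},
    {"Image": r"C:\Program Files\cloudflared\cloudflared.exe", "User": r"LAB\admin",
     "CommandLine": r'"C:\Program Files\cloudflared\cloudflared.exe" update',
     "Hashes": "SHA256=placeholder_unknown,MD5=placeholder"},
]


def run(events=SAMPLE_EVENTS) -> list:
    """Evaluate every event and return the alerts that fired."""
    return [alert for alert in (evaluate(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The two false-positive controls the page describes map to `tunnel_indicator` (version checks and updates produce no alert) and to the hash fallback in `is_cloudflared`, which keeps the rule effective against a renamed copy of the binary.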
Categories
- Cloud
- Windows
- Endpoint
Data Sources
- Process
Created: 2023-12-20