Renamed Cloudflared.EXE Execution

Sigma Rules

Summary
This detection rule identifies the execution of a renamed copy of the "cloudflared" binary, a pattern often associated with unauthorized network tunneling. The rule leverages process creation events on Windows systems and uses a combination of command-line arguments and specific SHA-256 hashes to flag suspicious behavior. The detection logic includes checks for various cloudflared operations, including cleanup and tunneling, so that only relevant executions are flagged and false positives are reduced. The rule can enhance security by alerting administrators to potential misuse of cloud services, particularly in attack scenarios where command and control relies on persistent, stealthy network access through malicious tunnels. Regular monitoring of the events this rule generates can help organizations mitigate risks associated with attacker-controlled network connections that may exploit cloud services.
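As an added illustration of the logic the summary describes (not the rule's own YAML or the Sigma project's code), the Python below applies the same checks to constructed process-creation events: the image name is not cloudflared.exe, and either the command line carries cloudflared tunnel/cleanup arguments or the SHA-256 is in the rule's hash list. The hash values and the command-line marker groups are assumed placeholders, since the rule's real list is not reproduced on this page.

```python
import ntpath

# Constructed placeholder hashes; the rule's real SHA-256 list is not on this page,
# so a deployment would fill this set from the rule itself.
KNOWN_CLOUDFLARED_SHA256 = {
    "0" * 63 + "1",
    "0" * 63 + "2",
}

# Assumed marker groups: every fragment in a group must appear in the command line.
# Requiring "tunnel" plus a second cloudflared token keeps a bare "tunnel" word
# (an SSH tunnel script, a file name) from matching, which limits false positives.
CLOUDFLARED_CLI_MARKERS = (
    (" tunnel ", " run "),
    (" tunnel ", "--url"),
    (" tunnel ", " cleanup "),
)

def parse_event(line: str) -> dict:
    """Parse a constructed 'Key=Value | Key=Value' process-creation line."""
    event = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        event[key.strip()] = value.strip()
    return event

def is_renamed_cloudflared(event: dict) -> bool:
    """Flag cloudflared behaviour from a binary not named cloudflared.exe."""
    if ntpath.basename(event.get("Image", "")).lower() == "cloudflared.exe":
        return False  # the unrenamed binary is out of scope for this rule
    # Pad with spaces so tokens at either end still match the " tunnel " style markers.
    cmd = f" {event.get('CommandLine', '').lower()} "
    cli_match = any(all(m in cmd for m in group) for group in CLOUDFLARED_CLI_MARKERS)
    hash_match = event.get("SHA256", "").lower() in KNOWN_CLOUDFLARED_SHA256
    return cli_match or hash_match

def scan(lines: list) -> list:
    """Return the Image path of every event the rule logic flags."""
    return [e["Image"] for e in map(parse_event, lines) if is_renamed_cloudflared(e)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    "Image=C:\\Users\\Public\\svchost32.exe | CommandLine=svchost32.exe tunnel run --url http://127.0.0.1:3389 | SHA256=" + "0" * 63 + "1",
    "Image=C:\\Program Files (x86)\\cloudflared\\cloudflared.exe | CommandLine=cloudflared.exe tunnel run prod | SHA256=" + "0" * 63 + "1",
    "Image=C:\\Temp\\update.exe | CommandLine=update.exe --quiet | SHA256=" + "0" * 63 + "2",
    "Image=C:\\Windows\\System32\\notepad.exe | CommandLine=notepad.exe tunnel-notes.txt | SHA256=" + "a" * 64,
]
```

Swap `parse_event` for your SIEM's event schema; the two predicates in `is_renamed_cloudflared` are the part that mirrors the rule.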
Categories
  • Windows
  • Cloud
  • Network
Data Sources
  • Process
Created: 2023-12-20