
Renamed VsCode Code Tunnel Execution - File Indicator

Sigma Rules

Summary
This rule detects use of the Visual Studio Code (VS Code) tunnel feature by a renamed binary. It watches for the creation of a file named "code_tunnel.json", which the VS Code command-line client writes when a tunnel is set up, and alerts when the image that created the file does not carry one of the file names used by the legitimate VS Code executables. The check is on the image name only, not on its path or signature, so it is specifically a renamed-binary indicator: an attacker who copies the VS Code client under an arbitrary name and starts a tunnel to obtain remote access through Microsoft's dev tunnel infrastructure still leaves "code_tunnel.json" on disk, but the creating image no longer matches the expected names. The rule is tagged as command-and-control because such a tunnel gives an operator interactive access to the host over a trusted domain. Note the limits of this approach: a copy of the VS Code client that keeps its original file name but runs from an unusual directory is not caught by this rule, and a false positive is possible if a legitimate wrapper or launcher with a different image name creates the file on the user's behalf.
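To make the detection logic concrete, the following added example (not code from the rule itself or from the SigmaHQ project) re-implements the described check in Python and runs it over a handful of constructed Sysmon Event ID 11 (FileCreate) records. The set of image names treated as legitimate VS Code executables is an assumption for this example and should be taken from the rule source; the sample events are made up and are not real telemetry. The fourth record shows the gap called out above: a copy of the client that keeps its original file name but runs from a download folder is not flagged by a name-only check.

```python
import ntpath

# Image file names treated as legitimate VS Code binaries. This set is an
# assumption for this example; consult the rule source for the real list.
LEGIT_VSCODE_IMAGES = {"code.exe", "code-tunnel.exe"}


def is_renamed_tunnel_event(event: dict) -> bool:
    """Return True when a file-create event matches the rule logic:
    the target file is code_tunnel.json and the creating image does not
    carry a recognized VS Code file name.
    """
    target = event.get("TargetFilename", "")
    image = event.get("Image", "")
    # Windows paths are case-insensitive, so normalize both names.
    if ntpath.basename(target).lower() != "code_tunnel.json":
        return False
    return ntpath.basename(image).lower() not in LEGIT_VSCODE_IMAGES


# Constructed sample Sysmon Event ID 11 (FileCreate) records; not real telemetry.
SAMPLE_EVENTS = [
    # 1. Legitimate client writing the tunnel state file: no alert.
    {"EventID": 11,
     "Image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\bin\code-tunnel.exe",
     "TargetFilename": r"C:\Users\alice\.vscode-cli\code_tunnel.json"},
    # 2. Client renamed to masquerade as a system binary: alert.
    {"EventID": 11,
     "Image": r"C:\Users\Public\Music\svchost.exe",
     "TargetFilename": r"C:\Users\Public\.vscode-cli\code_tunnel.json"},
    # 3. Renamed client, file name in upper case: still an alert.
    {"EventID": 11,
     "Image": r"C:\Windows\Temp\update.exe",
     "TargetFilename": r"C:\Windows\Temp\CODE_TUNNEL.JSON"},
    # 4. Original file name from an unusual directory: name-only check passes,
    #    so this rule does not fire (a path-based rule would be needed).
    {"EventID": 11,
     "Image": r"C:\Users\bob\Downloads\code.exe",
     "TargetFilename": r"C:\Users\bob\.vscode-cli\code_tunnel.json"},
    # 5. Similar but different file name: no alert.
    {"EventID": 11,
     "Image": r"C:\Users\alice\tool.exe",
     "TargetFilename": r"C:\Users\alice\notes\code_tunnel.json.bak"},
]


def alerts(events) -> list:
    """Return the images of all events that match the rule."""
    return [e["Image"] for e in events if is_renamed_tunnel_event(e)]


if __name__ == "__main__":
    for img in alerts(SAMPLE_EVENTS):
        print("ALERT renamed VS Code tunnel client:", img)
```

Running the script prints two alerts, for records 2 and 3. Record 4 is deliberately left unflagged to show that this file indicator complements, rather than replaces, rules that key on the image path or on process-creation telemetry for the tunnel command line.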
Categories
  • Endpoint
  • Windows
Data Sources
  • File
  • Process
  • Image
Created: 2023-10-25