
Summary
This detection rule identifies potential tunneling or port forwarding activity on Linux systems carried out with command line utilities. Attackers often use tools that establish covert communication channels to evade detection and maintain persistent access to compromised machines. The rule uses a query to detect Linux processes whose command lines match patterns of networking commands attempting to connect to external IP addresses and ports. It guides analysts to examine suspicious processes involved in network communication, review the associated user's actions and logged-in status, and investigate any anomalous system behavior thoroughly. Using these utilities and a stepwise investigation method, security analysts can mitigate the risks associated with protocol tunneling and unauthorized access.
Categories
- Linux
- Endpoint
- Cloud
- Infrastructure
Data Sources
- Process
- Command
- Network Traffic
- Cloud Service
ATT&CK Techniques
- T1572 (Protocol Tunneling)
Created: 2025-12-12