
ssh.exe Execution

Anvilogic Forge

Summary
The detection rule monitors for executions of the `ssh.exe` binary, a legitimate SSH client present on Windows systems. Although the tool is designed for secure shell access to remote servers, attackers can misuse it for covert communications, remote command execution, and tunneling, behavior consistent with Living Off The Land (LOTL) tradecraft. The association with the known threat actor APT28 underscores the value of monitoring such processes, since sophisticated adversaries often leverage them to evade detection while maintaining persistence in a target environment. The logic uses Splunk commands to filter endpoint data for instances of `ssh.exe` execution and compiles metrics that display the process's details, including time of execution, user, and host information.
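The rule itself is written in Splunk SPL and is not reproduced here. As an added illustration of the same detection logic, the following Python is not Anvilogic's code: it runs the match over a handful of constructed process-creation records (the field names `_time`, `host`, `user`, `process_path`, `command_line` are assumptions for this example, not the Forge schema) and aggregates the results by host and user the way a Splunk `stats` clause would.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry), shaped like normalized
# Windows process-creation records (e.g. Sysmon Event ID 1 or Security 4688).
# Field names are assumptions for this example, not the Forge rule's schema.
SAMPLE_EVENTS = [
    {"_time": "2024-02-09T08:12:01Z", "host": "WS-101", "user": "CORP\\alice",
     "process_path": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "command_line": "ssh.exe alice@jump01.corp.example"},
    {"_time": "2024-02-09T08:15:44Z", "host": "WS-101", "user": "CORP\\alice",
     "process_path": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c ipconfig /all"},
    {"_time": "2024-02-09T09:02:10Z", "host": "SRV-DB01", "user": "CORP\\svc_backup",
     "process_path": "C:\\Windows\\System32\\OpenSSH\\SSH.EXE",
     "command_line": "SSH.EXE -N user@203.0.113.5"},
    {"_time": "2024-02-09T09:40:33Z", "host": "WS-101", "user": "CORP\\alice",
     "process_path": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "command_line": "ssh.exe alice@jump01.corp.example"},
    {"_time": "2024-02-09T10:05:00Z", "host": "WS-202", "user": "CORP\\bob",
     "process_path": "C:\\Tools\\ssh.exe.bak",
     "command_line": "ssh.exe.bak"},
]


def is_ssh_exe(event):
    """Match on the image basename, case-insensitively, so a copy of ssh.exe
    run from outside the OpenSSH directory still matches, while names that
    merely contain 'ssh.exe' (such as ssh.exe.bak) do not."""
    name = PureWindowsPath(event.get("process_path", "")).name
    return name.lower() == "ssh.exe"


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamp used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize_ssh_executions(events):
    """Group matching events by (host, user) and compute the stats a triage
    analyst wants: count, first/last seen, and distinct command lines."""
    groups = defaultdict(list)
    for ev in events:
        if is_ssh_exe(ev):
            groups[(ev["host"], ev["user"])].append(ev)

    rows = []
    for (host, user), evs in sorted(groups.items()):
        times = sorted(parse_time(e["_time"]) for e in evs)
        rows.append({
            "host": host,
            "user": user,
            "count": len(evs),
            "first_seen": times[0].isoformat(),
            "last_seen": times[-1].isoformat(),
            "command_lines": sorted({e["command_line"] for e in evs}),
        })
    return rows


if __name__ == "__main__":
    for row in summarize_ssh_executions(SAMPLE_EVENTS):
        print(json.dumps(row))
```

Because `ssh.exe` is a legitimate client that administrators use daily, a bare execution match produces volume; in practice the per-host, per-user aggregation above is what makes the output triageable, and the equivalent Splunk search would end in a clause such as `stats count min(_time) max(_time) values(command_line) by host user` so that known administrative hosts and accounts can be baselined and tuned out while new host/user pairs surface for review.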
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • Process
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1202
  • T1572
Created: 2024-02-09