
Summary
Anomaly detection for execution of PuTTY suite utilities (putty.exe, pscp.exe, plink.exe, psftp.exe, puttygen.exe) on Windows endpoints. PuTTY tools provide SSH sessions, file transfers, and remote command execution; when launched in unusual contexts or by non-privileged users, they may indicate unauthorized remote access, lateral movement, or data exfiltration. This rule uses telemetry from Sysmon process creation (EventID 1), Windows Security log 4688 process creation events, and CrowdStrike ProcessRollup2 to identify launches whose image name or original_file_name matches a PuTTY binary. It maps results to the Endpoint CIM data model for cross-sensor correlation and supports drilldowns by process, parent process, user, and destination. Recommended tuning includes whitelisting approved administrative usage to reduce false positives and correlating with authentication and network activity.
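The matching and tuning logic the summary describes, as an added example that is not the rule's own query: it assumes process-creation events from the three sensors have already been normalized to Endpoint CIM-style field names (process_name, original_file_name, parent_process_name, user, dest), compares both the image name and the PE original file name against the PuTTY binary list so a renamed copy still matches, suppresses a hypothetical allowlist of approved administrative usage, and offers a pivot helper for the drilldown fields. The sample events and the original_file_name strings in them are constructed for the example; verify the OriginalFileName values against your own telemetry.

```python
from collections import Counter

# Constructed sample events, already normalized to Endpoint CIM-style fields.
# The original_file_name values (PuTTY, Plink, PSCP) are assumed here; confirm
# them against the PE headers of the PuTTY builds deployed in your environment.
SAMPLE_EVENTS = [
    {"source": "sysmon:1", "process_name": "C:\\Program Files\\PuTTY\\putty.exe",
     "original_file_name": "PuTTY", "parent_process_name": "C:\\Windows\\explorer.exe",
     "user": "CORP\\jumpadmin", "dest": "WKS-ADMIN01"},
    {"source": "wineventlog:4688", "process_name": "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe",
     "original_file_name": "Plink",
     "parent_process_name": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "user": "CORP\\bob", "dest": "WKS-FIN07"},
    {"source": "crowdstrike:ProcessRollup2", "process_name": "C:\\Tools\\pscp.exe",
     "original_file_name": "PSCP", "parent_process_name": "C:\\Windows\\System32\\cmd.exe",
     "user": "CORP\\svc_backup", "dest": "SRV-DB02"},
    {"source": "sysmon:1", "process_name": "C:\\Windows\\System32\\notepad.exe",
     "original_file_name": "NOTEPAD.EXE", "parent_process_name": "C:\\Windows\\explorer.exe",
     "user": "CORP\\bob", "dest": "WKS-FIN07"},
]

# PuTTY suite binaries from the rule, without extension so the PE original
# file name ("PuTTY", "Plink") and the image name ("putty.exe") compare equally.
PUTTY_STEMS = {"putty", "pscp", "plink", "psftp", "puttygen"}

# Hypothetical tuning allowlist: (user, parent image) pairs for approved admin use.
APPROVED = {("corp\\jumpadmin", "explorer.exe")}


def basename(path):
    """Lower-cased file name component of a Windows path (or a bare name)."""
    return (path or "").lower().rsplit("\\", 1)[-1]


def stem(name):
    """basename without a trailing .exe."""
    b = basename(name)
    return b[:-4] if b.endswith(".exe") else b


def is_putty(event):
    """True when either the image name or the original file name is a PuTTY tool."""
    return (stem(event.get("process_name")) in PUTTY_STEMS
            or stem(event.get("original_file_name")) in PUTTY_STEMS)


def is_approved(event):
    """Allowlist check on the (user, parent image) pair."""
    return ((event.get("user") or "").lower(),
            basename(event.get("parent_process_name"))) in APPROVED


def detect(events):
    """Return PuTTY launches not covered by the allowlist, tagged with what matched."""
    hits = []
    for e in events:
        if not is_putty(e) or is_approved(e):
            continue
        renamed = stem(e.get("process_name")) not in PUTTY_STEMS
        hits.append({**e, "match": "original_file_name" if renamed else "process_name"})
    return hits


def pivot(hits, field):
    """Drilldown helper: count hits by process_name, parent_process_name, user or dest."""
    return Counter(basename(h.get(field)) if field.endswith("process_name") else h.get(field)
                   for h in hits)


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(h["source"], basename(h["process_name"]), h["user"], h["dest"], "via", h["match"])
```

Running the block flags the renamed Plink copy launched from PowerShell and the pscp.exe run by the backup service account, while the approved jumpadmin session from explorer.exe is suppressed.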
Categories
- Endpoint
- Windows
Data Sources
- Sensor Health
- Windows Registry
- Cloud Storage
ATT&CK Techniques
- T1021.004
Created: 2026-04-13