
Summary
This rule detects execution of the EarthWorm (ew) tunneler, which adversaries use to tunnel network traffic through a compromised host and bypass network security controls. It matches process command lines that carry the flags '-s' and '-d' together with the token 'rssocks': in EarthWorm, '-s rssocks' selects reverse SOCKS mode and '-d' names the remote host the tunnel connects back to, so this combination indicates that a user (or an implant) is standing up a reverse SOCKS tunnel. A process matching the pattern is an early indicator of covert tunneling rather than proof of compromise on its own. The investigation guide that accompanies the rule covers analysing the associated network activity, identifying the user and actions behind the process, and assessing the integrity of the host. It also addresses false-positive scenarios, stressing that the context of the activity decides whether it is malicious, and lists remediation steps for confirmed threats.
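The matching logic the summary describes, run over a handful of constructed process-start events, as an added worked example; this is not the rule's own query, whose language and field names are not shown on this page. The event schema (`ProcessEvent` with a process name and a command line), the `Alert` record, and the '-e' handling (EarthWorm's remote-port switch, included so an analyst gets the tunnel endpoint) are assumptions of this example:

```python
"""Added worked example (not the rule's own query): the three conditions from
the summary ('-s', '-d' and 'rssocks' in the command line) applied to
constructed process-start events. Field names and event shape are assumed.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessEvent:
    """A minimal process-start record (constructed, not a real log schema)."""
    process_name: str
    command_line: str


@dataclass
class Alert:
    """What an analyst wants when the rule fires: the reverse-tunnel endpoint."""
    process_name: str
    remote_host: Optional[str]   # value following -d, if any
    remote_port: Optional[str]   # value following -e, if any (assumed switch)
    command_line: str


def _value_after(args: List[str], flag: str) -> Optional[str]:
    """Return the argument that follows `flag`, or None if absent or trailing."""
    for i, a in enumerate(args[:-1]):
        if a == flag:
            return args[i + 1]
    return None


def match_earthworm(event: ProcessEvent) -> Optional[Alert]:
    """Apply the rule's three conditions to one event.

    All must hold: the '-s' flag, the '-d' flag, and the token 'rssocks'
    somewhere in the arguments (compared case-insensitively, since a
    renamed or recompiled binary still uses the same switches).
    """
    try:
        args = shlex.split(event.command_line)
    except ValueError:
        return None  # unbalanced quotes: not a well-formed command line
    if "-s" not in args or "-d" not in args:
        return None
    if not any(a.lower() == "rssocks" for a in args):
        return None
    return Alert(
        process_name=event.process_name,
        remote_host=_value_after(args, "-d"),
        remote_port=_value_after(args, "-e"),
        command_line=event.command_line,
    )


def run_detection(events: List[ProcessEvent]) -> List[Alert]:
    """Run the matcher over a batch of events and keep only the hits."""
    hits = []
    for ev in events:
        alert = match_earthworm(ev)
        if alert is not None:
            hits.append(alert)
    return hits


# Constructed sample telemetry (TEST-NET addresses, not real infrastructure).
SAMPLE_EVENTS = [
    # Classic reverse SOCKS launch: connects back to 203.0.113.10:8888.
    ProcessEvent("ew", "./ew -s rssocks -d 203.0.113.10 -e 8888"),
    # Renamed binary, upper-case mode token: still matches.
    ProcessEvent("ew_for_linux64",
                 "/tmp/.x/ew_for_linux64 -s RSSOCKS -d 198.51.100.5 -e 1080"),
    # Forward SOCKS server mode: has -s but no -d and no rssocks, so no alert.
    ProcessEvent("ew", "./ew -s ssocksd -l 1080"),
    # Unrelated tool that happens to use -s and -d: no rssocks token, no alert.
    ProcessEvent("mycopy", "mycopy -s /srv/data -d /mnt/backup"),
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(f"EarthWorm rssocks: {alert.process_name} -> "
              f"{alert.remote_host}:{alert.remote_port}  [{alert.command_line}]")
```

The third sample event is the caveat a practitioner should keep in mind: because all three conditions are required, EarthWorm launched in its other modes (a forward 'ssocksd' server, or the lcx port-forwarding modes) does not trigger this rule, so it should be paired with detections for the resulting network behaviour rather than relied on alone.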
Categories
- Endpoint
Data Sources
- Process
- Container
- Network Traffic
- User Account
- Application Log
ATT&CK Techniques
- T1572
Created: 2021-04-12