This detection rule identifies potentially unauthorized connections to internal non-public IP addresses via Telnet, a protocol traditionally used for remote communication with devices. The rule monitors network connections initiated by the Telnet process, filtering out only those targeting private IP ranges, which could indicate lateral movement by threat actors attempting to exploit Telnet's capabilities in a targeted network. Given the shift towards more secure protocols like SSH, the use of Telnet is evaluated here for suspiciousness. False positive triggers are discussed, including benign Telnet traffic or automated scripts, suggesting the necessity for thorough review, contextual evaluation, and possible exclusions for legitimate users. Appropriate investigation steps and a robust response strategy form a critical part of handling alerts generated by this rule, aiming to shore up network defenses against unauthorized access attempts, while emphasizing the importance of incident isolation and credential management post-incident.