Potential Linux Tunneling and/or Port Forwarding

Elastic Detection Rules

Summary
This detection rule monitors for the invocation of Linux utilities commonly associated with tunneling and port forwarding, which attackers frequently use to bypass security controls, establish covert communication channels, and reach internal systems they should not be able to access. The rule specifically looks for processes such as 'gost', 'ssh', 'sshd', 'sshuttle', 'socat', 'chisel', and others, and inspects their command-line arguments for signs of tunneling behaviour. Events are collected from endpoint telemetry of multiple sources, including CrowdStrike and SentinelOne, and are processed in Elasticsearch. The rule includes an investigation guide that outlines follow-up steps for security analysts, such as examining the user's behaviour and any anomalous network activity, and lists potential false-positive scenarios. This rule is designed for production environments and integrates with the Elastic Stack starting from version 8.13.0, due to breaking changes in the SentinelOne integration.
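The summary says the rule pairs a watchlist of tunneling utilities with command-line inspection. The script below is an added example of that approach run over constructed process events; it is not the rule's own query, and the per-tool argument patterns (ssh -L/-R/-D/-w, socat LISTEN addresses, chisel client/server, gost -L/-F) are my own assumptions.

```python
import shlex
from dataclasses import dataclass

# Utilities named in the rule summary. The argument checks below are my own
# approximation of "signs of tunneling behaviour", not the rule's actual query.
TUNNEL_TOOLS = {"gost", "ssh", "sshd", "sshuttle", "socat", "chisel"}
SSH_FORWARD_FLAGS = {"-L", "-R", "-D", "-w"}  # local, remote, dynamic, tun forwarding

@dataclass
class ProcessEvent:
    host: str
    user: str
    process_name: str
    command_line: str

def is_tunneling(evt: ProcessEvent) -> bool:
    """True when a watched tool is invoked with forwarding-style arguments."""
    if evt.process_name not in TUNNEL_TOOLS:
        return False
    try:
        args = shlex.split(evt.command_line)[1:]
    except ValueError:
        return True  # unparseable command line from a watched tool: surface it
    name = evt.process_name
    if name in ("ssh", "sshd"):
        return any(a[:2] in SSH_FORWARD_FLAGS for a in args)
    if name == "socat":
        return any("LISTEN:" in a.upper() for a in args)  # e.g. TCP-LISTEN:port,fork
    if name == "chisel":
        return bool(args) and args[0] in ("client", "server")
    if name == "gost":
        return any(a.startswith(("-L", "-F")) for a in args)  # listen / forward chain
    return True  # sshuttle: any invocation is a tunnel by design

def scan(events):
    """Return the events that would raise an alert, for analyst triage."""
    return [e for e in events if is_tunneling(e)]

# Constructed sample process events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("web01", "deploy", "ssh", "ssh -L 8080:10.0.0.5:80 user@jump"),
    ProcessEvent("web01", "deploy", "ssh", "ssh user@jump"),
    ProcessEvent("db02", "root", "socat", "socat TCP-LISTEN:4444,fork TCP:10.0.0.5:22"),
    ProcessEvent("db02", "root", "chisel", "chisel client 203.0.113.10:8000 R:socks"),
    ProcessEvent("db02", "root", "grep", "grep -r tunnel /etc"),
    ProcessEvent("app03", "svc", "gost", "gost -L=:8080"),
    ProcessEvent("app03", "svc", "ssh", "ssh -D 1080 user@jump"),
]

if __name__ == "__main__":
    for e in scan(SAMPLE_EVENTS):
        print(f"ALERT host={e.host} user={e.user} proc={e.process_name}: {e.command_line}")
```

The plain `ssh user@jump` session and the unrelated `grep` are the false-positive cases the investigation guide asks analysts to rule out before escalating.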
Categories
  • Endpoint
  • Linux
  • Cloud
  • On-Premise
Data Sources
  • Container
  • User Account
  • Process
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1572
Created: 2023-08-23