
Potential RDP Tunneling Via SSH

Sigma Rules

Summary
This rule identifies potential Remote Desktop Protocol (RDP) tunneling over SSH: the OpenSSH client (ssh.exe) started on a Windows host with a command line that references the RDP port (":3389"). The detection is built on Windows process-creation events and matches when the image path ends in \ssh.exe and the command line contains the literal string ":3389". That pattern captures the two usual forwarding forms: a remote forward such as -R 3389:127.0.0.1:3389, which publishes the host's own RDP service on an SSH server the attacker controls and so bypasses inbound firewall rules, and a local forward such as -L 13389:<internal host>:3389, which pivots from the compromised host to RDP on another machine reachable from the SSH server. Both are protocol tunneling (MITRE ATT&CK T1572) and are used for persistent interactive access and data exfiltration.

The rule is rated high severity, so any hit should be investigated promptly: confirm who launched ssh.exe, the parent process, the SSH destination, and whether the forwarded endpoint is a known bastion or an external address. False positives are currently listed as unknown; administrators who legitimately tunnel RDP through an SSH jump host will trigger it, so allow-listing by destination host or user account may be needed in environments where that is standard practice.

The match is narrow by design and should be understood as such. It only fires for an image named ssh.exe, so other SSH clients (for example plink.exe) are not covered; it only inspects the command line, so forwards defined in an ssh_config file are not seen; and it keys on the literal ":3389", so an RDP service moved to a non-default port, or a tunnel whose command line spells the port differently, will not match. The rule applies to Windows endpoints and uses process-creation logs as its sole data source; it does not inspect network traffic or cloud telemetry.
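The following is an added example, not the Sigma project's own code, that applies the selection described above to a handful of constructed process-creation events and enriches each hit with the direction of the tunnel, so an analyst can tell an exposed-local-RDP reverse tunnel (-R) from a pivot into an internal host (-L). Event field names, the ProcEvent class and the sample command lines are assumptions made for the illustration; the plink.exe event is included to show a case the rule does not cover.

```python
"""Evaluate the 'Potential RDP Tunneling Via SSH' selection over constructed
Windows process-creation events and explain each hit.  Added example; the
events below are made up and the helper names are not from the Sigma rule."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    """Minimal process-creation record with the two fields the rule consults."""
    image: str          # full path of the created process
    command_line: str   # its command line as logged


# OpenSSH client forwarding options: -L [bind:]port:host:hostport and -R likewise.
# Simplification: the option letter must stand alone (-L / -R), not be bundled (-NR).
FORWARD_RE = re.compile(r"(?<!\S)-(?P<kind>[LR])\s*(?P<spec>\S+)")


def matches_rule(ev: ProcEvent) -> bool:
    """The rule's selection as described: Image ends with \\ssh.exe and the
    CommandLine contains the literal substring ':3389'."""
    return ev.image.lower().endswith("\\ssh.exe") and ":3389" in ev.command_line


def forwarding_specs(command_line: str) -> List[Tuple[str, str]]:
    """Return (direction, spec) for every -L/-R option on the command line."""
    return [("local" if m.group("kind") == "L" else "remote", m.group("spec"))
            for m in FORWARD_RE.finditer(command_line)]


def triage(events: List[ProcEvent]) -> List[dict]:
    """Apply the rule and, for each hit, classify the RDP tunnel it sets up."""
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        # Only forwards whose target port is 3389 are RDP tunnels in the strict sense.
        rdp = [(d, s) for d, s in forwarding_specs(ev.command_line) if s.endswith(":3389")]
        if not rdp:
            tunnel, note = "unknown", "':3389' present but not as a forwarding target; review manually"
        elif rdp[0][0] == "remote":
            tunnel, note = "remote", "-R publishes this host's RDP endpoint on the SSH server (inbound path)"
        else:
            tunnel, note = "local", "-L brings an RDP endpoint behind the SSH server to this host (pivot)"
        alerts.append({
            "image": ev.image,
            "command_line": ev.command_line,
            "tunnel": tunnel,
            "rdp_forwards": [s for _, s in rdp],
            "note": note,
        })
    return alerts


# Constructed sample events (not real telemetry).
OPENSSH = r"C:\Windows\System32\OpenSSH\ssh.exe"
SAMPLE_EVENTS = [
    # 1. reverse tunnel exposing local RDP to an external host: should alert (remote)
    ProcEvent(OPENSSH, "ssh.exe -N -f -R 3389:127.0.0.1:3389 ops@203.0.113.10"),
    # 2. pivot to an internal host's RDP through a bastion: should alert (local)
    ProcEvent(OPENSSH, "ssh.exe -L 13389:10.0.0.5:3389 admin@bastion.corp.example"),
    # 3. ordinary HTTP forward: no ':3389', no alert
    ProcEvent(OPENSSH, "ssh.exe -L 8080:10.0.0.5:80 admin@bastion.corp.example"),
    # 4. same tunnel via plink.exe: outside the rule's image filter, no alert (known gap)
    ProcEvent(r"C:\Tools\plink.exe", "plink.exe -R 3389:127.0.0.1:3389 ops@203.0.113.10"),
    # 5. mixed forwards; only the RDP one is reported
    ProcEvent(OPENSSH, "ssh.exe -L 13389:10.0.0.5:3389 -L 5901:10.0.0.6:5901 admin@bastion"),
]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert['tunnel']:7}] {alert['command_line']}")
        print(f"          forwards={alert['rdp_forwards']} :: {alert['note']}")
```

Running the script prints three alerts (events 1, 2 and 5) and stays silent on the plink.exe event, which is the gap worth remembering when tuning: the rule keys on the image name, not on the behaviour.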
Categories
  • Windows
  • Network
  • Cloud
Data Sources
  • Process
Created: 2022-10-12