
Summary
This detection rule flags programs on Windows hosts that open outbound connections to TCP ports 8080 or 8888, destinations that are uncommon for ordinary user software but popular with malware callbacks, reverse shells and command-and-control frameworks. The rule fires only when the connection is initiated by the local host (outbound) and the destination port is one of the two listed values. To cut noise, it excludes destinations in local, private and reserved address ranges, as well as executables running from common system directories where legitimate software normally lives, so that alerts concentrate on processes in user-writable or otherwise unusual locations reaching out to external hosts. Both ports are also widely used by HTTP proxies, development web servers and administrative consoles, so expect to tune the exclusions for the environment before treating a hit as malicious.
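The logic described above, run over a handful of constructed Sysmon-style network connection records, as an added example that is not part of the original rule or page. It assumes Sysmon Event ID 3 field names (Image, DestinationIp, DestinationPort, Initiated); the specific excluded address ranges and system directory prefixes are assumptions standing in for whatever the real rule lists.

```python
import ipaddress

# Assumed rule parameters (not quoted from the page): the summary names ports
# 8080/8888, outbound (initiated) connections, and exclusions for local/reserved
# addresses and common system directories.
SUSPICIOUS_PORTS = {8080, 8888}

# Assumed set of "local and reserved" ranges the rule filters out.
EXCLUDED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",      # loopback
    "10.0.0.0/8",       # RFC 1918
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16",   # link-local / APIPA
    "0.0.0.0/8",        # "this" network
    "::1/128",          # IPv6 loopback
    "fc00::/7",         # IPv6 unique local
    "fe80::/10",        # IPv6 link-local
)]

# Assumed system directories whose executables the rule ignores (compared
# case-insensitively, since NTFS paths are case-insensitive).
EXCLUDED_IMAGE_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def is_local_or_reserved(ip_str):
    """True if the destination address falls in any excluded range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparseable address: do not silently exclude it
    return any(ip in net for net in EXCLUDED_NETWORKS)


def matches_rule(event):
    """Apply the four conditions: initiated, suspicious port, external
    destination, and image outside the excluded system directories."""
    if str(event.get("Initiated", "")).lower() != "true":
        return False
    try:
        port = int(event.get("DestinationPort", -1))
    except (TypeError, ValueError):
        return False
    if port not in SUSPICIOUS_PORTS:
        return False
    if is_local_or_reserved(event.get("DestinationIp", "")):
        return False
    image = str(event.get("Image", "")).lower()
    return not image.startswith(EXCLUDED_IMAGE_PREFIXES)


def run_detection(events):
    """Return the subset of events that would raise an alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample records; 203.0.113.0/24 and 2001:db8::/32 are
# documentation ranges used here to stand in for external hosts.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "8080", "Initiated": "true"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "8080", "Initiated": "true"},
    {"Image": "C:\\Users\\alice\\Desktop\\tool.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": "8888", "Initiated": "true"},
    {"Image": "C:\\Users\\alice\\Desktop\\tool.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443", "Initiated": "true"},
    {"Image": "C:\\Users\\alice\\srv.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "8888", "Initiated": "false"},
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": "8888", "Initiated": "true"},
    {"Image": "C:\\Users\\bob\\Downloads\\agent.exe",
     "DestinationIp": "2001:db8::1", "DestinationPort": "8888", "Initiated": "true"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']} -> {hit['DestinationIp']}:{hit['DestinationPort']}")
```

Only the first and last records survive the filters: the svchost.exe and Vendor\app.exe connections are dropped by the system directory exclusion, the 10.0.0.5 destination by the local-range exclusion, the port 443 connection by the port list, and the Initiated=false record because it is an inbound connection. Note that the directory exclusion is a trust boundary in its own right: a process that writes into C:\Windows\Temp or a Program Files subfolder it can create would slip past it, so environments with strict application control can afford to narrow those prefixes.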
Categories
- Network
- Endpoint
- Windows
Data Sources
- Network Traffic
Created: 2017-03-19