
Summary
This detection rule targets the use of the 'netsh.exe' tool on Windows to create a port-forwarding configuration (the netsh interface portproxy feature) that relays traffic to the Remote Desktop Protocol (RDP) on port 3389. The rule flags executions of 'netsh' whose command line contains all of 'i', 'p', '=3389' and 'c', which covers the spelled-out form ('interface portproxy add v4tov4 ... connectport=3389') as well as the abbreviated context names netsh accepts. Such a configuration lets an attacker expose RDP on a different listening port or relay it through an already compromised host, bypassing network restrictions that only permit port 3389 from specific sources, and is a common lateral-movement step. The detection matches on either the image path ending in 'netsh.exe' or the executable's OriginalFileName, so a renamed copy of the binary is still caught. The rule is scoped to process creation events. Note that the single-character substrings 'i', 'p' and 'c' add almost no selectivity, so '=3389' carries the signal: legitimate administrative commands that reference that port, for example a firewall rule with 'localport=3389', will match as well, and administrators should expect and triage such false positives.
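The following is an added example, not code from the rule page or the rule's maintainers. It implements the matching logic described above in Python and runs it over a handful of constructed process-creation events (the field names Image, OriginalFileName and CommandLine follow the usual Sysmon/Sigma process-creation schema and are an assumption about the telemetry source). The last two events illustrate the caveats from the summary: a renamed netsh binary is still caught through OriginalFileName, and a firewall rule that merely opens port 3389 also matches.

```python
"""Added example: the netsh RDP port-forwarding detection logic applied to
constructed process-creation events. Not the rule page's own code."""

from dataclasses import dataclass

# Substrings the summary says the rule requires in the command line.
# Matching is case-insensitive, as netsh itself is.
REQUIRED_SUBSTRINGS = ("i", "p", "=3389", "c")


@dataclass
class ProcessEvent:
    # Field names assume a Sysmon/Sigma-style process-creation schema.
    image: str
    original_file_name: str
    command_line: str


def is_netsh(event: ProcessEvent) -> bool:
    """Match on the image path or on the PE OriginalFileName so that a
    renamed copy of netsh.exe is still identified."""
    return (event.image.lower().endswith("\\netsh.exe")
            or event.original_file_name.lower() == "netsh.exe")


def matches_rdp_port_forward(event: ProcessEvent) -> bool:
    """True when a netsh process has every required substring in its
    command line. Only '=3389' is selective; 'i', 'p' and 'c' occur in
    almost any netsh invocation."""
    if not is_netsh(event):
        return False
    cmd = event.command_line.lower()
    return all(sub in cmd for sub in REQUIRED_SUBSTRINGS)


def run_rule(events: list[ProcessEvent]) -> list[bool]:
    """Evaluate the rule over a batch of events; one verdict per event."""
    return [matches_rdp_port_forward(e) for e in events]


NETSH = r"C:\Windows\System32\netsh.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Spelled-out portproxy: expose RDP on 4443 and relay to localhost:3389.
    ProcessEvent(NETSH, "netsh.exe",
                 "netsh interface portproxy add v4tov4 listenport=4443 "
                 "listenaddress=0.0.0.0 connectport=3389 connectaddress=127.0.0.1"),
    # Abbreviated context name, relaying to another host on the network.
    ProcessEvent(NETSH, "netsh.exe",
                 "netsh int portproxy add v4tov4 listenport=4443 "
                 "connectport=3389 connectaddress=10.0.0.5"),
    # Renamed binary: image path does not end in netsh.exe, but the PE
    # OriginalFileName still identifies it.
    ProcessEvent(r"C:\Users\Public\svc.exe", "netsh.exe",
                 "svc.exe interface portproxy add v4tov4 listenport=8443 "
                 "connectport=3389 connectaddress=10.0.0.5"),
    # Benign netsh use: no '=3389' anywhere, so no match.
    ProcessEvent(NETSH, "netsh.exe", "netsh advfirewall show allprofiles"),
    # False positive: a firewall rule that opens RDP contains 'i', 'p', 'c'
    # and '=3389' (in localport=3389) even though it is not a port forward.
    ProcessEvent(NETSH, "netsh.exe",
                 'netsh advfirewall firewall add rule name="Allow RDP" dir=in '
                 "protocol=TCP localport=3389 action=allow"),
    # Same text from a non-netsh process is outside the rule's scope.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
                 "cmd /c echo connectport=3389"),
]

EXPECTED = [True, True, True, False, True, False]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run_rule(SAMPLE_EVENTS)):
        print(f"{'ALERT' if verdict else '  ok '}  {event.command_line}")
```

Running the block prints an ALERT line for the three port-forwarding events and for the firewall rule, and an ok line for the two remaining events. If the firewall-rule false positive is noisy in your environment, tightening the command-line condition to require 'portproxy' (or its abbreviation) alongside '=3389' removes it without losing the portproxy cases shown here.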
Categories
- Windows
Data Sources
- Process
Created: 2019-01-29