
Summary
This rule detects the execution of IOX, a tunneling tool commonly used for port forwarding and as an intranet proxy. It monitors process creation events on Windows systems and applies multiple criteria to identify potentially malicious activity: it checks for invocation of the IOX executable ('iox.exe'), inspects the command-line arguments of that execution for parameters that drive tunneling operations (such as 'fwd' and 'proxy'), and matches the image against a list of known hashes of the IOX executable to improve accuracy. Because legitimate use of the tool is possible, the rule can produce false positives, so detected instances need careful review.
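As an added illustration of the logic described above (not the rule's own code), the following Python re-implementation evaluates constructed process-creation events against the three criteria and reports which ones fired, which is what an analyst reviewing a hit for false positives wants to see. It assumes the hash list is a placeholder (the page does not list the hashes), that the tunneling parameter is the first argument after the executable, and that the criteria combine as OR.

```python
"""Added example (not the rule's own code): a minimal re-implementation of the
detection logic described above, run over constructed process-creation events."""
from dataclasses import dataclass
import shlex

# The page says the rule carries known IOX hashes but does not list them; placeholder only.
KNOWN_IOX_HASHES = {"<placeholder_sha256_of_iox_exe>"}
TUNNEL_SUBCOMMANDS = {"fwd", "proxy"}   # the parameters named on the page


@dataclass
class ProcessEvent:
    image: str           # full path of the created process
    command_line: str    # command line as logged
    sha256: str = ""     # image hash, if the event source provides one


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(command_line: str) -> list[str]:
    # posix=False leaves Windows backslashes alone; surrounding quotes are stripped afterwards
    return [t.strip('"') for t in shlex.split(command_line, posix=False)]


def evaluate(event: ProcessEvent) -> list[str]:
    """Return the rule criteria the event satisfies; an empty list means no match."""
    reasons = []
    if _basename(event.image) == "iox.exe":
        reasons.append("image_name")
    toks = _tokens(event.command_line)
    # Assumption: the tunneling parameter is the first argument after the executable.
    if len(toks) >= 2 and toks[1].lower() in TUNNEL_SUBCOMMANDS:
        reasons.append("tunnel_subcommand")
    if event.sha256 and event.sha256.lower() in KNOWN_IOX_HASHES:
        reasons.append("known_hash")
    return reasons


def is_match(event: ProcessEvent) -> bool:
    return bool(evaluate(event))   # criteria are OR-ed (an assumption about the rule)


# Constructed sample events; argument values are illustrative, not IOX's real syntax.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\Public\iox.exe", r'"C:\Users\Public\iox.exe" fwd -l 0.0.0.0:8080'),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Temp\notes.txt"),
    ProcessEvent(r"C:\Temp\svc.exe", r"svc.exe proxy -l 1080", "<placeholder_sha256_of_iox_exe>"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:   # printing the reasons supports the false-positive review
        print(f"{'MATCH' if is_match(ev) else 'ok   '} {ev.image}  {evaluate(ev)}")
```

The third event shows why the hash and command-line criteria matter: a renamed copy of the binary never satisfies the image-name check, yet still surfaces with the reasons an analyst needs for triage.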
Categories
- Windows
- Endpoint
- Network
Data Sources
- Process
Created: 2022-10-08