
Summary
This detection rule targets execution of the Visual Studio Code (VS Code) tunnel feature from a renamed binary, a potential vector for command-and-control (C2) communication by threat actors. It looks for processes whose command line ends in '.exe tunnel' or includes common tunnel-related arguments such as '--name ' and '--accept-server-license-terms'. The rule also covers instances where specific parent processes launch the tunnel, focusing on cases where the original VS Code executables ('code-tunnel.exe' or 'code.exe') have been renamed. By evaluating these command-line arguments and parent processes, the detection attempts to separate legitimate tunnel use from malicious activity that abuses the tunneling feature to create unauthorized channels for remote control. The rule is rated high severity because such activity can provide unauthorized remote access to the targeted environment.
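As an added example (not the rule's own logic or code from its project), the matching conditions described above applied to a few constructed process-creation events. The field names (Image, CommandLine, ParentImage) follow Sysmon-style events and are an assumption, as is treating any executable name other than 'code.exe' or 'code-tunnel.exe' as renamed.

```python
import ntpath

# Field names follow Sysmon-style process-creation events (assumption).
# Stock VS Code binary names cited by the rule; any other name running a tunnel is "renamed".
STOCK_VSCODE_BINARIES = {"code.exe", "code-tunnel.exe"}
TUNNEL_ARGUMENTS = ("--name ", "--accept-server-license-terms")

def is_tunnel_command_line(command_line: str) -> bool:
    """Selection as the rule describes it: ends in '.exe tunnel' or has both arguments.
    The suffix test does not fire on a quoted image path ('...code.exe" tunnel')."""
    cl = command_line.lower()
    return cl.endswith(".exe tunnel") or all(arg in cl for arg in TUNNEL_ARGUMENTS)

def is_renamed_tunnel_execution(event: dict) -> bool:
    """True for a tunnel command line whose executing image is not a stock VS Code name."""
    if not is_tunnel_command_line(event.get("CommandLine", "")):
        return False
    image_name = ntpath.basename(event.get("Image", "")).lower()
    return image_name not in STOCK_VSCODE_BINARIES

def triage(events: list) -> list:
    """Return (image, parent image) per hit so the launching parent can be reviewed."""
    return [(e["Image"], e.get("ParentImage", "")) for e in events if is_renamed_tunnel_execution(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # legitimate: stock binary starting a tunnel -> not flagged
        "Image": r"C:\Program Files\Microsoft VS Code\code.exe",
        "CommandLine": r'"C:\Program Files\Microsoft VS Code\code.exe" tunnel --accept-server-license-terms --name dev-box',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {  # renamed binary carrying both tunnel arguments -> flagged
        "Image": r"C:\Users\Public\svchost.exe",
        "CommandLine": r"svchost.exe tunnel --accept-server-license-terms --name build-agent",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {  # renamed binary, bare '.exe tunnel' form -> flagged
        "Image": r"C:\Temp\update.exe",
        "CommandLine": r"C:\Temp\update.exe tunnel",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {  # unrelated process -> not flagged
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

for image, parent in triage(SAMPLE_EVENTS):
    print(f"renamed VS Code tunnel: {image} (parent: {parent})")
```

The parent image is carried through to the output because the description ties the rule to specific launching parents; which parents those are is not stated here, so the example reports the parent for review rather than filtering on it.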
Categories
- Windows
- Cloud
- Application
Data Sources
- Process
Created: 2023-09-28