RDP over Reverse SSH Tunnel WFP

Sigma Rules

Summary
This detection rule identifies the Remote Desktop Protocol (RDP) service being used over a reverse SSH tunnel. It looks for the 'svchost' process hosting the RDP service (termsvcs) while communicating with loopback addresses, a pattern that can indicate unauthorized remote administrative access. The rule is built on Event ID 5156 from the Windows Security log and targets connections initiated from or directed to local loopback addresses (127.x.x.x or ::1) on the standard RDP port (3389). It also filters out specific known-benign applications, such as 'thor.exe', to reduce false positives.
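As an added example, not part of the rule page or the Sigma project's own code, the matching logic described above is re-implemented in Python and run over a handful of constructed Event ID 5156 records. The field names (Application, SourceAddress, SourcePort, DestAddress, DestPort) follow the EventData of the Windows Security event; the sample records, the svchost.exe and ssh.exe paths, and the IP addresses are all constructed for illustration. The selection checks for port 3389 and a loopback address on either side of the connection, which covers both the "initiated from" and "directed to" cases in the summary, then applies the thor.exe filter.

```python
import ipaddress

RDP_PORT = 3389

# Images the rule summary treats as known-benign on this port (case-insensitive
# suffix match). Only thor.exe is named on the page.
BENIGN_IMAGE_SUFFIXES = ("\\thor.exe",)


def is_loopback(addr: str) -> bool:
    """True for 127.x.x.x and ::1, the address ranges the rule targets."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:          # empty or malformed field: do not match
        return False


def _port(value) -> int:
    """Event 5156 carries ports as strings in the event XML; normalise to int."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return -1


def matches_rule(event: dict) -> bool:
    """Selection from the summary: Event ID 5156, RDP port 3389 on either side,
    a loopback address on either side, minus the thor.exe filter."""
    if event.get("EventID") != 5156:
        return False
    on_rdp_port = RDP_PORT in (_port(event.get("SourcePort")),
                               _port(event.get("DestPort")))
    via_loopback = (is_loopback(event.get("SourceAddress", ""))
                    or is_loopback(event.get("DestAddress", "")))
    if not (on_rdp_port and via_loopback):
        return False
    image = event.get("Application", "").lower()
    return not image.endswith(BENIGN_IMAGE_SUFFIXES)


def run_detection(events):
    """Return one alert per matching event, keeping the fields an analyst needs
    to confirm that svchost.exe (termsvcs) is the loopback RDP endpoint."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({
                "Application": ev["Application"],
                "Source": f'{ev["SourceAddress"]}:{ev["SourcePort"]}',
                "Destination": f'{ev["DestAddress"]}:{ev["DestPort"]}',
            })
    return alerts


# Constructed sample records (not real telemetry), shaped like the parsed
# EventData of Security event 5156.
SAMPLE_EVENTS = [
    # RDP listener in svchost talking to a loopback peer on port 3389: match
    {"EventID": 5156, "Application": r"\device\harddiskvolume2\windows\system32\svchost.exe",
     "SourceAddress": "127.0.0.1", "SourcePort": "3389",
     "DestAddress": "127.0.0.1", "DestPort": "49512"},
    # client side of a loopback connection to the RDP port (IPv6 loopback): match
    {"EventID": 5156, "Application": r"\device\harddiskvolume2\windows\system32\openssh\ssh.exe",
     "SourceAddress": "::1", "SourcePort": "49700",
     "DestAddress": "::1", "DestPort": "3389"},
    # known-benign application named by the rule's filter: suppressed
    {"EventID": 5156, "Application": r"\device\harddiskvolume2\tools\thor.exe",
     "SourceAddress": "127.0.0.1", "SourcePort": "3389",
     "DestAddress": "127.0.0.1", "DestPort": "50001"},
    # ordinary RDP session from the LAN, no loopback address: no match
    {"EventID": 5156, "Application": r"\device\harddiskvolume2\windows\system32\svchost.exe",
     "SourceAddress": "10.0.0.5", "SourcePort": "3389",
     "DestAddress": "10.0.0.20", "DestPort": "51000"},
    # loopback traffic on another port: no match
    {"EventID": 5156, "Application": r"\device\harddiskvolume2\windows\system32\svchost.exe",
     "SourceAddress": "127.0.0.1", "SourcePort": "8080",
     "DestAddress": "127.0.0.1", "DestPort": "52000"},
    # different event id with otherwise matching fields: no match
    {"EventID": 5158, "Application": r"\device\harddiskvolume2\windows\system32\svchost.exe",
     "SourceAddress": "127.0.0.1", "SourcePort": "3389",
     "DestAddress": "127.0.0.1", "DestPort": "53000"},
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints the two alerts (the svchost.exe listener and the ssh.exe client); the thor.exe record is suppressed by the filter, and the LAN session, the non-RDP loopback flow and the non-5156 event never enter the selection.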
Categories
  • Windows
  • Network
  • Endpoint
Data Sources
  • Windows Registry
  • Network Traffic
Created: 2019-02-16