
Summary
This rule detects potentially malicious SSH connections that use non-standard ports, such as 2200 or 2222, instead of the conventional port 22. Adversaries might choose non-standard ports to evade detection mechanisms and obscure network traffic analysis. The detection method is a sequence-based query: it monitors processes started by SSH or SSHD, filters out benign processes, and then tracks any network connection those processes attempt on these atypical ports. The rule prioritizes detection of unusual activity that could signify a command and control (C2) attempt.
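The sequence logic described above, as an added illustration rather than the rule's own query: an ssh/sshd process start followed by a network connection from the same process to a port other than 22. The event format, the 60-second window, the destination allow-list standing in for the benign-process filter, and the sample events are all assumptions constructed for this example.

```python
SSH_PROCESSES = {"ssh", "sshd"}
STANDARD_SSH_PORT = 22
MAX_SPAN_SECONDS = 60  # assumed maximum gap between process start and connection
# Hypothetical allow-list standing in for the rule's benign-process filter.
ALLOWED_DESTINATIONS = {"10.0.0.5"}


def find_nonstandard_ssh_connections(events, max_span=MAX_SPAN_SECONDS):
    """Return (pid, name, dest, dport) for each ssh/sshd process that connects
    to a non-22 port within max_span seconds of starting. Events are assumed
    to arrive in time order, so the process start must precede the connection."""
    starts = {}  # pid -> (process name, start timestamp) for ssh/sshd starts
    alerts = []
    for ev in events:
        if ev["kind"] == "process":
            if ev["name"] in SSH_PROCESSES:
                starts[ev["pid"]] = (ev["name"], ev["ts"])
            continue
        start = starts.get(ev["pid"])
        if start is None:
            continue  # connection with no preceding ssh/sshd start: outside the sequence
        name, started_at = start
        if ev["ts"] - started_at > max_span:
            continue  # too late to be the second step of the sequence
        if ev["dport"] == STANDARD_SSH_PORT or ev["dest"] in ALLOWED_DESTINATIONS:
            continue  # benign: standard port or allow-listed destination
        alerts.append((ev["pid"], name, ev["dest"], ev["dport"]))
    return alerts


# Constructed sample telemetry (not from any real host); 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"kind": "process", "ts": 0, "pid": 101, "name": "sshd"},
    {"kind": "network", "ts": 1, "pid": 101, "name": "sshd", "dest": "203.0.113.9", "dport": 22},
    {"kind": "process", "ts": 5, "pid": 202, "name": "ssh"},
    {"kind": "network", "ts": 6, "pid": 202, "name": "ssh", "dest": "203.0.113.9", "dport": 2222},
    {"kind": "process", "ts": 7, "pid": 303, "name": "curl"},
    {"kind": "network", "ts": 8, "pid": 303, "name": "curl", "dest": "203.0.113.9", "dport": 2200},
    {"kind": "network", "ts": 9, "pid": 404, "name": "ssh", "dest": "203.0.113.9", "dport": 2200},
    {"kind": "process", "ts": 10, "pid": 505, "name": "ssh"},
    {"kind": "network", "ts": 11, "pid": 505, "name": "ssh", "dest": "10.0.0.5", "dport": 2200},
    {"kind": "process", "ts": 12, "pid": 606, "name": "sshd"},
    {"kind": "network", "ts": 100, "pid": 606, "name": "sshd", "dest": "203.0.113.9", "dport": 2200},
    {"kind": "process", "ts": 13, "pid": 707, "name": "sshd"},
    {"kind": "network", "ts": 14, "pid": 707, "name": "sshd", "dest": "203.0.113.9", "dport": 2200},
]

if __name__ == "__main__":
    for pid, name, dest, dport in find_nonstandard_ssh_connections(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} process={name} dest={dest}:{dport}")
```

Only pids 202 and 707 fire: 101 used port 22, 303 is not ssh, 404 had no observed process start, 505 hit an allow-listed destination, and 606 connected outside the window.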
Categories
- Endpoint
- Network
Data Sources
- Process
- Network Traffic
ATT&CK Techniques
- T1571
Created: 2022-10-18