
RDP to HTTP or HTTPS Target Ports

Sigma Rules

Summary
This detection rule identifies unauthorized RDP (Remote Desktop Protocol) connections that are tunneled through HTTP (Hypertext Transfer Protocol) or HTTPS (HTTP Secure) ports, specifically TCP ports 80 and 443. It looks for the 'svchost.exe' process, which hosts various Windows services including the RDP service, establishing connections to external systems on these ports. Such behavior may indicate an attempt to bypass network restrictions or to stealthily establish a remote control channel. The detection triggers when the RDP service (listening on port 3389) initiates outbound connections to these common web ports, which can signal lateral movement or command-and-control tactics used by attackers. The rule is meant to help security teams identify and respond to this kind of suspicious activity, especially in environments where misuse of RDP carries significant risk.
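The following is an added example, not the rule's own YAML or any project code, that re-implements the logic the summary describes and runs it over constructed sample events. The page names no log fields; the example assumes records shaped like parsed Sysmon Event ID 3 (NetworkConnect) events with Sysmon's field names (Image, Initiated, SourcePort, DestinationPort). The sample IPs and values are made up. The point the samples make is that svchost.exe talking to port 443 is routine on Windows (update traffic, for instance), so the source port 3389 plus the outbound direction are what give the rule its precision.

```python
"""Added example: stand-alone re-implementation of the 'RDP to HTTP or HTTPS
Target Ports' detection logic, run over constructed Sysmon-style events."""

from typing import Iterable

RDP_SOURCE_PORT = 3389          # port the RDP service (hosted in svchost.exe) listens on
WEB_TARGET_PORTS = {80, 443}    # HTTP / HTTPS destination ports named by the rule

# Constructed sample records shaped like parsed Sysmon Event ID 3 (NetworkConnect)
# events. Field names follow Sysmon's schema (an assumption; the page names none),
# IPs are from documentation ranges and every value is made up.
SAMPLE_EVENTS = [
    # 1: RDP service socket (source 3389) connecting outbound to 443 -> should match
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true",
     "SourceIp": "10.0.0.5", "SourcePort": 3389,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # 2: same pattern to port 80, ports delivered as strings by the log pipeline -> match
    {"EventID": 3, "Image": r"C:\WINDOWS\system32\SVCHOST.EXE", "Initiated": "true",
     "SourceIp": "10.0.0.5", "SourcePort": "3389",
     "DestinationIp": "198.51.100.7", "DestinationPort": "80"},
    # 3: ordinary inbound RDP session (remote side connected to 3389) -> no match
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "Initiated": "false",
     "SourceIp": "10.0.0.5", "SourcePort": 3389,
     "DestinationIp": "10.0.0.9", "DestinationPort": 51234},
    # 4: svchost speaking HTTPS from an ephemeral port (e.g. Windows Update) -> no match
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true",
     "SourceIp": "10.0.0.5", "SourcePort": 49731,
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
    # 5: RDP client connecting to a server: different image, destination is 3389 -> no match
    {"EventID": 3, "Image": r"C:\Windows\System32\mstsc.exe", "Initiated": "true",
     "SourceIp": "10.0.0.5", "SourcePort": 49800,
     "DestinationIp": "10.0.0.9", "DestinationPort": 3389},
    # 6: RDP socket to a non-web port -> outside this rule's scope, no match
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true",
     "SourceIp": "10.0.0.5", "SourcePort": 3389,
     "DestinationIp": "203.0.113.30", "DestinationPort": 8080},
]


def _port(value):
    """Normalise a port that may arrive as int or string; None if unparsable."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def is_rdp_to_web_port(event: dict) -> bool:
    """True when the event matches the rule: svchost.exe, outbound (Initiated),
    source port 3389, destination port 80 or 443."""
    if event.get("EventID") != 3:
        return False
    image = str(event.get("Image", "")).lower()
    if not image.endswith("\\svchost.exe"):
        return False
    if str(event.get("Initiated", "")).lower() != "true":
        return False
    return (_port(event.get("SourcePort")) == RDP_SOURCE_PORT
            and _port(event.get("DestinationPort")) in WEB_TARGET_PORTS)


def find_matches(events: Iterable[dict]) -> list:
    """Return the events that trigger the rule, in input order."""
    return [e for e in events if is_rdp_to_web_port(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT {hit['SourceIp']}:{hit['SourcePort']} -> "
              f"{hit['DestinationIp']}:{hit['DestinationPort']} via {hit['Image']}")
```

Running the script flags only events 1 and 2. Events 3 to 6 show the three conditions the rule combines: the direction check rules out normal inbound RDP sessions, the source port check rules out svchost's own legitimate web traffic, and the destination port set keeps the rule scoped to HTTP and HTTPS.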
Categories
  • Network
  • Endpoint
  • Windows
Data Sources
  • Network Traffic
  • Process
Created: 2022-04-29