
Summary
This detection rule identifies shells (such as PowerShell and Bash) being launched through a Visual Studio Code tunnel. VS Code's remote tunneling feature lets a remote VS Code client open a terminal on the tunnelled machine, so an attacker who controls the tunnel can use it as a command-and-control (C2) channel and run arbitrary commands on the compromised host. The rule matches process creation events whose parent process belongs to VS Code's remote tunnel server and whose child image is a common shell executable. It constrains the parent image and the command lines with specific patterns to minimize false positives while still surfacing shell spawns that may indicate C2 activity. Legitimate remote-development use of tunnels produces the same parent/child pattern (a developer opening an integrated terminal), so hits should be triaged against whether the user and host are expected to use VS Code tunnels at all.
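The parent/child matching logic the summary describes, run over a handful of constructed Windows process-creation events. This is an added example, not the rule's own logic or code: the path markers (a node.exe image under a `.vscode\cli\servers\` or `.vscode-server` directory) and the list of shell executables are assumptions chosen for illustration, not the rule's actual patterns.

```python
"""Added example: parent/child matching for shells spawned by a VS Code tunnel server.

The patterns below are assumptions for illustration (not taken from the rule):
  - the tunnel server is assumed to run as node.exe from a directory under
    ".vscode\\cli\\servers\\" or ".vscode-server\\";
  - a child is flagged when its image is one of a few common shell executables.
"""
from dataclasses import dataclass

# Assumed patterns (not the rule's own values).
PARENT_IMAGE_SUFFIX = "\\node.exe"
PARENT_PATH_MARKERS = ("\\.vscode\\cli\\servers\\", "\\.vscode-server\\")
SHELL_IMAGES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\bash.exe")


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of a Windows process-creation event (e.g. Sysmon Event ID 1)."""
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


def is_vscode_tunnel_parent(ev: ProcessEvent) -> bool:
    """Parent must be node.exe launched from an assumed VS Code server directory.

    The marker is searched in both the parent image path and the parent command
    line, since either may carry the server location depending on the logger.
    """
    parent = ev.parent_image.lower()
    if not parent.endswith(PARENT_IMAGE_SUFFIX):
        return False
    haystack = parent + " " + ev.parent_command_line.lower()
    return any(marker in haystack for marker in PARENT_PATH_MARKERS)


def is_shell_child(ev: ProcessEvent) -> bool:
    """Child image must be one of the assumed shell executables."""
    return ev.image.lower().endswith(SHELL_IMAGES)


def matches(ev: ProcessEvent) -> bool:
    return is_vscode_tunnel_parent(ev) and is_shell_child(ev)


def evaluate(events):
    """Return the events that the detection logic would flag."""
    return [ev for ev in events if matches(ev)]


# Constructed sample events (hypothetical paths, users and commands).
SERVER = "C:\\Users\\alice\\.vscode\\cli\\servers\\Stable-abc123\\server\\node.exe"
SAMPLE_EVENTS = [
    # 1. Tunnel server spawning PowerShell: should match.
    ProcessEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe", SERVER, f"\"{SERVER}\" --port=0"),
    # 2. Tunnel server spawning another node.exe (extension host): not a shell.
    ProcessEvent(SERVER, f"\"{SERVER}\" --type=extensionHost", SERVER,
                 f"\"{SERVER}\" --port=0"),
    # 3. Ordinary Node.js app spawning cmd.exe: parent lacks the VS Code marker.
    ProcessEvent("C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir",
                 "C:\\Program Files\\nodejs\\node.exe", "node.exe app.js"),
    # 4. Explorer spawning PowerShell: unrelated parent.
    ProcessEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe", "C:\\Windows\\explorer.exe", "explorer.exe"),
    # 5. Tunnel server spawning bash with an inline command: should match.
    ProcessEvent("C:\\Program Files\\Git\\bin\\bash.exe", "bash.exe -c whoami",
                 SERVER, f"\"{SERVER}\" --port=0"),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"FLAGGED: {hit.parent_image} -> {hit.image} [{hit.command_line}]")
```

Events 1 and 5 are flagged; event 2 shows why the child-image constraint matters (the server legitimately spawns more node.exe processes), and events 3 and 4 show the parent-path constraint excluding shells launched by unrelated node.exe instances and by the desktop shell.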
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2023-10-25