
Summary
This detection rule identifies Remote Desktop Protocol (RDP) traffic being tunneled over a reverse SSH connection, a technique used for command and control (C2) and lateral movement. It keys on the svchost.exe instance that hosts the RDP service (the `termsvcs` service group, i.e. `svchost.exe -k termsvcs`, which hosts TermService) and looks for TCP connections on port 3389 whose peer is a loopback address (127.0.0.0/8 or ::1). Under normal conditions the RDP service talks to remote clients, so a port 3389 session with the loopback address on the other end suggests that RDP clients are arriving through a local tunnel endpoint, typically a reverse SSH tunnel that forwards a port on the attacker's side to 127.0.0.1:3389 on the host. Attackers favour this because it hides interactive access inside a trusted service and protocol and lets them keep a foothold on compromised systems. Given the sensitivity of RDP access, the rule is assigned a high severity so that matches receive immediate attention; legitimate loopback RDP is rare, so any hit should be reviewed together with the process that initiated the loopback connection (for example an ssh or plink client) to confirm the tunnel.
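The detection logic described above, re-implemented as a small Python filter over constructed Sysmon Event ID 3 (network connection) style records. This is an added example, not the rule's own code or query language. The sample events are fabricated for the example, and the `CommandLine` field is an assumption: Sysmon's network event does not carry it, so the example assumes it has been joined in from the matching process-creation event, as EDR telemetry commonly does.

```python
import ipaddress
from typing import Iterable, List

RDP_PORT = 3389

# Constructed Sysmon Event ID 3 style records (fabricated for this example).
# Field names mirror Sysmon's; "CommandLine" is assumed to be enriched from
# the process-creation event, since the network event itself lacks it.
SAMPLE_EVENTS = [
    # RDP service accepting a session whose peer is the IPv4 loopback address
    {"RecordId": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k termsvcs",
     "Protocol": "tcp", "Initiated": "true",
     "SourceIp": "127.0.0.1", "SourcePort": 3389,
     "DestinationIp": "127.0.0.1", "DestinationPort": 49812},
    # Normal RDP session from a LAN client: peer is not loopback, no alert
    {"RecordId": 2, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k termsvcs",
     "Protocol": "tcp", "Initiated": "true",
     "SourceIp": "10.1.2.3", "SourcePort": 3389,
     "DestinationIp": "10.1.2.50", "DestinationPort": 51000},
    # Client half of the loopback session; the rule keys on the service side
    {"RecordId": 3, "Image": r"C:\Windows\System32\mstsc.exe",
     "CommandLine": "mstsc.exe /v:127.0.0.1",
     "Protocol": "tcp", "Initiated": "true",
     "SourceIp": "127.0.0.1", "SourcePort": 49812,
     "DestinationIp": "127.0.0.1", "DestinationPort": 3389},
    # A different svchost service group talking to loopback: not termsvcs
    {"RecordId": 4, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "Protocol": "tcp", "Initiated": "true",
     "SourceIp": "127.0.0.1", "SourcePort": 50001,
     "DestinationIp": "127.0.0.1", "DestinationPort": 3389},
    # Same pattern over the IPv6 loopback address
    {"RecordId": 5, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k termsvcs",
     "Protocol": "tcp", "Initiated": "true",
     "SourceIp": "::1", "SourcePort": 3389,
     "DestinationIp": "::1", "DestinationPort": 50444},
    # IPv4-mapped IPv6 form of the loopback address, as some stacks log it
    {"RecordId": 6, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k termsvcs",
     "Protocol": "tcp", "Initiated": "true",
     "SourceIp": "::ffff:127.0.0.1", "SourcePort": 3389,
     "DestinationIp": "::ffff:127.0.0.1", "DestinationPort": 50445},
]


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the IPv4-mapped ::ffff:127.x.x.x form."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # IPv6Address exposes ipv4_mapped; unwrap it so ::ffff:127.0.0.1 matches
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_loopback


def is_rdp_over_reverse_tunnel(ev: dict) -> bool:
    """Mirror of the rule: svchost.exe hosting termsvcs, a TCP connection it
    initiated, port 3389 on one end, and the peer on a loopback address."""
    if not ev.get("Image", "").lower().endswith("\\svchost.exe"):
        return False
    if "termsvcs" not in ev.get("CommandLine", "").lower():
        return False
    if ev.get("Protocol", "").lower() != "tcp":
        return False
    if str(ev.get("Initiated", "")).lower() != "true":
        return False
    # Sysmon records the listening service's port as SourcePort on its side;
    # accept 3389 on either end so the client half is not silently dropped.
    if RDP_PORT not in (ev.get("SourcePort"), ev.get("DestinationPort")):
        return False
    return is_loopback(ev.get("DestinationIp", ""))


def detect(events: Iterable[dict]) -> List[int]:
    """Return the RecordIds of events that match the rule."""
    return [ev["RecordId"] for ev in events if is_rdp_over_reverse_tunnel(ev)]


if __name__ == "__main__":
    for rid in detect(SAMPLE_EVENTS):
        print(f"ALERT (high): RDP over loopback via svchost termsvcs, RecordId={rid}")
```

Records 1, 5 and 6 fire; the LAN session (2) and the unrelated svchost group (4) do not, and the mstsc.exe record (3) is ignored because the rule keys on the service side of the connection. In triage, the natural next step is to find that other half: the process that initiated the loopback connection to port 3389 (an ssh or plink client in the reverse-tunnel case) identifies the tunnel endpoint.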
Categories
- Network
- Endpoint
- Windows
Data Sources
- Process
- Network Traffic
- User Account
Created: 2019-02-16