Proxy Execution via Windows OpenSSH

Elastic Detection Rules

Summary
This detection rule, authored by Elastic, identifies potentially malicious attempts to execute commands through the Windows OpenSSH client. Such activity may indicate an effort to bypass application control by routing execution through a trusted, Microsoft-signed binary. The rule triggers when an SSH client process, such as `ssh.exe` or `sftp.exe`, is started with command-line arguments that suggest suspicious use (for example, invoking PowerShell, or referencing scripts or HTTP). A match indicates that SSH may be acting as a proxy for operations that application control would otherwise block. Analysts are advised to investigate the user credentials involved, look for related suspicious activity on the host, validate the legitimacy of the actions taken, and confirm that the execution is not part of routine administrative work. If the activity is confirmed malicious, the recommended response includes isolating the affected host, running malware scans, and resetting any compromised accounts. The rule is classified as high severity with a risk score of 73 and maps to defense evasion tactics in the MITRE ATT&CK framework.
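To make the triggering condition concrete, the following is an added example that approximates the logic described above over a handful of constructed process events. It is not the Elastic rule's own EQL/KQL query, and the exact indicator patterns (PowerShell, script file extensions, HTTP URLs) and the event field names are assumptions chosen to mirror the summary.

```python
"""Approximation of the 'Proxy Execution via Windows OpenSSH' detection logic.

Added example, not the Elastic rule's own query. It flags ssh.exe / sftp.exe
process-creation events whose command line references PowerShell, a script,
or HTTP, as the rule summary describes. The regexes below are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# The rule scopes to the Windows OpenSSH client binaries named in the summary.
SSH_CLIENTS = {"ssh.exe", "sftp.exe"}

# Assumed indicator families, one case-insensitive regex each.
SUSPICIOUS_ARG_PATTERNS = {
    "powershell": re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I),
    "script": re.compile(r"\.(ps1|bat|cmd|vbs|js|hta)\b", re.I),
    "http": re.compile(r"\bhttps?://", re.I),
}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names are assumptions)."""
    process_name: str
    command_line: str
    user: str
    parent_name: str


@dataclass
class Alert:
    event: ProcessEvent
    reasons: List[str]


def classify(event: ProcessEvent) -> Optional[Alert]:
    """Return an Alert when an SSH client is launched with suspicious args."""
    if event.process_name.lower() not in SSH_CLIENTS:
        return None  # other binaries are out of scope for this rule
    reasons = [
        name for name, rx in SUSPICIOUS_ARG_PATTERNS.items()
        if rx.search(event.command_line)
    ]
    return Alert(event, reasons) if reasons else None


def run_detection(events: List[ProcessEvent]) -> List[Alert]:
    """Evaluate every event and keep only the ones that fire."""
    return [a for a in (classify(e) for e in events) if a is not None]


def triage_summary(alert: Alert) -> str:
    """Fields an analyst needs first: who ran it, from where, and why it fired."""
    e = alert.event
    return (f"user={e.user} parent={e.parent_name} process={e.process_name} "
            f"reasons={','.join(alert.reasons)}")


# Constructed sample events: two that should fire, three that should not.
SAMPLE_EVENTS = [
    ProcessEvent("ssh.exe",
                 r"ssh.exe host powershell.exe -NoProfile -File C:\ProgramData\task.ps1",
                 "CORP\\jdoe", "explorer.exe"),
    ProcessEvent("sftp.exe",
                 "sftp.exe -b https://files.example.test/batch.txt admin@host",
                 "CORP\\jdoe", "cmd.exe"),
    ProcessEvent("ssh.exe", "ssh.exe -p 22 deploy@build.example.test",
                 "CORP\\ci", "services.exe"),
    ProcessEvent("powershell.exe", r"powershell.exe -File C:\Scripts\backup.ps1",
                 "CORP\\backup", "taskeng.exe"),
    ProcessEvent("ssh.exe", "ssh.exe -T ops@bastion.example.test",
                 "CORP\\ops", "WindowsTerminal.exe"),
]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(triage_summary(alert))
```

Running the block prints one triage line per firing event; the benign SSH session and the stand-alone PowerShell launch are correctly ignored, which is the scoping analysts rely on when this rule is tuned against routine administrative use.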
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • Windows Registry
  • Process
  • Application Log
  • Network Traffic
  • User Account
  • Cloud Service
ATT&CK Techniques
  • T1202
Created: 2025-08-21