
Summary
This detection rule identifies potential tunneling activity by monitoring PowerShell script blocks that create TCP socket listeners. It looks specifically for references to the .NET classes `System.Net.HttpWebRequest` and `System.Net.Sockets.TcpListener`, which are commonly used when building TCP tunnels. Anomalous use of these classes can indicate that an attacker is establishing a covert communication channel and redirecting command and control (C2) traffic through what appears to be a legitimate channel. The rule applies to Windows systems where PowerShell Script Block Logging is enabled, which records the content of executed script blocks so that analysts can inspect PowerShell execution for indicators of suspicious behavior. By filtering for script blocks that contain these classes and their methods, the rule flags potential malicious activity. It helps strengthen the security posture against threats that use Windows PowerShell to establish undisclosed communication channels.
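The following is an added example of the matching logic described above, written here for illustration and not taken from the rule itself. It assumes Script Block Logging records with the field names carried by Event ID 4104 (`ScriptBlockId`, `MessageNumber`, `MessageTotal`, `ScriptBlockText`) and constructs a few sample events inline. It goes slightly beyond the rule text in two ways: it reassembles multi-part script blocks before matching, so a class name split across fragments is still caught, and it accepts the short `Net.Sockets.TcpListener` form that PowerShell allows when the `System.` prefix is omitted.

```python
import re
from collections import defaultdict

# Indicators named by the rule, as case-insensitive patterns (PowerShell is
# case-insensitive). The optional "System." prefix is an extension added here:
# PowerShell type literals may omit it, e.g. [Net.Sockets.TcpListener].
INDICATORS = {
    "TcpListener": re.compile(r"\b(?:System\.)?Net\.Sockets\.TcpListener\b", re.IGNORECASE),
    "HttpWebRequest": re.compile(r"\b(?:System\.)?Net\.HttpWebRequest\b", re.IGNORECASE),
}

# Constructed sample records shaped like Script Block Logging events (Event ID 4104,
# Microsoft-Windows-PowerShell/Operational). Long scripts are logged as several
# fragments that share a ScriptBlockId and are numbered MessageNumber of MessageTotal.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Windows\\Temp | Sort-Object Length"},
    # Fragments arrive out of order and split the class name across the boundary.
    {"ScriptBlockId": "b2", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "TcpListener(8080); $l.Start()"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$l = New-Object System.Net.Sockets."},
    {"ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "[Net.Sockets.TcpListener]$srv = $null; "
                        "$req = [System.Net.HttpWebRequest]::Create('https://example.invalid/')"},
    {"ScriptBlockId": "d4", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Invoke-WebRequest -Uri https://example.invalid/update -OutFile u.zip"},
]


def reassemble(events):
    """Join 4104 fragments into one script block per ScriptBlockId, in MessageNumber order."""
    parts = defaultdict(list)
    for ev in events:
        parts[ev["ScriptBlockId"]].append((ev["MessageNumber"], ev["ScriptBlockText"]))
    return {sbid: "".join(text for _, text in sorted(frags)) for sbid, frags in parts.items()}


def match_indicators(script_text):
    """Return the sorted names of the tunneling indicators referenced in a script block."""
    return sorted(name for name, pattern in INDICATORS.items() if pattern.search(script_text))


def detect(events):
    """Map ScriptBlockId -> matched indicators for every block referencing at least one."""
    hits = {}
    for sbid, text in reassemble(events).items():
        found = match_indicators(text)
        if found:
            hits[sbid] = found
    return hits


if __name__ == "__main__":
    for sbid, found in detect(SAMPLE_EVENTS).items():
        print(f"ScriptBlockId={sbid} indicators={','.join(found)}")
```

In the sample data, block `b2` is only caught because its two fragments are joined first; matching each 4104 event on its own would miss it. Block `c3` references both classes, which is the stronger signal, while the benign `Invoke-WebRequest` call in `d4` does not match either pattern.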
Categories
- Windows
- Endpoint
Data Sources
- Script
- Process
Created: 2022-07-08