Tunneling Process Created

Anvilogic Forge

Summary
This detection rule identifies the creation of tunneling processes on endpoints. Adversaries use such processes to establish covert communication channels that evade detection and network filtering; common tools include Iodine, DNSCat, and Plink. The rule works on Sysmon event data, filtering events and applying regular expressions that match characteristics of tunneling processes. It references several attack groups known to use this tactic, among them Agrius and Lazarus. The indicators it captures include specific IP address formats, domain name patterns, and custom protocol indicators, so security teams can surface possible command-and-control communications carried over tunnels. This makes the rule an important part of endpoint visibility and threat detection as threat actors' tactics continue to evolve.
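The following Python sketch is an added illustration of the approach the summary describes, not the Anvilogic rule's own logic (which this page does not reproduce): simplified Sysmon process-creation records are filtered with regular expressions for known tunneling tool names (the three named above), SSH-style port-forwarding switches, and remote IP or domain endpoints in the arguments. The sample events, field names, tool list and regexes are assumptions constructed for the example; a remote endpoint alone never raises a finding, which keeps ordinary file arguments such as `notes.txt` from producing noise.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed Sysmon Event ID 1 samples reduced to the two fields the check
# needs. These are synthetic records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"Image": r"C:\Users\alice\Downloads\plink.exe",
     "CommandLine": "plink.exe -ssh -R 3389:127.0.0.1:3389 user@203.0.113.10"},
    {"Image": r"C:\Temp\dnscat2.exe",
     "CommandLine": "dnscat2.exe --dns server=198.51.100.7,port=53 tunnel.example.net"},
    {"Image": r"C:\Tools\iodine.exe", "CommandLine": "iodine.exe -f t.example.org"},
    {"Image": r"C:\Program Files\Git\usr\bin\ssh.exe", "CommandLine": "ssh.exe -D 1080 user@203.0.113.20"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

# Hypothetical tool list taken from the rule summary (Iodine, DNSCat, Plink),
# matched against the executable's base name, case-insensitively.
TUNNEL_TOOL_RE = re.compile(r"^(?:iodine|dnscat2?|plink)(?:\.exe)?$", re.I)

# SSH-style forwarding switches: -R (remote), -L (local), -D (dynamic/SOCKS),
# followed by a port and optionally host:port.
PORT_FORWARD_RE = re.compile(r"(?<!\S)-[RLD]\s+\d{1,5}(?::[^\s:]+:\d{1,5})?(?!\S)")

# Remote endpoint indicators: dotted-quad IPv4 address or a domain name.
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

# "Domains" whose last label is really a file extension are ignored.
FILE_EXTS = {"exe", "dll", "txt", "log", "bat", "ps1", "cmd"}


@dataclass
class Finding:
    image: str
    endpoints: list
    reasons: list


def remote_endpoints(cmdline: str) -> list:
    """Return IPv4 addresses and domain names found in the arguments.

    The first token (the program itself) is skipped, and tokens are split on
    '=', ',' and '@' so that 'user@203.0.113.10' and 'server=198.51.100.7,port=53'
    expose the address they carry.
    """
    hits = []
    for tok in cmdline.split()[1:]:
        for piece in re.split(r"[=,@]", tok):
            if IPV4_RE.fullmatch(piece):
                hits.append(piece)
            elif DOMAIN_RE.fullmatch(piece) and piece.rsplit(".", 1)[-1].lower() not in FILE_EXTS:
                hits.append(piece)
    return hits


def inspect_event(event: dict) -> Optional[Finding]:
    """Apply the tunneling checks to one process-creation record."""
    image = event["Image"]
    cmd = event["CommandLine"]
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1]
    reasons = []

    if TUNNEL_TOOL_RE.match(exe):
        reasons.append(f"known tunneling tool: {exe}")

    # A forwarding switch only counts when a remote endpoint is also present.
    fwd = PORT_FORWARD_RE.search(cmd)
    endpoints = remote_endpoints(cmd)
    if fwd and endpoints:
        switch = fwd.group().split()[0]
        reasons.append(f"port-forwarding switch {switch} with remote endpoint {endpoints[0]}")

    if not reasons:
        return None
    return Finding(image=image, endpoints=endpoints, reasons=reasons)


def scan(events: list) -> list:
    """Run inspect_event over a batch and keep only the findings."""
    return [f for f in (inspect_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.image)
        for reason in finding.reasons:
            print("   ", reason)
```

Run stand-alone, the script reports the plink, dnscat2, iodine and ssh records and stays silent on svchost and notepad. In a real pipeline the tool-name check is the high-confidence path, while the forwarding-switch path is where tuning (allow-listed jump hosts, administrator accounts) usually has to happen.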
Categories
  • Endpoint
  • Network
Data Sources
  • Process
  • Windows Registry
  • Network Traffic
ATT&CK Techniques
  • T1572
  • T1095
Created: 2024-02-09