
Potential ngrok Tunnel - Windows

Anvilogic Forge

Summary
This detection rule identifies potential abuse of ngrok, a reverse proxy tool that threat actors use to establish outbound proxies for tunneling into compromised networks over Remote Desktop Protocol (RDP) sessions. Attackers may use ngrok to bypass network defenses and facilitate lateral movement. The rule specifically searches for artifacts, notably Windows Event ID 4779, which logs RDP connection establishment events. If an RDP session is initiated through ngrok, it generates logs with this event code, alerting security teams to the possible presence of an unauthorized tunnel. This detection is especially relevant given its association with Scattered Spider, a threat actor known for sophisticated tradecraft that includes tools like ngrok.
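As an added illustration of the correlation this rule describes (example code, not Anvilogic's own detection logic), the following Python flags a host where an ngrok process launch is followed within a short window by an Event ID 4779 record from the same host. The record layout, field names and sample events are constructed assumptions, not real telemetry.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): process-creation records and
# Windows Security events from three hosts. Field names are assumptions.
EVENTS = [
    {"host": "WS01", "time": "2024-02-09T10:00:05", "type": "process",
     "image": r"C:\Users\alice\Downloads\ngrok.exe", "cmdline": "ngrok.exe tcp 3389"},
    {"host": "WS01", "time": "2024-02-09T10:03:40", "type": "security",
     "event_id": 4779, "user": "alice", "client_name": "WS01", "client_addr": "127.0.0.1"},
    {"host": "WS02", "time": "2024-02-09T11:15:00", "type": "security",
     "event_id": 4779, "user": "bob", "client_name": "LAPTOP7", "client_addr": "10.1.2.3"},
    {"host": "WS03", "time": "2024-02-09T12:00:00", "type": "process",
     "image": r"C:\Tools\ngrok.exe", "cmdline": "ngrok http 8080"},
]

LOOPBACK = ("127.0.0.1", "::1")


def parse_time(value):
    return datetime.fromisoformat(value)


def detect_ngrok_rdp(events, window=timedelta(minutes=15)):
    """Return one alert per 4779 event that follows an ngrok launch on the
    same host within `window`. A loopback client address is recorded as a
    supporting indicator, since a locally forwarded tunnel presents the RDP
    client as the host itself (an assumption about tunnel behaviour)."""
    ngrok_starts = {}  # host -> launch times of any image named ngrok
    for e in events:
        if e["type"] == "process" and "ngrok" in e["image"].lower():
            ngrok_starts.setdefault(e["host"], []).append(parse_time(e["time"]))

    alerts = []
    for e in events:
        if e["type"] != "security" or e.get("event_id") != 4779:
            continue
        rdp_time = parse_time(e["time"])
        for start in ngrok_starts.get(e["host"], []):
            if timedelta(0) <= rdp_time - start <= window:
                alerts.append({
                    "host": e["host"],
                    "user": e["user"],
                    "rdp_time": e["time"],
                    "ngrok_seen": start.isoformat(),
                    "loopback_client": e.get("client_addr") in LOOPBACK,
                })
                break  # one alert per RDP event is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_ngrok_rdp(EVENTS):
        print(alert)
```

WS02 has a 4779 event but no ngrok launch, and WS03 has an ngrok launch but no RDP event, so only WS01 is reported.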
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • User Account
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1572
Created: 2024-02-09