PUA - Ngrok Execution

Sigma Rules

Summary
This detection rule identifies the unauthorized execution of Ngrok, a popular tunneling and port-forwarding tool that threat actors have widely abused to expose local services to the internet. The rule observes process creation events in a Windows environment and looks for command-line invocations characteristic of Ngrok. Key indicators are 'tcp' commands that reference common remote access ports, as well as recognizable Ngrok command-line options such as 'start', '--all', '--config', and '.yml'. The rule's detection logic combines several selections and fires if any one of them matches, flagging the process as suspicious Ngrok usage. False positives may occur with legitimate tools whose command lines resemble Ngrok's. Overall, this rule is useful for monitoring and preventing misuse of Ngrok in a network security context.
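The following is an added illustration, not the rule page's own content or the published Sigma rule: a small Python re-implementation of the command-line indicators the summary describes, run over constructed Windows process-creation events. The selection names, the list of "common remote access ports", and the way the options are grouped into selections are assumptions made here; the published rule may define them differently. It also shows why keying on the command line rather than the image name matters (a renamed ngrok binary still fires) and how a benign tool with a similar command structure produces the false positive the summary warns about.

```python
import re

# Assumption: ports a defender would treat as "common remote access ports".
# The rule page does not list the exact ports, so this set is illustrative.
REMOTE_ACCESS_PORTS = {"22", "445", "3389", "5900", "5985", "5986"}

# Matches an ngrok-style "tcp <port>" argument, e.g. "ngrok.exe tcp 3389".
TCP_RE = re.compile(r"\btcp\s+(\d{1,5})\b")


def matches_ngrok_rule(command_line: str) -> list[str]:
    """Return the names of the (assumed) selections that fire for one command line.

    Any non-empty result means the rule would alert (selections are OR-ed).
    """
    cl = command_line.lower()
    hits = []

    # Selection 1: tcp tunnel pointed at a remote access port.
    m = TCP_RE.search(cl)
    if m and m.group(1) in REMOTE_ACCESS_PORTS:
        hits.append("sel_tcp_remote_port")

    # Selection 2: "start --all" (start every tunnel defined in the config).
    if " start " in f" {cl} " and "--all" in cl:
        hits.append("sel_start_all")

    # Selection 3: explicit config file with a .yml extension.
    if "--config" in cl and ".yml" in cl:
        hits.append("sel_config_yml")

    return hits


def scan_events(events: list[dict]) -> list[dict]:
    """Apply the indicators to process-creation events (Sysmon-like dicts)."""
    alerts = []
    for ev in events:
        hits = matches_ngrok_rule(ev.get("CommandLine", ""))
        if hits:
            alerts.append({"Image": ev.get("Image"), "hits": hits})
    return alerts


# Constructed sample events; paths and hosts are made up for this example.
SAMPLE_EVENTS = [
    # Plain ngrok tcp tunnel to a remote access port -> alert.
    {"Image": r"C:\Users\alice\ngrok.exe", "CommandLine": "ngrok.exe tcp 3389"},
    # Renamed binary: the image name is misleading, but the arguments still match.
    {"Image": r"C:\ProgramData\svchost.exe",
     "CommandLine": r"svchost.exe start --all --config C:\ProgramData\ngrok.yml"},
    # HTTP tunnel: none of the indicators above cover it -> no alert from this toy.
    {"Image": r"C:\Users\alice\ngrok.exe", "CommandLine": "ngrok.exe http 8080"},
    # Legitimate SSH client: no "tcp <port>" argument -> no alert.
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -p 22 alice@build01.example.test"},
    # Benign tool whose arguments mimic ngrok -> the false positive the rule notes.
    {"Image": r"C:\Tools\updater.exe", "CommandLine": "updater.exe start --all"},
]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"ALERT {alert['Image']}: {', '.join(alert['hits'])}")
```

Running the block prints three alerts: the two genuine ngrok invocations and the benign updater. The last one is the kind of match a tuning pass would exclude, for example by requiring the image hash or an additional option rather than the bare 'start --all' pair.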
Categories
  • Windows
Data Sources
  • Process
Created: 2021-05-14