
ngrok Execution - Windows

Anvilogic Forge

Summary
This detection rule monitors Windows endpoints for potentially malicious execution of ngrok.exe. Ngrok is a widely used reverse-proxy tool that creates a tunnel from a public endpoint to a service running behind NAT or a firewall; threat actors abuse it to expose internal services (RDP, for example) to the internet for remote access and data exfiltration, and it has been reported in use by groups such as Scattered Spider. The rule uses Windows Security log process-creation events (EventCode 4688) and looks for ngrok.exe as the new process, or for command-line arguments characteristic of ngrok (tunnel sub-commands that publish a local TCP or HTTP port, authtoken configuration), so that a renamed binary is still caught. Command-line matching requires that the "Include command line in process creation events" audit policy is enabled; without it, 4688 events carry no command line and only the process name can be checked. Because ngrok also has legitimate developer uses, a match should be reviewed against the user, the host and the port being tunnelled before it is treated as malicious.
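The following is an added example of the detection approach described above, written for this page and not the Anvilogic rule's own logic. It runs a simple classifier over constructed 4688 events (field names follow the Security log event: NewProcessName, CommandLine, SubjectUserName) and flags a process either because its image name is ngrok.exe or because its command line carries an ngrok tunnel sub-command or authtoken, which also catches a renamed binary. The sample events, paths, user names and token values are invented for the example.

```python
"""Illustrative ngrok.exe detection over Windows 4688 process-creation events.

Added example for this page, not the detection rule's own query. The events
below are constructed sample data, not real telemetry.
"""
import ntpath
import re

# ngrok tunnel sub-commands (v2/v3 CLI): 'tcp 3389', 'http 8080',
# 'tls 443', 'http 127.0.0.1:8000', or 'start --all' to open every
# tunnel defined in the config file. Matching on these catches a renamed
# binary that the process-name check alone would miss.
TUNNEL_CMD = re.compile(
    r"(?:^|\s)(?:(?:tcp|http|tls)\s+(?:\d{1,5}|[\w.\-]+:\d{1,5})|start\s+--all)\b",
    re.IGNORECASE,
)
# Authtoken supplied on the command line: '--authtoken <tok>',
# 'authtoken <tok>' (v2) or 'config add-authtoken <tok>' (v3).
AUTHTOKEN = re.compile(
    r"(?:--authtoken\s+\S+|\bauthtoken\s+\S+|config\s+add-authtoken)",
    re.IGNORECASE,
)

# Constructed sample events (values are invented).
SAMPLE_EVENTS = [
    {"EventCode": 4688, "SubjectUserName": "j.doe",
     "NewProcessName": r"C:\Users\j.doe\Downloads\ngrok.exe",
     "CommandLine": "ngrok.exe tcp 3389"},                      # RDP exposed
    {"EventCode": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\Temp\svchost.exe",           # renamed ngrok
     "CommandLine": "svchost.exe tcp 3389 --authtoken 2abcDEF_fakeToken"},
    {"EventCode": 4688, "SubjectUserName": "j.doe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",       # mentions ngrok only
     "CommandLine": r"notepad.exe C:\notes\ngrok-deployment.txt"},
    {"EventCode": 4688, "SubjectUserName": "dev01",
     "NewProcessName": r"C:\Tools\ngrok.exe",
     "CommandLine": "ngrok.exe config add-authtoken 2abcDEF_fakeToken"},
    {"EventCode": 4624, "SubjectUserName": "j.doe",               # not a 4688 event
     "NewProcessName": "", "CommandLine": ""},
]


def classify(event):
    """Return the reasons a 4688 event looks like ngrok usage (empty list if none)."""
    if event.get("EventCode") != 4688:
        return []
    reasons = []
    exe = ntpath.basename(event.get("NewProcessName", "")).lower()
    cmd = event.get("CommandLine", "")
    if exe == "ngrok.exe":
        reasons.append("process name is ngrok.exe")
    m = TUNNEL_CMD.search(cmd)
    if m:
        reasons.append(f"tunnel command '{m.group(0).strip()}'")
    if AUTHTOKEN.search(cmd):
        reasons.append("authtoken supplied on the command line")
    return reasons


def scan(events):
    """Return one finding per flagged event: index, user, image and reasons."""
    findings = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            findings.append({
                "index": i,
                "user": ev.get("SubjectUserName", ""),
                "process": ev.get("NewProcessName", ""),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['index']}] {f['user']} {f['process']}: {'; '.join(f['reasons'])}")
```

Note that the notepad event is not flagged even though "ngrok" appears in its command line: matching on the bare substring would fire on documents, log viewers and installers, so the example matches only the image name and ngrok's own command syntax. The renamed-binary event is caught purely from its arguments, which is why the command-line audit policy matters for this rule.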
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
ATT&CK Techniques
  • T1572
Created: 2024-02-09