PUA - Fast Reverse Proxy (FRP) Execution

Sigma Rules

Summary
This detection rule identifies the execution of Fast Reverse Proxy (FRP), a tool used to expose local servers behind NATs or firewalls to the Internet. The rule focuses on detecting specific indicators of FRP usage by monitoring process creation events on Windows systems. It matches the execution of the FRP client and server executables (frpc.exe and frps.exe) and looks for the presence of a configuration file (frpc.ini) in the command line parameters. Furthermore, it enhances detection by verifying file hashes of known malicious versions of these executables. The rule is marked as high severity due to the potential for FRP to be exploited for command-and-control activities in malicious contexts, particularly in environments where such tools are unauthorized or used for evading network security measures.
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-09-02
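
The three indicators described in the summary, applied to process-creation events. This is an added example, not the Sigma rule's own source. It assumes Sysmon-style `Image`, `CommandLine` and `Hashes` fields, that any single indicator is enough to alert, and a constructed hash value, since the page lists none.

```python
import ntpath

FRP_IMAGES = {"frpc.exe", "frps.exe"}   # client and server binaries named in the summary
FRP_CONFIG = "frpc.ini"                 # config file named in the summary
CONSTRUCTED_HASH = "ab" * 32            # constructed stand-in; real values come from the rule source

def parse_hashes(field):
    """Split a Sysmon-style 'MD5=...,SHA256=...' field into lowercase hash values."""
    values = set()
    for part in (field or "").split(","):
        _, sep, value = part.partition("=")
        if sep and value.strip():
            values.add(value.strip().lower())
    return values

def frp_indicators(event, known_hashes):
    """Return the indicators an event matches; an empty list means no match.
    Assumption: any single indicator is enough to alert."""
    hits = []
    if ntpath.basename(event.get("Image", "")).lower() in FRP_IMAGES:
        hits.append("image")
    if FRP_CONFIG in event.get("CommandLine", "").lower():
        hits.append("cli")
    if parse_hashes(event.get("Hashes")) & {h.lower() for h in known_hashes}:
        hits.append("hash")
    return hits

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\frpc.exe", "CommandLine": "frpc.exe -c frpc.ini"},
    {"Image": r"C:\ProgramData\updater.exe", "CommandLine": r"updater.exe -c C:\ProgramData\FRPC.INI"},
    {"Image": r"C:\ProgramData\updater.exe", "CommandLine": "updater.exe -c a.toml",
     "Hashes": "MD5=" + "00" * 16 + ",SHA256=" + CONSTRUCTED_HASH.upper()},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

def triage(events, known_hashes):
    """Pair each matching event's image path with the indicators it hit."""
    return [(e["Image"], hits) for e in events if (hits := frp_indicators(e, known_hashes))]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS, {CONSTRUCTED_HASH}):
        print(image, hits)
```

The second and third sample events use a renamed binary, which is where the command-line and hash checks carry the detection instead of the image name.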