From 2df291fe0acda1400286daaeebf510a76db03ee0 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 29 Apr 2022 12:25:38 +0200
Subject: [PATCH] rule: ngrok to remote desktop service
---
 .../win_terminalservices_rdp_ngrok.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml
diff --git a/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml b/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml
new file mode 100644
index 000000000..503cdd434
--- /dev/null
+++ b/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml
@@ -0,0 +1,22 @@
+title: Ngrok Usage with Remote Desktop Service
+id: 64d51a51-32a6-49f0-9f3d-17e34d640272
+description: Detects
+author: Florian Roth
+status: experimental
+references:
+ - https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg
+date: 2022/04/29
+tags:
+ - attack.command_and_control
+ - attack.t1090
+logsource:
+ product: windows
+ service: terminalservices-localsessionmanager
+detection:
+ selection:
+ EventID: 21
+ Address|contains: '16777216'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
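Review bot: The `description:` field of the new rule is cut off at the single word `Detects`, so the rule ships with no statement of what it matches; a wording grounded in the selection would be `description: Detects successful RDP session logons (LocalSessionManager EventID 21) whose Address field carries the value observed with ngrok-tunnelled remote desktop connections`. The literal `'16777216'` is likewise unexplained — it equals 2^24, i.e. 1.0.0.0 as a packed 32-bit IPv4 address, which is presumably how the proxied source address is rendered in this event; a comment such as `# 16777216 = 1.0.0.0 as a 32-bit integer; address seen with ngrok tunnels, see reference` beside the selection would record that for the next maintainer. `Address|contains:` is also a substring match, so any address whose text happens to contain those digits would fire; if the field value in the referenced samples is exactly `16777216`, the exact form `Address: '16777216'` is tighter and should be preferred. With `falsepositives` set to `Unknown` and `level: high`, the severity may be worth revisiting once the meaning of that address value is confirmed.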