diff --git a/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
index ea9d2f012..0c2b8efb5 100644
--- a/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
+++ b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml
@@ -7,7 +7,7 @@ references:
 - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
 author: Samir Bousseaden
 date: 2019/02/16
-modified: 2021/07/06
+modified: 2022/06/29
 tags:
 - attack.defense_evasion
 - attack.command_and_control
@@ -32,8 +32,11 @@ detection:
 SourceAddress:
 - '127.*'
 - '::1'
-condition: selection and ( sourceRDP or destinationRDP )
+filter_thor: # checking BlueKeep vulnerability
+Application|endswith:
+- '\thor.exe'
+- '\thor64.exe'
+condition: selection and ( sourceRDP or destinationRDP ) and not 1 of filter*
 falsepositives:
 - Programs that connect locally to the RDP port
-- THOR APT scanner (checking BlueKeep vulnerability)
 level: high
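Review bot: The new `filter_thor` exclusion in the second hunk keys only on the trailing image name (`Application|endswith` with `\thor.exe` / `\thor64.exe`), so a high-severity rule now silently drops any process carrying that name, wherever it sits on disk and on every host, not just the machines where the scanner is deployed. Narrowing the exception to the directory THOR actually runs from, e.g. `Application|endswith: '\<thor-install-dir>\thor64.exe'` (placeholder for the real deployment path), or pairing it with a host or account selection, keeps the allowlist as small as the false positive it is meant to cover. Since the commit also removes the `THOR APT scanner` entry from `falsepositives`, the only remaining explanation is the inline `# checking BlueKeep vulnerability` comment; extending it to record that the exclusion is name-based and why that trade-off was accepted would help the next person tuning this rule, and keeping a falsepositives line such as `- THOR APT scanner (BlueKeep check, excluded via filter_thor)` preserves that context for consumers who only read the metadata.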