diff --git a/rules/windows/builtin/win_not_allowed_rdp_access.yml b/rules/windows/builtin/win_not_allowed_rdp_access.yml new file mode 100644 index 00000000..da63b4b5 --- /dev/null +++ b/rules/windows/builtin/win_not_allowed_rdp_access.yml @@ -0,0 +1,26 @@ +title: Denied Access To Remote Desktop +id: 8e5c03fa-b7f0-11ea-b242-07e0576828d9 +description: This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. + Often, this event can be generated by attackers when searching for available windows servers in the network. +status: experimental +tags: + - attack.lateral_movement + - attack.t1076 +references: + - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825 +author: Pushkarev Dmitry +date: 2020/06/27 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4825 + condition: selection +fields: + - EventCode + - AccountName + - ClientAddress +falsepositives: + - Valid user was not added to RDP group +level: medium
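Review bot: The `fields` list names `EventCode` while the `detection.selection` block filters on `EventID`; the two should use the same field name so that the enriched output matches the field the rule actually keys on, i.e. either `- EventID` under `fields` or `EventCode: 4825` in the selection, depending on which name the security log source emits. Also worth noting in the `description` (or via a count/timeframe aggregation in `condition`) that a single 4825 fires on every user who is simply not in the Remote Desktop Users group, which is exactly the case listed under `falsepositives`; the "attackers searching for available windows servers" scenario the description has in mind would show as many 4825 events from one `ClientAddress` across hosts, so reviewers should be told whether the rule is meant to catch single denials or the scanning pattern. Finally, `attack.t1076` is the old Remote Desktop Protocol technique id, which MITRE has since folded into `attack.t1021.001`; consider adding or switching to the sub-technique tag so the rule keeps mapping correctly in newer ATT&CK versions.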