diff --git a/host-interaction/network/connectivity/set-tcp-connection-state.yml b/host-interaction/network/connectivity/set-tcp-connection-state.yml
new file mode 100644
index 000000000..4c8d87a49
--- /dev/null
+++ b/host-interaction/network/connectivity/set-tcp-connection-state.yml
@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: set TCP connection state
+    namespace: host-interaction/network/connectivity
+    authors:
+      - "@johnk3r"
+    description: The SetTcpEntry function sets the state of a TCP connection.
+    scope: function
+    att&ck:
+      - Defense Evasion::Impair Defenses [T1562]
+    references:
+      - https://unit42.paloaltonetworks.com/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website
+      - https://github.com/magisterquis/EDRSniper/blob/master/edrsniper.c
+    examples:
+      - 883bf161937f8dc6e766b07000110254:0x403150
+  features:
+    - and:
+      - api: iphlpapi.SetTcpEntry
+      - number: 12 = MIB_TCP_STATE_DELETE_TCB