
Summary
This detection rule aims to identify potential Remote Desktop Protocol (RDP) session hijacking carried out through MSTSC (Microsoft Terminal Services Client) shadowing. RDP session hijacking is a technique attackers use to take over active remote desktop sessions, potentially gaining unauthorized access to sensitive information or to the user's actions. The rule alerts when a process command line contains keywords indicative of shadowing activity: 'noconsentprompt', which bypasses the user consent prompt, and 'shadow:', which indicates the intent to shadow an existing session. This detection matters because it highlights a lateral movement tactic often used during the post-exploitation phase. Reference links are provided for further reading on this technique, reinforcing the need for proactive monitoring in environments where RDP is used, particularly enterprise settings.
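As an added example (not part of the original rule page), the rule's keyword check applied to a few constructed process-creation events in Python; the event field names, process ids and host names are assumptions:

```python
"""Constructed example: apply the MSTSC shadowing rule to process-creation events."""
import re

# Keywords the rule looks for in the process command line (from the rule summary).
REQUIRED_KEYWORDS = ("noconsentprompt", "shadow:")

# Pulls the session id out of a '/shadow:<id>' argument for alert context.
SESSION_ID_RE = re.compile(r"/shadow:(\d+)", re.IGNORECASE)


def matches_rule(command_line: str) -> bool:
    """True when every required keyword appears in the command line.

    The comparison is case-insensitive because MSTSC accepts its switches in
    any letter case ('/noConsentPrompt', '/NOCONSENTPROMPT', ...), so the
    spelling is under the operator's control.
    """
    lowered = command_line.lower()
    return all(keyword in lowered for keyword in REQUIRED_KEYWORDS)


def shadowed_session(command_line: str):
    """Return the shadowed session id as an int, or None if it is not present."""
    match = SESSION_ID_RE.search(command_line)
    return int(match.group(1)) if match else None


def evaluate(events):
    """Return one alert dict per event whose command line triggers the rule."""
    alerts = []
    for event in events:
        cmd = event["command_line"]
        if matches_rule(cmd):
            alerts.append({"pid": event["pid"], "image": event["image"],
                           "session": shadowed_session(cmd), "command_line": cmd})
    return alerts


# Constructed sample events (not real telemetry); field names and values are assumptions.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\mstsc.exe",
     "command_line": "mstsc.exe /v:WS01 /shadow:2 /noConsentPrompt /control"},
    {"pid": 5001, "image": r"C:\Windows\System32\mstsc.exe",
     "command_line": "mstsc.exe /v:FS01"},                      # ordinary RDP, no alert
    {"pid": 5002, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c "mstsc /shadow:1 /v:HR-PC /NOCONSENTPROMPT"'},
    {"pid": 5003, "image": r"C:\Windows\System32\mstsc.exe",
     "command_line": "mstsc.exe /shadow:3 /v:WS02"},            # shadow without consent bypass, no alert
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} session={alert['session']}: {alert['command_line']}")
```

The third event shows that the rule keys on the command line alone, so a shadowing attempt launched through cmd.exe is still caught, while the fourth shows that shadowing with the consent prompt left in place does not fire.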
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2020-01-24