
Summary
This detection rule identifies potential RDP (Remote Desktop Protocol) session hijacking on Windows systems by monitoring process creation events. It specifically targets execution of the 'tscon.exe' process, which is an integral part of RDP session management on Windows. Session hijacking occurs when a malicious actor takes over an active RDP session by redirecting it to their own client. The rule is built on two criteria: the process being executed must be 'tscon.exe', and it must run at a high integrity level (either 'System' or 'S-1-16-16384', the SID of the System integrity level). Both conditions together suggest an attempt to manipulate RDP sessions. Proper system configuration and monitoring for this pattern can help detect unauthorized access, as well as administrative activity that mimics legitimate process behavior.
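The two criteria above, expressed as a small Python check run over constructed process-creation events. This is an added example, not the rule's own definition or code from its authors; the field names (Image, IntegrityLevel, User) are assumed to follow the Sysmon Event ID 1 / Sigma process_creation naming convention, since the page does not name its log source, and the sample events are invented.

```python
# Added example: re-implements the tscon.exe + high-integrity check described
# in the rule summary over constructed sample events. Field names follow the
# Sysmon Event ID 1 / Sigma process_creation convention (an assumption).
from typing import Iterable, List

# Integrity levels the rule treats as suspicious for tscon.exe (from the rule text).
HIGH_INTEGRITY = {"system", "s-1-16-16384"}


def is_rdp_hijack_candidate(event: dict) -> bool:
    """Return True when a process_creation event satisfies both rule criteria:
    the image is tscon.exe and it runs at System integrity level."""
    image = str(event.get("Image", "")).lower()
    integrity = str(event.get("IntegrityLevel", "")).lower()
    # Compare the basename only, so an unusual install path still matches
    # while an unrelated binary such as 'nottscon.exe' does not.
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1]
    return basename == "tscon.exe" and integrity in HIGH_INTEGRITY


def scan(events: Iterable[dict]) -> List[dict]:
    """Return the subset of events that match the rule, preserving order."""
    return [e for e in events if is_rdp_hijack_candidate(e)]


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    # Matches: tscon.exe at System integrity.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\tscon.exe",
     "IntegrityLevel": "System", "User": "NT AUTHORITY\\SYSTEM"},
    # Matches: same check expressed with the integrity SID, mixed-case image.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\TSCON.EXE",
     "IntegrityLevel": "S-1-16-16384", "User": "NT AUTHORITY\\SYSTEM"},
    # Does not match: tscon.exe run by an admin at High, not System, integrity.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\tscon.exe",
     "IntegrityLevel": "High", "User": "CORP\\admin"},
    # Does not match: System integrity but a different image.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "IntegrityLevel": "System", "User": "NT AUTHORITY\\SYSTEM"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT rdp_session_hijack_candidate:", hit["Image"], hit["IntegrityLevel"])
```

Both the image and integrity comparisons are case-insensitive, mirroring how Sigma's string matching behaves by default; the third sample shows that tscon.exe launched by an interactive administrator at High integrity is deliberately outside the rule's scope.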
Categories
- Windows
Data Sources
- Process
Created: 2022-12-27