
MSTSC Execution

Anvilogic Forge

Summary
This detection rule identifies execution of the Microsoft Terminal Services Client (mstsc.exe), the built-in Windows client for connecting to Remote Desktop Session Host servers and other remote computers over RDP. It draws on process-execution, network-connection and child-process events collected from endpoint devices, matching the terms 'mstsc' or 'mstsc.exe' in process and network activity logs. Matching events are aggregated across the available endpoint data fields (host, user, image, command line, network destination) so that each MSTSC execution is surfaced as a possible lateral-movement step. The rule has been associated with the threat actor group Vice Society and with the Blackcat/ALPHV, Hive and Lockbit ransomware families. RDP is a common remote-access tactic in network intrusions and ransomware attacks, and the rule is intended to give early visibility into it. Because mstsc.exe is also a routine administrative tool, expect benign hits; baselining the expected users, source hosts and destination targets, and paying particular attention to copies of mstsc.exe running from outside the Windows system directories, keeps the alert volume manageable.
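The following is an added example of the matching and aggregation the summary describes, written for this page and not Anvilogic's own query. It assumes Sysmon-style process-creation and network-connection events flattened into dictionaries with the field names shown; the sample events are constructed. It matches the image basename exactly rather than as a substring, so a look-alike name such as `mstsc_helper.exe` is not flagged, extracts the RDP target from the documented `/v:<server[:port]>` switch, and notes when the client runs from an unexpected directory.

```python
"""Flag mstsc.exe activity in endpoint process and network events.

Added example with constructed input; not the Anvilogic Forge rule itself.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Process names the rule looks for, compared against the image basename so that
# look-alike names such as "mstsc_helper.exe" are not matched by substring.
MSTSC_NAMES = {"mstsc", "mstsc.exe"}

# Directories where the genuine client is installed; any other location is
# worth a closer look (renamed tooling, a copy dropped into a user profile).
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# mstsc's documented server switch: /v:<server[:port]>
RDP_TARGET_RE = re.compile(r"/v:(\S+)", re.IGNORECASE)

# Constructed sample events (assumption: Sysmon event ID 1 / ID 3-like fields).
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\mstsc.exe",
     "cmdline": r'"C:\Windows\System32\mstsc.exe" /v:fileserver01 /admin',
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "network", "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\mstsc.exe",
     "dest_ip": "10.10.20.15", "dest_port": 3389},
    {"type": "process", "host": "WS01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "host": "SRV02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\mstsc.exe",
     "cmdline": "mstsc.exe /v:10.10.5.7:3389", "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "host": "WS03", "user": "CORP\\bob",
     "image": r"C:\Temp\mstsc_helper.exe",
     "cmdline": "mstsc_helper.exe", "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "host": "WS04", "user": "CORP\\carol",
     "image": r"C:\Users\carol\Downloads\mstsc.exe",
     "cmdline": "mstsc.exe", "parent": r"C:\Users\carol\Downloads\WinRAR.exe"},
]


def is_mstsc(image: str) -> bool:
    """True when the image basename is exactly mstsc or mstsc.exe (case-insensitive)."""
    return PureWindowsPath(image).name.lower() in MSTSC_NAMES


def rdp_target(cmdline: str):
    """Return the value of the /v: switch (server or server:port), or None."""
    m = RDP_TARGET_RE.search(cmdline)
    return m.group(1) if m else None


def detect(events):
    """Return one finding per mstsc process or network event."""
    findings = []
    for ev in events:
        if not is_mstsc(ev["image"]):
            continue
        if ev["type"] == "network":
            target = f'{ev["dest_ip"]}:{ev["dest_port"]}'
        else:
            target = rdp_target(ev["cmdline"])
        image_dir = str(PureWindowsPath(ev["image"]).parent).lower()
        findings.append({
            "host": ev["host"],
            "user": ev["user"],
            "type": ev["type"],
            "image": ev["image"],
            "parent": ev.get("parent"),
            "target": target,
            "unexpected_image_path": image_dir not in EXPECTED_DIRS,
        })
    return findings


def summarize(findings):
    """Aggregate findings per user: event count, source hosts and RDP targets."""
    summary = defaultdict(lambda: {"count": 0, "sources": set(), "targets": set()})
    for f in findings:
        s = summary[f["user"]]
        s["count"] += 1
        s["sources"].add(f["host"])
        if f["target"]:
            s["targets"].add(f["target"])
    return dict(summary)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    for user, s in summarize(hits).items():
        print(user, s)
```

On the constructed input this yields four findings (alice's process and network events, the SYSTEM-launched client on SRV02, and carol's copy of mstsc.exe under Downloads, which is flagged for its unexpected path); `mstsc_helper.exe` on WS03 produces nothing. The per-user summary is the shape of aggregate a triage analyst baselines against: an administrator reaching a handful of known servers is routine, a new user fanning out to many hosts is not.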
Categories
  • Endpoint
  • Network
Data Sources
  • Process
  • Network Traffic
  • User Account
ATT&CK Techniques
  • T1021.001 (Remote Services: Remote Desktop Protocol)
Created: 2024-02-09