
Suspicious Mstsc.EXE Execution With Local RDP File

Sigma Rules

Summary
This detection rule identifies suspicious executions of the Microsoft Terminal Services Client (Mstsc.exe) when it connects to a remote desktop session using a local RDP (Remote Desktop Protocol) file. Such .rdp files are commonly used for RDP connections, but when they are located in unusual directories they may indicate unauthorized access attempts or lateral movement within the network by an attacker. The rule monitors process creation events for Mstsc.exe, specifically looking for command line arguments that include paths to local .rdp files in suspicious directories such as the public user directory, temp folders, and other locations that are not typical for legitimate RDP file usage. The selection criteria are designed to flag only potentially malicious executions while minimizing false positives from common user behavior.
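As an added illustration of the selection described above (example code written for this page, not the published rule's own logic), the check below runs over constructed process-creation events; the Image/CommandLine field names follow the Sigma process_creation convention, and the suspicious-directory list is an assumption for this example, not the rule's actual selection list.

```python
import re

# Assumed set of directories the summary calls unusual for .rdp files
# (public user directory, temp folders). Not the published rule's list.
SUSPICIOUS_DIRS = (
    "\\users\\public\\",
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
)

# Matches a quoted or unquoted Windows path ending in .rdp on the command line.
RDP_FILE_RE = re.compile(r'"([a-z]:\\[^"]+?\.rdp)"|([a-z]:\\\S+?\.rdp)',
                         re.IGNORECASE)


def is_suspicious_mstsc(event):
    """True when the process image is mstsc.exe AND its command line
    references a local .rdp file under one of the suspicious directories."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\mstsc.exe"):
        return False
    for m in RDP_FILE_RE.finditer(event.get("CommandLine", "")):
        path = (m.group(1) or m.group(2)).lower()
        if any(d in path for d in SUSPICIOUS_DIRS):
            return True
    return False


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mstsc.exe",
     "CommandLine": r'"C:\Windows\System32\mstsc.exe" "C:\Users\Public\conn.rdp"'},
    {"Image": r"C:\Windows\System32\mstsc.exe",
     "CommandLine": r"mstsc.exe C:\Users\alice\AppData\Local\Temp\x.rdp"},
    {"Image": r"C:\Windows\System32\mstsc.exe",
     "CommandLine": r'"C:\Windows\System32\mstsc.exe" "C:\Users\alice\Documents\office.rdp"'},
    {"Image": r"C:\Windows\System32\mstsc.exe",
     "CommandLine": r"mstsc.exe /v:server01"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\Public\conn.rdp"},
]


def flagged_events(events=SAMPLE_EVENTS):
    """Return only the events the check flags (the first two samples)."""
    return [e for e in events if is_suspicious_mstsc(e)]
```

The third sample shows the false-positive boundary: an .rdp file in a user's Documents folder is not flagged, and the last sample shows that the image name is checked, not just the command line.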
Categories
  • Windows
  • Endpoint
  • Infrastructure
Data Sources
  • Process
Created: 2023-04-18