
Summary
This detection rule identifies potential lateral movement via the Remote Desktop Protocol (RDP) shared mountpoint 'tsclient' on Windows hosts. Such activity may indicate malicious attempts to execute processes from shared client drive mappings during RDP sessions. The rule triggers on process execution events whose executable path matches the pattern '\\Device\\Mup\\tsclient\\*.exe'. It uses EQL (Event Query Language) to search a set of indices that capture Windows endpoint and security events, so that the relevant data sources are covered. When triggered, its associated risk score of 73 signifies a high-severity event that requires immediate investigation.
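The matching logic the summary describes, applied to constructed process events, as an added example that is not the rule's own EQL query: ECS-style field names (event.category, event.type, process.executable) and the sample events are assumptions, and, as in an EQL wildcard, the `*` is allowed to span subdirectories under the tsclient share.

```python
import re
from typing import Iterable

# Executables launched straight from the RDP client drive-redirection share,
# as exposed through the Multiple UNC Provider (MUP) device path.
# Windows paths are case-insensitive, so the match is too.
TSCLIENT_EXE = re.compile(r"^\\Device\\Mup\\tsclient\\.*\.exe$", re.IGNORECASE)


def is_tsclient_exec(event: dict) -> bool:
    """True for a process-start event whose executable lives under tsclient.

    Field names follow ECS as an assumption; adapt them to the schema your
    endpoint telemetry actually uses.
    """
    if event.get("event.category") != "process" or event.get("event.type") != "start":
        return False
    return bool(TSCLIENT_EXE.match(event.get("process.executable", "")))


def find_tsclient_execs(events: Iterable[dict]) -> list:
    """Return the events the rule would fire on, in input order."""
    return [e for e in events if is_tsclient_exec(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event.category": "process", "event.type": "start", "host.name": "ws01",
     "process.executable": r"\Device\Mup\tsclient\C\Users\alice\tool.exe",
     "process.parent.executable": r"C:\Windows\explorer.exe"},
    {"event.category": "process", "event.type": "start", "host.name": "ws02",
     "process.executable": r"\DEVICE\MUP\TSCLIENT\d\bin\Helper.EXE",  # mixed case
     "process.parent.executable": r"C:\Windows\System32\cmd.exe"},
    {"event.category": "process", "event.type": "start", "host.name": "ws01",
     "process.executable": r"C:\Windows\System32\notepad.exe",  # local binary
     "process.parent.executable": r"C:\Windows\explorer.exe"},
    {"event.category": "file", "event.type": "creation", "host.name": "ws01",
     "process.executable": r"\Device\Mup\tsclient\C\dropped.exe",  # not a process start
     "process.parent.executable": r"C:\Windows\explorer.exe"},
    {"event.category": "process", "event.type": "start", "host.name": "ws03",
     "process.executable": r"\Device\Mup\tsclient\C\notes.txt",  # not an .exe
     "process.parent.executable": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in find_tsclient_execs(SAMPLE_EVENTS):
        print(f"[risk 73] {hit['host.name']}: {hit['process.executable']} "
              f"(parent {hit['process.parent.executable']})")
```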
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
- Network Traffic
- Logon Session
ATT&CK Techniques
- T1021
- T1021.001
Created: 2020-11-11