
Summary
This detection rule identifies the creation of bitmap cache files associated with Remote Desktop Protocol (RDP) sessions on Windows systems. When a user initiates an RDP connection with the built-in Microsoft Terminal Services Client (mstsc.exe), files such as '.bmc' and 'cache*.bin' are written to the Terminal Server Client cache under the user's profile directory. The presence of these files indicates that the account was used for remote access, which may point to lateral movement or unauthorized access. Monitoring this activity matters because attackers may delete or hide these artifacts to frustrate later forensic investigation, so a record of their creation preserves evidence that might otherwise be lost. The rule uses Sysmon Event ID 11 (FileCreate) to track these file creations and so improve visibility into potentially malicious remote access activity.
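An added example of the matching logic described above, written here to illustrate the rule and not taken from the rule's own implementation. It assumes Sysmon Event ID 11 records flattened into pipe-separated key=value lines (a constructed format for this example), matches the TargetFilename against the Terminal Server Client cache directory and the '.bmc' / 'cache*.bin' names, and additionally records whether the writing process was mstsc.exe so an analyst can spot cache files written by an unexpected process (that enrichment is an addition here, not part of the rule as described).

```python
import fnmatch
import re
from pathlib import PureWindowsPath

# Constructed sample Sysmon records (Event ID 11 = FileCreate), one per line.
# Paths and user names are invented for this example.
SAMPLE_LOG_LINES = [
    r"EventID=11|Image=C:\Windows\System32\mstsc.exe|TargetFilename=C:\Users\alice\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache24.bmc",
    r"EventID=11|Image=C:\Windows\System32\mstsc.exe|TargetFilename=C:\Users\alice\AppData\Local\Microsoft\Terminal Server Client\Cache\Cache0000.bin",
    r"EventID=11|Image=C:\Windows\explorer.exe|TargetFilename=C:\Users\alice\Documents\report.bin",
    r"EventID=1|Image=C:\Windows\System32\mstsc.exe|CommandLine=mstsc.exe /v:server01",
    r"EventID=11|Image=C:\Windows\System32\notepad.exe|TargetFilename=C:\Users\bob\AppData\Local\Microsoft\Terminal Server Client\Cache\cache0001.bin",
]

# The RDP bitmap cache lives under this directory in the user profile.
RDP_CACHE_DIR_RE = re.compile(r"\\Microsoft\\Terminal Server Client\\Cache\\", re.IGNORECASE)


def parse_sysmon_line(line: str) -> dict:
    """Parse one flattened 'key=value|key=value' record into a dict."""
    event = {}
    for field in line.split("|"):
        key, _, value = field.partition("=")
        event[key.strip()] = value.strip()
    event["EventID"] = int(event.get("EventID", 0))
    return event


def is_rdp_cache_artifact(event: dict) -> bool:
    """True when a FileCreate event targets an RDP bitmap cache file."""
    if event.get("EventID") != 11:
        return False
    target = event.get("TargetFilename", "")
    if not RDP_CACHE_DIR_RE.search(target):
        return False
    # Compare the file name case-insensitively: real cache files mix case (e.g. Cache0000.bin).
    name = PureWindowsPath(target).name.lower()
    return name.endswith(".bmc") or fnmatch.fnmatchcase(name, "cache*.bin")


def detect(lines):
    """Run the rule over raw log lines and return one finding per matching event."""
    findings = []
    for line in lines:
        event = parse_sysmon_line(line)
        if not is_rdp_cache_artifact(event):
            continue
        image = event.get("Image", "")
        findings.append({
            "file": event["TargetFilename"],
            "image": image,
            # mstsc.exe is the expected writer; anything else deserves a closer look.
            "expected_writer": image.lower().endswith("\\mstsc.exe"),
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG_LINES):
        flag = "" if finding["expected_writer"] else "  <-- unexpected writer"
        print(f"{finding['image']} created {finding['file']}{flag}")
```

Running the block prints the two cache files written by mstsc.exe and flags the third, written by notepad.exe, as coming from an unexpected process; the explorer.exe write outside the cache directory and the Event ID 1 process-creation record are ignored.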
Categories
- Windows
- Endpoint
Data Sources
- Pod
- User Account
- Process
ATT&CK Techniques
- T1021.001
Created: 2025-07-30