
Summary
This detection rule monitors for abnormal manipulation of the Default.rdp file, which mstsc.exe creates automatically in a user's Documents folder when an RDP session is initiated. Specifically, it looks for the Windows built-in attrib.exe being used to remove the hidden (-h) or system (-s) attribute from this file. That is atypical for ordinary user activity and may indicate that an attacker, during reconnaissance or as part of an anti-forensics effort, is trying to read or tamper with RDP connection history that is normally kept hidden. The detection relies on Sysmon Event ID 1 (process creation) and evaluates the image and command line of the launched process. Tracking this activity helps security teams surface defense-evasion attempts against user artifacts and identify interactive attacker activity on a possibly compromised endpoint.
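The following is an added example of the detection logic run over constructed Sysmon Event ID 1 records; it is not the rule's own query and not code from the rule author. It assumes the rule matches on Image ending in \attrib.exe (or OriginalFileName ATTRIB.EXE, so a renamed copy is still caught) together with a command line that names Default.rdp and carries a -h or -s switch. Records that add attributes (+h), touch other files, or come from other event IDs are included to show what the logic deliberately does not flag.

```python
import re
from typing import Dict, Iterable, List

Event = Dict[str, object]

# Constructed Sysmon Event ID 1 records reduced to the fields the rule needs.
# Real events carry many more fields (hashes, user, parent command line, ...).
SAMPLE_EVENTS: List[Event] = [
    {   # true positive: hidden and system attributes removed from Default.rdp
        "EventID": 1,
        "Image": r"C:\Windows\System32\attrib.exe",
        "OriginalFileName": "ATTRIB.EXE",
        "CommandLine": r'attrib -h -s "C:\Users\alice\Documents\Default.rdp"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # benign: attributes are being ADDED, not removed
        "EventID": 1,
        "Image": r"C:\Windows\System32\attrib.exe",
        "OriginalFileName": "ATTRIB.EXE",
        "CommandLine": r"attrib +h +s C:\Users\alice\Documents\Default.rdp",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # true positive: renamed attrib binary, upper-case switch, lower-case file name
        "EventID": 1,
        "Image": r"C:\Temp\a.exe",
        "OriginalFileName": "ATTRIB.EXE",
        "CommandLine": r"a.exe -H C:\Users\bob\Documents\default.rdp",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # benign: attrib on an unrelated file
        "EventID": 1,
        "Image": r"C:\Windows\System32\attrib.exe",
        "OriginalFileName": "ATTRIB.EXE",
        "CommandLine": r"attrib -r C:\Users\alice\Documents\report.docx",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # wrong event type: a network connection (Event ID 3) is never evaluated
        "EventID": 3,
        "Image": r"C:\Windows\System32\attrib.exe",
        "CommandLine": r"attrib -h C:\Users\alice\Documents\Default.rdp",
    },
]

# attrib switches are case-insensitive; match a standalone -h or -s token so that
# "-hidden" in some other tool's argument list is not mistaken for the switch.
_REMOVE_SWITCH = re.compile(r"(?:^|\s)-[hs](?=\s|$)", re.IGNORECASE)


def is_attrib(event: Event) -> bool:
    """Process is attrib.exe, by path or by the PE's original file name."""
    image = str(event.get("Image", "")).lower()
    original = str(event.get("OriginalFileName", "")).lower()
    return image.endswith("\\attrib.exe") or original == "attrib.exe"


def unhides_default_rdp(command_line: str) -> bool:
    """Command line targets Default.rdp and strips the hidden or system attribute."""
    if "default.rdp" not in command_line.lower():
        return False
    return _REMOVE_SWITCH.search(command_line) is not None


def detect(events: Iterable[Event]) -> List[Event]:
    """Return the Event ID 1 records that match the rule's pattern."""
    hits: List[Event] = []
    for event in events:
        if event.get("EventID") != 1:
            continue
        if not is_attrib(event):
            continue
        if not unhides_default_rdp(str(event.get("CommandLine", ""))):
            continue
        hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT parent={hit['ParentImage']} cmd={hit['CommandLine']}")
```

Matching on OriginalFileName as well as the image path is the part worth carrying into a production query: an attacker who copies attrib.exe under another name would otherwise slip past a path-only condition while the PE metadata still reads ATTRIB.EXE.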
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1021.001
Created: 2025-07-30