
Summary
This detection rule employs a machine learning model to identify anomalies in the number of process arguments used in Remote Desktop Protocol (RDP) sessions. An unusually high argument count may indicate complex command executions used by attackers for lateral movement, which often involve obfuscation techniques and redirection. The rule requires integration with Elastic's Lateral Movement Detection and Elastic Defend to gather the necessary data from Windows RDP process events. Investigations prompted by this rule can lead to identifying potential unauthorized access or sophisticated attacks. This rule highlights the importance of monitoring RDP usage, as attackers frequently exploit this avenue to conduct lateral movement across networks. Effective detection and swift response can mitigate the risks associated with these types of attacks.
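The following is an added illustration of the rule's core idea, not Elastic's model or rule logic: it counts the arguments of processes started inside RDP logon sessions and flags counts that are robust outliers against each host's own RDP baseline. The event records, field names (`host`, `user`, `logon_type`, `args`) and the median/MAD scoring are all constructed assumptions for this example; the only Windows fact relied on is that logon type 10 is RemoteInteractive (RDP).

```python
import statistics
from collections import defaultdict

RDP_LOGON_TYPE = 10  # Windows logon type 10 = RemoteInteractive, i.e. an RDP session


def make_event(host, user, args, logon_type=RDP_LOGON_TYPE):
    """Minimal stand-in for a Windows process-start event (constructed keys)."""
    return {"host": host, "user": user, "logon_type": logon_type, "args": list(args)}


# Constructed sample events: a normal RDP baseline on ws01, one RDP process with an
# unusually long command line, one long non-RDP command line that must be ignored,
# and a host (ws02) with too little history to score.
SAMPLE_EVENTS = [
    make_event("ws01", "alice", ["notepad.exe", "notes.txt"]),
    make_event("ws01", "alice", ["cmd.exe", "/c", "dir"]),
    make_event("ws01", "alice", ["explorer.exe"]),
    make_event("ws01", "alice", ["cmd.exe", "/c", "hostname"]),
    make_event("ws01", "bob", ["mstsc.exe", "/v:fileserver"]),
    make_event("ws01", "bob", ["ping.exe", "-n", "1", "fileserver"]),
    make_event("ws01", "bob", ["calc.exe"]),
    make_event("ws01", "bob", ["cmd.exe", "/c", "type", "readme.txt"]),
    make_event("ws01", "bob", ["cmd.exe", "/c"] + [f"arg{i}" for i in range(23)]),  # 25 args
    make_event("ws01", "svc", ["cmd.exe", "/c"] + [f"opt{i}" for i in range(30)], logon_type=2),
    make_event("ws02", "carol", ["notepad.exe"]),
    make_event("ws02", "carol", ["cmd.exe", "/c", "dir"]),
]


def rdp_arg_count_outliers(events, min_baseline=5, z_threshold=3.5):
    """Return (host, user, args_count, score) for RDP-session processes whose argument
    count is a robust outlier against that host's RDP baseline (modified z-score)."""
    per_host = defaultdict(list)
    for e in events:
        if e["logon_type"] == RDP_LOGON_TYPE:  # keep only processes inside RDP sessions
            per_host[e["host"]].append(e)
    findings = []
    for host, evs in per_host.items():
        counts = [len(e["args"]) for e in evs]
        if len(counts) < min_baseline:  # not enough history on this host to judge
            continue
        med = statistics.median(counts)
        mad = statistics.median([abs(c - med) for c in counts])
        for e, c in zip(evs, counts):
            if mad == 0:  # degenerate baseline (all counts equal): flag only larger counts
                score = float("inf") if c > med else 0.0
            else:
                score = 0.6745 * (c - med) / mad  # Iglewicz-Hoaglin modified z-score
            if score > z_threshold:
                findings.append((host, e["user"], c, round(score, 2)))
    return findings
```

A real deployment would baseline per host and user over a much longer window and use the ML job's own scoring; this stand-in only shows the filtering and the outlier test in one place.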
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Network Traffic
ATT&CK Techniques
- T1210
Created: 2023-10-12