
Windows Service Create with Tscon

Splunk Security Content

Summary
This detection rule identifies attempted Remote Desktop Protocol (RDP) session hijacking on Windows hosts. It looks for a Windows service being created with 'sc.exe' whose binary path includes 'tscon.exe'. tscon.exe attaches a session to a different session, but connecting to another user's disconnected session without supplying that user's password requires SYSTEM privileges; registering a throwaway service and starting it is the usual way an attacker who already has local administrator rights gets tscon to run as LocalSystem, so the 'sc.exe' and 'tscon.exe' combination on a single command line is the signal. The rule uses process-creation telemetry from Sysmon (Event ID 1) and the Windows Security event log (Event ID 4688). A confirmed hit means the attacker has taken over an existing user's interactive session without that user's credentials, with access to whatever that user has open, including sensitive data and any applications or tokens in the session, which can then be used to move further into the environment. Organizations are encouraged to deploy this rule to detect unauthorized RDP session takeover by monitoring process creation related to disconnected RDP sessions.
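The matching logic described above, replayed over a handful of constructed process-creation records, as an added example that is not Splunk's own SPL for this rule. It normalises the two event sources the summary names (Sysmon Event ID 1 and Security Event ID 4688), requires the image to be sc.exe, and then looks for tscon in the service binary path. It goes slightly beyond the page in two places, both labelled in the code: it also flags `sc config` (re-pointing an existing service's binary path at tscon) alongside `sc create`, and it pulls the target session and `/dest:` argument out of the command line so an analyst can see which session was being stolen. Field names, the `ProcessEvent` record and the sample events are assumptions made for this illustration.

```python
"""Replay of the sc.exe + tscon.exe service-creation detection over sample events."""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Event IDs that record process creation: Sysmon EID 1 and Windows Security EID 4688.
PROCESS_CREATION_EVENT_IDS = {1, 4688}

# Extracts the target session and the optional /dest: argument from a tscon invocation.
TSCON_ARGS = re.compile(
    r"tscon(?:\.exe)?\s+(?P<session>\d+)(?:\s+/dest:(?P<dest>[^\s\"]+))?",
    re.IGNORECASE,
)

# Assumed normalised record shape; real pipelines map Sysmon/4688 fields onto it.
@dataclass(frozen=True)
class ProcessEvent:
    event_id: int
    image: str
    command_line: str
    parent_image: str
    user: str

@dataclass(frozen=True)
class Finding:
    user: str
    parent_image: str
    sc_verb: str
    session: str
    dest: Optional[str]
    command_line: str

def sc_verb(command_line: str) -> Optional[str]:
    """Return the sc.exe sub-command (create, config, query, ...) in lower case.

    sc.exe accepts an optional \\\\server argument before the verb, so tokens
    starting with a backslash are skipped rather than mistaken for the verb.
    """
    for tok in command_line.split()[1:]:
        if tok.startswith("\\"):
            continue
        return tok.lower()
    return None

def matches_tscon_service(ev: ProcessEvent) -> Optional[Finding]:
    """Apply the rule to one event; return a Finding on a match, else None."""
    if ev.event_id not in PROCESS_CREATION_EVENT_IDS:
        return None
    if ntpath.basename(ev.image).lower() != "sc.exe":
        return None
    verb = sc_verb(ev.command_line)
    # 'create' is what the page describes; 'config' is an added generalisation,
    # since re-pointing an existing service's binPath at tscon achieves the same thing.
    if verb not in {"create", "config"}:
        return None
    m = TSCON_ARGS.search(ev.command_line)
    if m is None:
        return None
    return Finding(ev.user, ev.parent_image, verb, m.group("session"),
                   m.group("dest"), ev.command_line)

def run_detection(events: Iterable[ProcessEvent]) -> List[Finding]:
    return [f for f in (matches_tscon_service(e) for e in events) if f is not None]

# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    # Classic hijack: service wraps cmd.exe so tscon runs as LocalSystem.
    ProcessEvent(1, r"C:\Windows\System32\sc.exe",
                 r'sc.exe create sesshijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#13"',
                 r"C:\Windows\System32\cmd.exe", r"CORP\svc-admin"),
    # Remote variant via \\server, binary path pointing straight at tscon.exe.
    ProcessEvent(4688, r"C:\Windows\System32\sc.exe",
                 r'sc \\WS-0042 create hijack binPath= "C:\Windows\System32\tscon.exe 3 /dest:console"',
                 r"C:\Windows\System32\powershell.exe", r"CORP\helpdesk"),
    # Benign sc.exe use: no service creation, no tscon.
    ProcessEvent(1, r"C:\Windows\System32\sc.exe", r"sc.exe query wuauserv",
                 r"C:\Windows\System32\cmd.exe", r"CORP\svc-admin"),
    # tscon launched directly (e.g. already running as SYSTEM): outside this rule's scope.
    ProcessEvent(1, r"C:\Windows\System32\tscon.exe", r"tscon 2 /dest:rdp-tcp#13",
                 r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM"),
    # Same command line but a process-termination event: wrong event ID, ignored.
    ProcessEvent(4689, r"C:\Windows\System32\sc.exe",
                 r'sc.exe create sesshijack binpath= "cmd.exe /k tscon 2"',
                 r"C:\Windows\System32\cmd.exe", r"CORP\svc-admin"),
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_EVENTS):
        print(f"{f.user} via {ntpath.basename(f.parent_image)}: sc {f.sc_verb} "
              f"-> tscon session {f.session} dest={f.dest}")
```

The fourth sample event is the important negative: a bare tscon.exe run by a process that is already SYSTEM does not involve sc.exe at all, so this rule will not fire on it and a separate tscon.exe process-creation rule is needed to cover that path.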
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • User Account
  • Process
ATT&CK Techniques
  • T1563.002
  • T1563
  • T1543.003
Created: 2024-12-10