
Windows RDP Cache File Deletion

Splunk Security Content

Summary
This detection rule identifies the deletion of Remote Desktop Protocol (RDP) bitmap cache files, specifically files with .bmc and .bin extensions, from the Terminal Server Client\Cache directory within user profiles on Windows systems. The Windows Remote Desktop Client (mstsc.exe) creates these files to cache graphic elements from remote sessions and so speed up redraws during later interactions. Deleting these forensic artifacts is unusual for normal users and may indicate malicious activity: the technique is associated with defense evasion by attackers or red team operations seeking to remove traces of interactive remote access. The rule is particularly relevant when the deletions occur shortly after logon activity or the start of an RDP session, which makes it a valuable signal for investigations. Detection relies on Sysmon Event IDs 23 (File Create) and 26 (File Deleted). Logging this file deletion activity gives security teams insight into anti-forensic measures used after lateral movement or hands-on-keyboard activity and thereby strengthens incident response procedures.
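The matching logic described above, written out as an added Python illustration (not the Splunk rule's own search): it filters Sysmon-style records to event IDs 23 and 26, matches the cache directory and extensions, and flags deletions that fall within a window after a logon by the same user. The full default path under AppData\Local\Microsoft, the one-hour window and the sample records are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

FILE_DELETE_EVENT_IDS = {23, 26}  # Sysmon file-deletion event IDs named in the rule summary
# RDP bitmap cache files sit under "Terminal Server Client\Cache" in the user profile
# with a .bmc or .bin extension (both from the rule summary); match case-insensitively like NTFS.
RDP_CACHE_RE = re.compile(r"\\Terminal Server Client\\Cache\\[^\\]+\.(?:bmc|bin)$", re.IGNORECASE)

@dataclass(frozen=True)
class Alert:
    user: str
    image: str        # process that performed the deletion
    target: str
    event_id: int
    near_logon: bool  # True if the same user logged on within the window before the deletion

def is_rdp_cache_file(path: str) -> bool:
    return RDP_CACHE_RE.search(path) is not None

def detect_rdp_cache_deletions(events, logons, window=timedelta(hours=1)):
    """events: Sysmon-style dicts; logons: (user, datetime) pairs of recent logons."""
    alerts = []
    for ev in events:
        if (ev.get("EventID") not in FILE_DELETE_EVENT_IDS
                or not is_rdp_cache_file(ev.get("TargetFilename", ""))):
            continue
        when = datetime.fromisoformat(ev["UtcTime"])
        near = any(u == ev["User"] and timedelta(0) <= when - t <= window for u, t in logons)
        alerts.append(Alert(ev["User"], ev["Image"], ev["TargetFilename"], ev["EventID"], near))
    return alerts

# Constructed sample telemetry (not real events); field names follow Sysmon's event schema.
SAMPLE_LOGONS = [("CORP\\alice", datetime(2025, 7, 30, 9, 0))]
CACHE = "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Terminal Server Client\\Cache\\"  # assumed default path
SAMPLE_EVENTS = [
    {"EventID": 26, "UtcTime": "2025-07-30 09:20:00", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": CACHE + "Cache0000.bin"},
    {"EventID": 23, "UtcTime": "2025-07-30 15:00:00", "User": "CORP\\alice",
     "Image": "C:\\Windows\\explorer.exe", "TargetFilename": CACHE + "bcache24.bmc"},
    {"EventID": 26, "UtcTime": "2025-07-30 09:21:00", "User": "CORP\\alice",  # wrong extension
     "Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": CACHE + "readme.txt"},
    {"EventID": 11, "UtcTime": "2025-07-30 09:22:00", "User": "CORP\\alice",  # not a deletion event
     "Image": "C:\\Windows\\System32\\mstsc.exe", "TargetFilename": CACHE + "Cache0001.bin"},
]

if __name__ == "__main__":
    for a in detect_rdp_cache_deletions(SAMPLE_EVENTS, SAMPLE_LOGONS):
        print(f"EID {a.event_id}: {a.user} via {a.image} deleted {a.target} (near logon: {a.near_logon})")
```

Only the first two records alert; the first is also marked as occurring within an hour of the user's logon, which is the combination the summary singles out.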
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • File
  • Application Log
ATT&CK Techniques
  • T1070.004
Created: 2025-07-30