
Summary
This detection rule identifies potential Remote Desktop Protocol (RDP) connections initiated via the Microsoft Terminal Services Client (mstsc.exe) using a local '.rdp' file. The rule inspects process creation logs from Windows systems, specifically the execution of mstsc.exe and the command-line arguments that indicate an RDP connection attempt. It combines image path matching with command-line filtering to distinguish legitimate uses of mstsc from suspicious activity that could indicate unauthorized access. The logic requires that the process originate from the expected executable and excludes invocations whose command-line parameters point to known benign usage, such as those generated by the Windows Subsystem for Linux (WSL). The rule acknowledges the possibility of false positives, especially in environments where '.rdp' files are commonly used for remote access, but still treats these events with a low alert level because of their potential connection to malicious activity.
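As an added illustration, not the rule's own definition (which this page does not reproduce), the following Python approximates the described selection and exclusion logic over constructed process-creation events. The OriginalFileName check and the WSLg '.rdp' path used for the benign exclusion are assumptions, not values taken from the rule.

```python
# Constructed sample process-creation events (not real telemetry). Field names
# follow the Sysmon EventID 1 style that Sigma process_creation rules use.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mstsc.exe",
     "OriginalFileName": "mstsc.exe",
     "CommandLine": r'"C:\Windows\System32\mstsc.exe" "C:\Users\alice\Downloads\invoice.rdp"'},
    {"Image": r"C:\Windows\System32\mstsc.exe",
     "OriginalFileName": "mstsc.exe",
     "CommandLine": r'"C:\Windows\System32\mstsc.exe" /v:fileserver01'},
    {"Image": r"C:\Windows\System32\mstsc.exe",
     "OriginalFileName": "mstsc.exe",
     # Assumed WSLg launch; the path is a placeholder for the real exclusion.
     "CommandLine": r"mstsc.exe C:\ProgramData\Microsoft\WSL\wslg.rdp /silent"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\notmstsc.exe",
     "OriginalFileName": "mstsc.exe",
     "CommandLine": r"notmstsc.exe C:\Users\bob\remote.rdp"},
]

# Assumed benign exclusion: WSLg starts mstsc with its own .rdp file.
WSL_FILTER_SUBSTRINGS = [r"c:\programdata\microsoft\wsl\wslg.rdp"]


def matches_rule(event):
    """Return True when the event satisfies the rule as described on the page."""
    # Sigma string matching is case-insensitive, so normalise everything first.
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # Selection: mstsc by image path, or (assumed) by PE OriginalFileName so a
    # renamed copy of the binary is still caught.
    is_mstsc = image.endswith(r"\mstsc.exe") or orig == "mstsc.exe"
    # Selection: a local .rdp file appears on the command line.
    has_rdp_file = ".rdp" in cmd
    # Filter: known benign launcher (WSL) is excluded.
    benign = any(s in cmd for s in WSL_FILTER_SUBSTRINGS)
    return is_mstsc and has_rdp_file and not benign


def run_detection(events):
    """Return the command lines of all events that trigger the rule."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT (low):", hit)
```

Running the block flags the invoice.rdp launch and the renamed binary while ignoring the /v: connection and the WSLg invocation.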
Categories
- Windows
- Endpoint
Data Sources
- Process
- Application Log
Created: 2023-04-18