
Summary
This detection rule targets execution of mstsc.exe, the built-in Remote Desktop Connection client, on Windows endpoints. It looks for the command-line parameters that set up a session non-interactively: /v:<target> (the host, optionally with a port, to connect to) and /admin (connect to the administrative session on the target). Execution with these flags is worth flagging because attackers who have obtained valid credentials routinely use the native RDP client to move laterally between hosts (ATT&CK T1021.001, Remote Services: Remote Desktop Protocol). The rule expects process-creation telemetry from an EDR agent (for example Sysmon Event ID 1, or Windows Security Event ID 4688 with command-line auditing enabled) mapped to the Splunk Common Information Model (CIM) Endpoint.Processes data model, so that the process name and full command line are available as normalized fields. Known false positives: administrators and help-desk staff legitimately launch mstsc.exe with /v: and /admin, so filter on sanctioned jump hosts, administrative accounts and expected parent processes to reduce noise, and investigate what remains. The rule is one component of a broader lateral-movement detection strategy; it surfaces RDP connection attempts for rapid triage rather than proving misuse on its own.
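The following is an added worked example, not the rule's own SPL and not code from the Splunk Security Content project. It applies the same logic (mstsc.exe executed with /v:<target> or /admin) in Python to a handful of constructed process-creation events shaped like the CIM Endpoint.Processes fields, and adds the false-positive handling the summary recommends: an assumed allowlist of sanctioned jump hosts (the hostname JUMP01 is hypothetical) and a severity bump when the client is launched from a command shell, which is more typical of scripted or hands-on-keyboard attacker use than of a help-desk session.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events in the shape of the CIM Endpoint.Processes fields
# (dest, user, parent_process_name, process_name, process). Made-up test data,
# not real telemetry.
SAMPLE_EVENTS = [
    {"dest": "WS01", "user": "alice", "parent_process_name": "explorer.exe",
     "process_name": "mstsc.exe", "process": "mstsc.exe /v:fileserver01 /admin"},
    {"dest": "WS01", "user": "alice", "parent_process_name": "explorer.exe",
     "process_name": "mstsc.exe", "process": "mstsc.exe"},  # plain GUI launch, no target
    {"dest": "WS02", "user": "bob", "parent_process_name": "cmd.exe",
     "process_name": "MSTSC.EXE", "process": "MSTSC.EXE /V:10.0.0.25:3389"},
    {"dest": "JUMP01", "user": "svc_admin", "parent_process_name": "explorer.exe",
     "process_name": "mstsc.exe", "process": "mstsc.exe /v:dc01 /admin"},
    {"dest": "WS03", "user": "carol", "parent_process_name": "outlook.exe",
     "process_name": "notepad.exe", "process": "notepad.exe /v:not-rdp"},  # wrong binary
]

# mstsc.exe parses its switches case-insensitively, so match them the same way.
TARGET_RE = re.compile(r"(?:^|\s)/v:(\S+)", re.IGNORECASE)
ADMIN_RE = re.compile(r"(?:^|\s)/admin(?=\s|$)", re.IGNORECASE)

# Hypothetical allowlist of sanctioned jump hosts; tune per environment.
KNOWN_JUMP_HOSTS = {"JUMP01"}

# Parent processes that suggest scripted or interactive shell use rather than a
# user double-clicking the Remote Desktop Connection shortcut.
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass
class Finding:
    dest: str
    user: str
    parent_process_name: str
    target: Optional[str]
    admin_session: bool
    severity: str


def detect_mstsc(events, jump_hosts=KNOWN_JUMP_HOSTS):
    """Return one Finding per mstsc.exe execution that uses /v: or /admin."""
    findings = []
    for ev in events:
        if ev.get("process_name", "").lower() != "mstsc.exe":
            continue
        cmd = ev.get("process", "")
        m = TARGET_RE.search(cmd)
        admin = bool(ADMIN_RE.search(cmd))
        if m is None and not admin:
            continue  # no session parameters: outside the rule's scope
        target = m.group(1) if m else None
        parent = ev.get("parent_process_name", "").lower()
        if ev.get("dest") in jump_hosts:
            severity = "informational"  # expected source of admin RDP sessions
        elif admin or parent in SHELL_PARENTS:
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(ev.get("dest", ""), ev.get("user", ""),
                                parent, target, admin, severity))
    return findings


if __name__ == "__main__":
    for f in detect_mstsc(SAMPLE_EVENTS):
        print(f)
```

Run against the sample set, the plain GUI launch and the notepad.exe event are ignored, the /admin session to fileserver01 and the shell-launched connection to 10.0.0.25:3389 rank high, and the session from the allowlisted jump host is kept at informational so it still appears in the audit trail without paging anyone.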
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1021.001
Created: 2025-03-17