Suspicious RDP Redirect Using TSCON

Sigma Rules

Summary
This detection rule identifies potentially malicious behavior by monitoring use of the 'tscon.exe' utility on Windows. The utility is commonly abused in RDP (Remote Desktop Protocol) session hijacking, a technique that lets an attacker take control of an existing RDP session. The detection specifically looks for command line invocations of 'tscon.exe' that include the '/dest:rdp-tcp#' parameter, which indicates an attempt to redirect a session to an RDP destination, a typical signature of RDP hijacking. The rule is classified as high severity because of the risk associated with unauthorized access to remote sessions. It provides a critical layer of security monitoring for environments where RDP is heavily used, especially enterprise settings where lateral movement by attackers is a concern. Overall, the rule aims to improve visibility into, and the security of, RDP usage, enabling rapid response to potential session hijacking attempts.
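As an added example (not code from the rule or this site), the selection described above run over a few constructed process-creation events; the session-id parsing is an extra triage step assumed from tscon's documented `tscon <session> /dest:<sessionname>` syntax and is not part of the rule itself.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / Security 4688
# style fields). These are made up for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\System32\tscon.exe",
     "CommandLine": "tscon.exe 2 /dest:rdp-tcp#3"},
    {"EventId": 2, "Image": r"C:\Windows\System32\tscon.exe",
     "CommandLine": "tscon.exe 1 /dest:console"},          # benign reconnect
    {"EventId": 3, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c TSCON 5 /DEST:RDP-TCP#7"}, # launched via cmd
    {"EventId": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
]

# The rule's selection: the command line contains '/dest:rdp-tcp#'.
# Sigma 'contains' matching is case-insensitive, so the search is too.
SELECTION = re.compile(r"/dest:rdp-tcp#", re.IGNORECASE)

# Triage helper (assumption, not part of the rule): tscon's documented syntax is
# 'tscon <session> /dest:<sessionname>', so pull both ids out when present.
TSCON_ARGS = re.compile(
    r"tscon(?:\.exe)?\s+(?P<source>\S+)\s+/dest:(?P<dest>rdp-tcp#\d+)",
    re.IGNORECASE,
)


def matches_rule(event):
    """True when a process-creation event satisfies the rule's selection."""
    return SELECTION.search(event.get("CommandLine", "")) is not None


def triage(event):
    """Build an alert record for a matching event, with the session ids
    parsed out for the analyst when the command line is well-formed."""
    m = TSCON_ARGS.search(event.get("CommandLine", ""))
    return {
        "event_id": event.get("EventId"),
        "image": event.get("Image"),
        "source_session": m.group("source") if m else None,
        "dest_session": m.group("dest").lower() if m else None,
    }


def find_rdp_redirects(events):
    """Run the selection over an event stream; return one alert per hit."""
    return [triage(e) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for alert in find_rdp_redirects(SAMPLE_EVENTS):
        print(alert)
```

The reconnect to 'console' (event 2) is not flagged, which mirrors the rule's focus on 'rdp-tcp#' destinations rather than every tscon invocation.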
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
Created: 2018-03-17