
Summary
The detection rule titled "Windows Default Rdp File Deletion" identifies deletion of the Default.rdp file associated with Windows Remote Desktop Protocol (RDP) sessions. Windows normally creates or updates this file automatically whenever a user starts an RDP session; it holds session configuration details such as the remote hostname and display settings. Deleting it is considered anomalous because it may indicate an internal threat scenario in which an attacker or operator is removing evidence of a remote access event to evade detection. Monitoring this activity, especially when it follows recent RDP usage, is therefore valuable for surfacing potential malicious intent and supporting forensic analysis. The rule relies on Sysmon Event IDs 23 and 26 to capture the deletion events and provides a search implementation showing how to track this behavior. To make full use of the detection, Sysmon logging on endpoints should be configured to record the file deletion details the search depends on.
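The following is an added example, not the rule's own search, that applies the same logic described above to constructed Sysmon-style events: it flags Event ID 23/26 deletions of Default.rdp and marks whether an RDP session wrote the file shortly before. The field names, sample events and the 60-minute correlation window are assumptions.

```python
"""Flag Sysmon file-delete events (EventID 23/26) that remove Default.rdp.
Added example, not the detection's own search; sample events are constructed
and the field names plus the 60-minute correlation window are assumptions."""
from datetime import datetime, timedelta
import ntpath

FILE_DELETE_IDS = {23, 26}   # Sysmon FileDelete (archived) / FileDeleteDetected
FILE_CREATE_ID = 11          # Sysmon FileCreate: an RDP session writes Default.rdp
RECENT_WINDOW = timedelta(minutes=60)
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # Sysmon UtcTime layout

# Constructed sample events modelled on Sysmon EventData fields.
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": "2025-07-30 09:58:01.101", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\mstsc.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\Default.rdp"},
    {"EventID": 23, "UtcTime": "2025-07-30 10:02:44.512", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\Default.rdp"},
    {"EventID": 26, "UtcTime": "2025-07-30 10:03:10.004", "User": "CORP\\bob",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\bob\\Downloads\\report.pdf"},
    {"EventID": 26, "UtcTime": "2025-07-30 10:05:00.000", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\USERS\\BOB\\DOCUMENTS\\DEFAULT.RDP"},
]

def is_default_rdp(path: str) -> bool:
    """Case-insensitive file-name match; NTFS paths are case-insensitive."""
    return ntpath.basename(path).lower() == "default.rdp"

def detect_default_rdp_deletions(events: list[dict]) -> list[dict]:
    """One alert per Default.rdp deletion, flagged when an RDP session wrote it recently."""
    alerts = []
    for ev in events:
        if ev["EventID"] not in FILE_DELETE_IDS or not is_default_rdp(ev["TargetFilename"]):
            continue
        deleted_at = datetime.strptime(ev["UtcTime"], TS_FORMAT)
        recent_rdp = any(
            e["EventID"] == FILE_CREATE_ID
            and e["TargetFilename"].lower() == ev["TargetFilename"].lower()
            and timedelta(0) <= deleted_at - datetime.strptime(e["UtcTime"], TS_FORMAT) <= RECENT_WINDOW
            for e in events
        )
        alerts.append({"time": ev["UtcTime"], "user": ev["User"], "process": ev["Image"],
                       "path": ev["TargetFilename"], "event_id": ev["EventID"],
                       "recent_rdp_use": recent_rdp})
    return alerts
```

Running `detect_default_rdp_deletions(SAMPLE_EVENTS)` yields two alerts: the alice deletion is marked as following recent RDP use, the bob deletion is not, and the unrelated PDF deletion is ignored.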
Categories
- Endpoint
- Windows
Data Sources
- User Account
- File
- Process
ATT&CK Techniques
- T1070.004
Created: 2025-07-30