
Summary
This detection rule identifies execution of the Remote Desktop client process (mstsc.exe) on systems where its use is atypical. Using telemetry from Endpoint Detection and Response (EDR) agents, the detection excludes systems known to use RDP routinely. Its value lies in pinpointing potential lateral movement or unauthorized remote access attempts, which can indicate a deeper compromise. An instance of mstsc.exe outside the expected environments raises a red flag that a malicious actor may be attempting to gain remote control of a system, which can lead to data exfiltration or privilege escalation. The implementation monitors specific Sysmon and Windows Security logs, enabling security teams to respond promptly to suspicious RDP-related activity.
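The following is an added illustration of the detection logic described above; it is not the rule's own search and not code from the rule's authors. It models a few constructed Sysmon Event ID 1 (process creation) records as Python objects, flags any mstsc.exe launch on a host that is not on an allowlist of systems known to use RDP, and enriches each finding with the `/v:` destination from the command line to speed up triage. The allowlist contents, the host names, and the sample events are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed allowlist of hostnames where the RDP client is expected
# (jump hosts, helpdesk workstations). Assumed values for this example.
KNOWN_RDP_HOSTS = frozenset({"JUMPHOST01", "HELPDESK-WS07"})


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal view of a Sysmon Event ID 1 (process creation) record."""
    host: str
    user: str
    image: str
    command_line: str
    parent_image: str


# Constructed sample telemetry: two mstsc.exe launches and one unrelated process.
SAMPLE_EVENTS = [
    ProcessEvent("JUMPHOST01", "CORP\\admin01",
                 r"C:\Windows\System32\mstsc.exe",
                 r'"C:\Windows\System32\mstsc.exe" /v:fileserver01',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent("FINANCE-PC22", "CORP\\jdoe",
                 r"C:\Windows\System32\mstsc.exe",
                 r'"C:\Windows\System32\mstsc.exe" /v:10.0.5.12:3389',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("FINANCE-PC22", "CORP\\jdoe",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" budget.xlsx',
                 r"C:\Windows\explorer.exe"),
]

# The /v: switch names the destination host for the RDP client.
_TARGET_RE = re.compile(r"/v:\s*([^\s]+)", re.IGNORECASE)


def is_mstsc(image: str) -> bool:
    """Match on the image file name only, so a copy in a non-standard path still triggers."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "mstsc.exe"


def rdp_target(command_line: str) -> Optional[str]:
    """Extract the /v: destination from an mstsc command line, if present."""
    m = _TARGET_RE.search(command_line)
    return m.group(1) if m else None


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    target: Optional[str]
    parent_image: str


def find_unexpected_rdp_clients(events: Iterable[ProcessEvent],
                                known_hosts=KNOWN_RDP_HOSTS) -> list:
    """Return one Finding per mstsc.exe launch on a host outside the allowlist."""
    findings = []
    for e in events:
        if not is_mstsc(e.image):
            continue
        if e.host.upper() in known_hosts:
            continue  # expected RDP usage on this host; suppressed
        findings.append(Finding(e.host, e.user, rdp_target(e.command_line), e.parent_image))
    return findings


if __name__ == "__main__":
    for f in find_unexpected_rdp_clients(SAMPLE_EVENTS):
        print(f"ALERT host={f.host} user={f.user} target={f.target} parent={f.parent_image}")
```

Matching on the image file name rather than the full path keeps the logic robust to a relocated binary, and the parent image is carried into the finding because an mstsc.exe spawned from a shell rather than from explorer.exe is a useful triage signal. In production the allowlist would be maintained as a lookup rather than a constant, and the events would come from the EDR or Sysmon pipeline instead of an inline list.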
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Logon Session
- Application Log
ATT&CK Techniques
- T1021.001
- T1021
Created: 2024-11-13