
Summary
This detection rule identifies execution of "RDPWInst.exe", the installer for the RDP Wrapper Library, which is used to enable Remote Desktop Protocol (RDP) host support and allow multiple concurrent RDP sessions on a Windows host. Threat actors can use the tool to set up unauthorized remote desktop access, which may support lateral movement and data theft within a network. The rule uses process-creation data from Endpoint Detection and Response (EDR) sources, including Sysmon EventID 1 and Windows Security Event Log 4688, and matches on the process name together with the command-line arguments associated with this tool. By reviewing the matched process activity alongside the user and destination host, security teams can detect and respond to potentially malicious use of RDPWInst.exe and reduce the risk of unauthorized remote access and data exfiltration. RDP Wrapper is also installed deliberately by administrators on Windows editions that do not allow concurrent sessions, so expected administrative use should be excluded when tuning the rule.
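The matching logic described above, written out as an added example that is not part of this rule page and not the rule's own search: it normalizes constructed Sysmon EventID 1 and Security 4688 records onto the fields the rule keys on (process name, original file name, command line, user, destination host), flags RDPWInst.exe by process name or by PE original file name so a renamed copy is still caught, and pulls out the command-line switches. The switch meanings in SWITCH_MEANING are an assumption taken from memory of the RDP Wrapper usage text, not something the page states; the sample events and host/user names are made up.

```python
"""Added example: match RDPWInst.exe process-creation events from Sysmon EventID 1
and Security 4688 records. Not the rule's own search; sample data is constructed."""
import ntpath
import re

RDPWINST = "rdpwinst.exe"

# Assumed meaning of common RDPWInst switches (from memory of the RDP Wrapper
# usage text; treat as an assumption, the rule page does not list them).
SWITCH_MEANING = {"i": "install", "u": "uninstall", "o": "online-install",
                  "r": "restart-termservice"}

# Constructed events, already parsed into dicts the way a log pipeline would hand
# them over. Field names follow the real Sysmon EID 1 / Security 4688 schemas;
# every value is made up for this example.
SAMPLE_EVENTS = [
    {"source": "sysmon", "EventID": 1, "Image": r"C:\Users\jdoe\Downloads\RDPWInst.exe",
     "OriginalFileName": "RDPWInst.exe", "CommandLine": "RDPWInst.exe -i -o",
     "User": r"CORP\jdoe", "Computer": "WS0142"},
    # Renamed copy: only the PE version resource still says RDPWInst.exe.
    {"source": "sysmon", "EventID": 1, "Image": r"C:\Temp\svchost.exe",
     "OriginalFileName": "RDPWInst.exe", "CommandLine": "svchost.exe -i",
     "User": r"CORP\svc_backup", "Computer": "FS01"},
    {"source": "security", "EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "SubjectUserName": "jdoe", "Computer": "WS0142"},
    {"source": "security", "EventID": 4688, "NewProcessName": r"D:\tools\rdpwinst.exe",
     "CommandLine": "rdpwinst.exe -u", "SubjectUserName": "admin01", "Computer": "WS0200"},
    # 4688 without command-line auditing enabled: CommandLine is empty.
    {"source": "security", "EventID": 4688, "NewProcessName": r"D:\tools\rdpwinst.exe",
     "CommandLine": "", "SubjectUserName": "admin01", "Computer": "WS0201"},
]


def normalize(event):
    """Map a Sysmon EID 1 or Security 4688 record onto the common fields the rule keys on."""
    if event.get("EventID") == 1:
        image = event.get("Image", "")
        return {
            "process_name": ntpath.basename(image).lower(),
            "process_path": image,
            "original_file_name": event.get("OriginalFileName", "").lower(),
            "command_line": event.get("CommandLine", ""),
            "user": event.get("User", ""),
            "dest": event.get("Computer", ""),
        }
    if event.get("EventID") == 4688:
        image = event.get("NewProcessName", "")
        return {
            "process_name": ntpath.basename(image).lower(),
            "process_path": image,
            "original_file_name": "",  # 4688 carries no PE version information
            "command_line": event.get("CommandLine", ""),
            "user": event.get("SubjectUserName", ""),
            "dest": event.get("Computer", ""),
        }
    return None  # not a process-creation event this rule consumes


def extract_switches(command_line):
    """Return single-letter '-x' or '/x' switches, lower-cased, in the order they appear."""
    return [m.lower() for m in re.findall(r"(?:^|\s)[-/]([A-Za-z])(?=\s|$)", command_line)]


def detect(events):
    """Return one finding per event that is RDPWInst.exe by name or by original file name."""
    hits = []
    for ev in events:
        n = normalize(ev)
        if n is None:
            continue
        by_name = n["process_name"] == RDPWINST
        by_orig = n["original_file_name"] == RDPWINST
        if not (by_name or by_orig):
            continue
        switches = extract_switches(n["command_line"])
        hits.append({
            **n,
            "switches": switches,
            "actions": [SWITCH_MEANING.get(s, "unknown-switch") for s in switches],
            "renamed": by_orig and not by_name,          # binary was renamed on disk
            "command_line_missing": n["command_line"] == "",  # cannot tell install from uninstall
        })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["dest"], hit["user"], hit["process_path"], hit["actions"],
              "renamed" if hit["renamed"] else "", "no-cmdline" if hit["command_line_missing"] else "")
```

Two points the sample data is built to show: Security 4688 only includes the command line when the "Include command line in process creation events" audit policy is enabled, so on hosts without it the rule can still match on the process name but cannot tell an install from an uninstall; and 4688 never carries the PE original file name, so a renamed copy of RDPWInst.exe is only caught by the Sysmon path.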
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Application Log
ATT&CK Techniques
- T1021.001
- T1021
Created: 2024-12-10