
Summary
This detection rule identifies suspicious loading of the Remote Desktop Services ActiveX Client DLL, mstscax.dll, a potential indicator of lateral movement within a network. Adversaries may load this DLL from, or into a process running from, an unexpected path in order to reuse Remote Desktop Protocol (RDP) client functionality for moving between systems. The rule uses Elastic's Event Query Language (EQL) to search endpoint and Windows event logs for image-load events in which mstscax.dll is loaded outside its normal directories, and it excludes known legitimate instances to reduce false positives; that exclusion list should be tuned per environment, since tools that embed the RDP ActiveX control also load this DLL. Key investigation steps are establishing the context of the load (what was executed, and from where), identifying the process and user involved, and correlating the event with network activity such as outbound connections on TCP 3389. The rule applies to Windows hosts and should be deployed on an Elastic Stack version that supports the rule's EQL syntax.
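The following Python script is added here as an illustration and is not Elastic's rule or its EQL. It re-implements the detection logic described above over constructed image-load events: a load of mstscax.dll is flagged when the DLL comes from a directory other than its expected ones, or when the loading process runs from a path where an RDP client is not expected, and an allowlist of legitimate loaders is exempted. The directory lists, the allowlist (the two mstsc.exe locations), the ImageLoad and Finding types and the sample events are all assumptions made for the example.

```python
"""Added example: a toy re-implementation of the mstscax.dll detection logic.
Not Elastic's EQL rule; directory lists, allowlist and sample events are
assumptions for illustration only."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

TARGET_DLL = "mstscax.dll"

# Where the genuine RDP ActiveX client DLL lives (assumption: default Windows install).
EXPECTED_DLL_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")

# Loaders accepted as legitimate without further checks (assumption: this is the
# "legitimate instances" filter; extend it per environment, e.g. with RDP managers).
ALLOWED_LOADERS = (r"C:\Windows\System32\mstsc.exe", r"C:\Windows\SysWOW64\mstsc.exe")

# Directories an RDP-capable process has no business running from (assumption).
SUSPICIOUS_PROCESS_DIRS = (r"C:\Users\Public", r"C:\ProgramData", r"C:\PerfLogs", r"C:\Windows\Temp")


def _norm(path: str) -> str:
    """Normalise a Windows path: backslashes only, no '.' or '..' parts, lower case."""
    return ntpath.normpath(path).lower()


def _under(path: str, directory: str) -> bool:
    """True if `path` lies inside `directory` at any depth."""
    return _norm(path).startswith(_norm(directory) + "\\")


@dataclass(frozen=True)
class ImageLoad:
    """One image-load (DLL load) event as an EDR or Sysmon would record it (assumed shape)."""
    host: str
    user: str
    process_executable: str
    dll_path: str


@dataclass(frozen=True)
class Finding:
    event: ImageLoad
    reasons: tuple[str, ...]


def evaluate(event: ImageLoad) -> Finding | None:
    """Return a Finding when a load of mstscax.dll looks suspicious, else None."""
    if ntpath.basename(event.dll_path).lower() != TARGET_DLL:
        return None  # some other DLL; not in scope for this rule

    reasons: list[str] = []

    dll_dir = ntpath.dirname(_norm(event.dll_path))
    if dll_dir not in {_norm(d) for d in EXPECTED_DLL_DIRS}:
        # A copy of the DLL outside System32/SysWOW64 suggests sideloading or a dropped tool.
        reasons.append(f"dll loaded from unexpected directory: {dll_dir}")

    exe = _norm(event.process_executable)
    if exe not in {_norm(p) for p in ALLOWED_LOADERS}:
        # The allowlist matches the full path, not just the name: a copied mstsc.exe in a
        # writable directory is exactly the masquerading case this branch catches.
        if any(_under(exe, d) for d in SUSPICIOUS_PROCESS_DIRS):
            reasons.append(f"loader runs from suspicious path: {exe}")

    return Finding(event, tuple(reasons)) if reasons else None


def detect(events: list[ImageLoad]) -> list[Finding]:
    """Run the rule over a batch of events, preserving input order."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


def triage_keys(findings: list[Finding]) -> set[tuple[str, str, str]]:
    """(host, user, process) tuples to pivot on: the first investigation step above."""
    return {(f.event.host, f.event.user, f.event.process_executable) for f in findings}


# Constructed sample telemetry for the example; not real logs.
SAMPLE_EVENTS = [
    ImageLoad("WS01", "CORP\\alice", r"C:\Windows\System32\mstsc.exe", r"C:\Windows\System32\mstscax.dll"),
    ImageLoad("WS01", "CORP\\alice", r"C:\Program Files\RDCMan\RDCMan.exe", r"C:\Windows\System32\mstscax.dll"),
    ImageLoad("WS02", "CORP\\bob", r"C:\ProgramData\update\svc.exe", r"C:\Windows\System32\mstscax.dll"),
    ImageLoad("WS02", "CORP\\bob", r"C:\Users\Public\mstsc.exe", r"C:\Windows\System32\mstscax.dll"),
    ImageLoad("WS03", "CORP\\carol", r"C:\Windows\System32\mstsc.exe", r"C:\Users\carol\AppData\Local\Temp\mstscax.dll"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        e = finding.event
        print(f"{e.host} {e.user} {e.process_executable} | " + "; ".join(finding.reasons))
```

Of the five constructed events only three are reported: the genuine mstsc.exe and the third-party client in Program Files both load the DLL from System32 and stay quiet, while the service binary under ProgramData, the copied mstsc.exe under Users\Public, and the DLL loaded from a user's Temp directory are flagged. The triage_keys() tuples are the host, user and process values to pivot on when pulling command lines, parent processes and network connections for the follow-up steps.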
Categories
- Windows
- Endpoint
- Cloud
- On-Premise
Data Sources
- Process
- Image
- Application Log
- Network Traffic
ATT&CK Techniques
- T1021
- T1021.001
Created: 2020-11-19