
Summary
This detection rule identifies potentially malicious Remote Desktop Protocol (RDP) connections initiated through Mstsc.exe. It looks for Mstsc.exe spawned as a child of an uncommon parent process, typically a web browser (Chrome, Firefox, Brave, etc.) or another application that does not normally launch RDP sessions. It also checks whether Mstsc.exe is being launched with a local '.rdp' file stored in a suspicious location. Because RDP sessions started from such parents are rare in normal use, the rule aims to surface lateral movement or unauthorized access attempts and to improve visibility into rogue RDP sessions that an attacker may establish after gaining an initial foothold in the network.
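The two conditions described above, run over a few constructed process-creation events, as an added example that is not part of the original rule. Chrome, Firefox and Brave are the parents named on the page; the other parent names, the list of suspicious '.rdp' directories and the sample events are assumptions made here for illustration.

```python
import re
from dataclasses import dataclass

# Parent images the rule treats as uncommon launchers of mstsc.exe.
# chrome/firefox/brave come from the rule summary; the rest are assumed
# additions for other browsers and a mail client.
UNCOMMON_PARENTS = {
    "chrome.exe", "firefox.exe", "brave.exe",
    "msedge.exe", "opera.exe", "iexplore.exe", "outlook.exe",
}

# Directory fragments where a local .rdp file is considered suspicious
# (assumed; the rule summary does not enumerate the locations).
SUSPICIOUS_RDP_DIRS = (
    "\\downloads\\",
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\content.outlook\\",
    "\\inetcache\\",
)

# Quoted path ending in .rdp, or an unquoted token ending in .rdp.
RDP_FILE_RE = re.compile(r'"([^"]*\.rdp)"|(\S+\.rdp)\b', re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation event (Sysmon Event ID 1 style fields)."""
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rdp_file_path(command_line: str):
    """Return the normalised .rdp path from a command line, or None."""
    m = RDP_FILE_RE.search(command_line)
    if not m:
        return None
    return (m.group(1) or m.group(2)).replace("/", "\\").lower()


def match_reasons(ev: ProcessEvent) -> list:
    """Return the reasons an event matches the rule (empty list = no match)."""
    if basename(ev.image) != "mstsc.exe":
        return []
    reasons = []
    parent = basename(ev.parent_image)
    if parent in UNCOMMON_PARENTS:
        reasons.append(f"uncommon parent: {parent}")
    path = rdp_file_path(ev.command_line)
    if path and any(d in path for d in SUSPICIOUS_RDP_DIRS):
        reasons.append(f"rdp file in suspicious location: {path}")
    return reasons


def run_rule(events) -> list:
    """Return (index, reasons) for every event that matches."""
    hits = []
    for i, ev in enumerate(events):
        reasons = match_reasons(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\mstsc.exe", r"C:\Windows\explorer.exe",
                 r'"C:\Windows\System32\mstsc.exe" /v:fileserver01'),
    ProcessEvent(r"C:\Windows\System32\mstsc.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r'"C:\Windows\System32\mstsc.exe" "C:\Users\alice\Downloads\remote.rdp"'),
    ProcessEvent(r"C:\Windows\System32\mstsc.exe", r"C:\Windows\explorer.exe",
                 r'"C:\Windows\System32\mstsc.exe" C:\Users\alice\AppData\Local\Temp\invoice.rdp'),
    ProcessEvent(r"C:\Windows\System32\mstsc.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r'"C:\Windows\System32\mstsc.exe" "C:\Users\bob\Documents\ops\dc01.rdp"'),
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r'"C:\Windows\System32\notepad.exe" C:\Users\alice\Downloads\notes.txt'),
]

if __name__ == "__main__":
    for idx, reasons in run_rule(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

The first sample (Explorer launching mstsc.exe with a host name) is the benign baseline and does not match; the browser-spawned session with a '.rdp' file in Downloads trips both conditions. Note that matching on the image file name alone, as here, is evaded by a renamed copy of the client; a production rule would also compare the OriginalFileName field that Sysmon records for process creation.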
Categories
- Windows
- Network
- Cloud
- Endpoint
Data Sources
- Process
- Application Log
Created: 2023-04-18