RDP Hijacking

Anvilogic Forge

Summary
The RDP Hijacking detection rule identifies unauthorized access and potential lateral movement within an environment through the hijacking of Remote Desktop Protocol (RDP) sessions. RDP is commonly used for remote access to Windows systems; however, adversaries may hijack legitimate remote sessions to gain unauthorized access and escalate privileges. The rule uses the Windows event codes related to RDP sessions (EventCode 4778 and 4779) alongside process monitoring for known RDP-related processes (e.g., rdpclip.exe and tstheme.exe). The detection logic queries event logs for RDP session reconnections or for process creation associated with RDP and aggregates the results by user and host. If multiple users are detected in a session within a 5-minute window, this indicates a possible hijacking attempt. In addition, the rule incorporates a geographical lookup of source IP addresses to provide context about the origin of the session. The intended audience is security analysts focused on detecting and responding to lateral movement threats associated with RDP hijacking incidents.
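The following Python sketch is an added illustration of the detection logic described above; it is not Anvilogic's own rule and does not reproduce their query language. It filters a batch of constructed Windows events down to the RDP session events (4778/4779) and process creations of rdpclip.exe or tstheme.exe, groups them per host, and raises a finding whenever more than one distinct user appears on the same host inside a 5-minute window. The sample events, the field names, and the GEO_LOOKUP table (a stand-in for a real GeoIP feed) are all constructed for the example.

```python
"""Sketch of the RDP Hijacking detection: RDP session events (4778/4779)
and RDP-related process creations are grouped per host, and any 5-minute
window with more than one user on a host is flagged.  All sample data
and the geo table below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_EVENT_CODES = {4778, 4779}                 # RDP session reconnect / disconnect
RDP_PROCESSES = {"rdpclip.exe", "tstheme.exe"}  # RDP helper processes named by the rule
PROCESS_CREATE = 4688                          # Windows process creation event
WINDOW = timedelta(minutes=5)

# Hypothetical geo lookup keyed by the first three octets (stand-in for GeoIP).
GEO_LOOKUP = {"203.0.113": "Country-A", "198.51.100": "Country-B"}


def geo(ip):
    """Return a geo label for a source IP, 'n/a' when the event has none."""
    if not ip:
        return "n/a"
    return GEO_LOOKUP.get(ip.rsplit(".", 1)[0], "unknown")


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample telemetry with normalised fields (not real logs).
SAMPLE_EVENTS = [
    {"time": ts("2024-02-09 10:00:00"), "host": "WS01", "code": 4778, "user": "alice",
     "session": "RDP-Tcp#1", "src_ip": "203.0.113.10", "process": None},
    {"time": ts("2024-02-09 10:02:30"), "host": "WS01", "code": 4778, "user": "bob",
     "session": "RDP-Tcp#1", "src_ip": "198.51.100.7", "process": None},
    {"time": ts("2024-02-09 10:03:00"), "host": "WS01", "code": 4688, "user": "bob",
     "session": None, "src_ip": None, "process": r"C:\Windows\System32\tstheme.exe"},
    {"time": ts("2024-02-09 10:00:00"), "host": "WS02", "code": 4778, "user": "alice",
     "session": "RDP-Tcp#3", "src_ip": "203.0.113.10", "process": None},
    {"time": ts("2024-02-09 10:20:00"), "host": "WS02", "code": 4779, "user": "alice",
     "session": "RDP-Tcp#3", "src_ip": "203.0.113.10", "process": None},
    {"time": ts("2024-02-09 11:00:00"), "host": "WS03", "code": 4778, "user": "carol",
     "session": "RDP-Tcp#2", "src_ip": "198.51.100.7", "process": None},
    {"time": ts("2024-02-09 11:30:00"), "host": "WS03", "code": 4688, "user": "dave",
     "session": None, "src_ip": None, "process": r"C:\Windows\System32\rdpclip.exe"},
    {"time": ts("2024-02-09 10:01:00"), "host": "WS04", "code": 4688, "user": "erin",
     "session": None, "src_ip": None, "process": r"C:\Windows\System32\notepad.exe"},
]


def is_rdp_event(ev):
    """Select what the rule queries: an RDP session event, or creation of a
    known RDP helper process."""
    if ev["code"] in RDP_EVENT_CODES:
        return True
    if ev["code"] == PROCESS_CREATE and ev["process"]:
        return ev["process"].rsplit("\\", 1)[-1].lower() in RDP_PROCESSES
    return False


def detect_rdp_hijack(events, window=WINDOW):
    """Return one finding per host and user set where more than one distinct
    user appears in RDP-related events within `window`.  Each finding keeps
    the users, sessions and (source IP, geo) pairs involved for triage."""
    by_host = defaultdict(list)
    for ev in filter(is_rdp_event, events):
        by_host[ev["host"]].append(ev)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        reported = set()  # user sets already reported for this host
        for i, start in enumerate(evs):
            bucket = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            users = frozenset(e["user"] for e in bucket)
            if len(users) > 1 and users not in reported:
                reported.add(users)
                findings.append({
                    "host": host,
                    "window_start": start["time"],
                    "users": sorted(users),
                    "sessions": sorted({e["session"] for e in bucket if e["session"]}),
                    "sources": sorted({(e["src_ip"], geo(e["src_ip"])) for e in bucket if e["src_ip"]}),
                })
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_hijack(SAMPLE_EVENTS):
        print(finding)
```

On the sample data only WS01 is flagged: alice reconnects a session, then bob reconnects the same session name from a different source address and spawns tstheme.exe within three minutes. WS02 shows one user reconnecting and disconnecting, and WS03 shows two users but 30 minutes apart, so neither trips the 5-minute threshold. A production rule would additionally key on the session identifier and would treat the geo label as context for the analyst rather than as a condition.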
Categories
  • Windows
  • Network
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1133
  • T1563.002
Created: 2024-02-09