
Summary
This detection rule monitors the creation and modification of the Default.rdp file in a user's Documents folder, a file normally written by the Remote Desktop Connection client ('mstsc.exe'). It stores the user's connection settings and history for RDP sessions, so its appearance or update indicates that an RDP session was initiated from that host. Because Default.rdp files are frequently overlooked, tracking changes to them can help identify unauthorized remote access or lateral movement within a network. The detection is implemented by monitoring Sysmon Event ID 11 (FileCreate) for writes to this path.
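The matching logic described above, as an added example that is not the rule's own implementation: a small Python matcher applied to constructed records shaped like the key Sysmon Event ID 11 fields (EventID, Image, TargetFilename). The field names are Sysmon's; the sample paths, user names and the `Hit` type are assumptions made for the example.

```python
"""Toy matcher for the Default.rdp detection described above.

Added example, not the rule's own implementation. The events below are
constructed to look like the fields Sysmon Event ID 11 (FileCreate) emits;
real telemetry would come from the Sysmon operational log or a SIEM.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample events (not real telemetry); only the fields the rule needs.
SAMPLE_EVENTS = [
    # Expected hit: mstsc.exe writes the history file in the user's Documents folder.
    {"EventID": 11, "Image": r"C:\Windows\System32\mstsc.exe",
     "TargetFilename": r"C:\Users\alice\Documents\Default.rdp"},
    # Not a hit: a saved connection file with a different name.
    {"EventID": 11, "Image": r"C:\Windows\System32\mstsc.exe",
     "TargetFilename": r"C:\Users\alice\Documents\ws01.rdp"},
    # Path hit, but the writer is not mstsc.exe; flagged for review rather than dropped.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Documents\Default.rdp"},
    # Not a hit: wrong event type (Event ID 1 is ProcessCreate).
    {"EventID": 1, "Image": r"C:\Windows\System32\mstsc.exe",
     "TargetFilename": ""},
    # Hit: folder redirection moves Documents under OneDrive, and NTFS names are case-insensitive.
    {"EventID": 11, "Image": r"C:\Windows\System32\mstsc.exe",
     "TargetFilename": r"C:\Users\carol\OneDrive\Documents\default.RDP"},
]

# Match on the path suffix rather than a fixed prefix so redirected profiles still match.
DEFAULT_RDP = re.compile(r"\\Documents\\Default\.rdp$", re.IGNORECASE)
MSTSC = re.compile(r"\\mstsc\.exe$", re.IGNORECASE)
USER_DIR = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)


@dataclass
class Hit:
    user: Optional[str]   # profile name parsed from the path, if any
    target: str           # TargetFilename from the event
    image: str            # process that wrote the file
    from_mstsc: bool      # True when the writer is mstsc.exe, as the rule expects


def user_from_path(path: str) -> Optional[str]:
    """Return the profile name from C:\\Users\\<name>\\..., else None."""
    m = USER_DIR.match(path)
    return m.group(1) if m else None


def evaluate(events: Iterable[dict]) -> List[Hit]:
    """Apply the rule: Sysmon Event ID 11 whose TargetFilename ends in \\Documents\\Default.rdp."""
    hits: List[Hit] = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        target = ev.get("TargetFilename", "")
        if not DEFAULT_RDP.search(target):
            continue
        image = ev.get("Image", "")
        hits.append(Hit(user=user_from_path(target), target=target, image=image,
                        from_mstsc=bool(MSTSC.search(image))))
    return hits


if __name__ == "__main__":
    for h in evaluate(SAMPLE_EVENTS):
        tag = "mstsc" if h.from_mstsc else "OTHER WRITER"
        print(f"[{tag}] user={h.user} image={h.image} file={h.target}")
```

The matcher keys on the path suffix so that profiles redirected to OneDrive or a network share still match, and it records the writing process instead of filtering on it: a Default.rdp written by something other than mstsc.exe is unusual and deserves a look, while a hit from mstsc.exe on a host whose user never runs RDP is the lateral-movement signal the rule is after. Expect hits from legitimate administrator workstations too, so enrich with user and host context before raising an alert.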
Categories
- Endpoint
- Windows
Data Sources
- File
- Process
ATT&CK Techniques
- T1021.001
Created: 2025-07-30