
Windows RDP Server Registry Deletion

Splunk Security Content

Summary
The 'Windows RDP Server Registry Deletion' detection rule identifies potentially malicious deletion of registry keys under HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\. Windows keeps one subkey per host that the user has connected to over the Remote Desktop Protocol (RDP), so removing these keys erases the record of where that account has been; an attacker may do this to hide remote access after lateral movement. The rule uses registry telemetry from Sysmon Event ID 12 (registry object create and delete) and Event ID 13 (value set) and alerts on delete operations against this path, correlating them with the process that performed the deletion and with other RDP-related or suspicious activity as an indicator of defense evasion. Note that Sysmon records the current user's hive as HKU\<SID>\... rather than HKEY_CURRENT_USER\..., so the search must account for both forms. Legitimate users rarely delete these keys by hand, which makes a deletion a useful anomaly signal for RDP sessions.
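The detection logic described above, reimplemented in Python over constructed Sysmon registry events so it can be run and tuned offline. This is an added example, not Splunk's own search: the event records, SIDs, hostnames and user names are made up, the field names follow Sysmon's RegistryEvent schema, and the HKU\<SID> to HKEY_CURRENT_USER mapping is the normalization step a real search needs because Sysmon logs the user hive by SID.

```python
import re
from collections import Counter

# Path the rule watches. Each subkey under Servers\ is one host the user has
# connected to with mstsc; deleting it removes that connection record.
RDP_SERVERS_PATH = "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\\"

# Sysmon writes the loaded user hive as HKU\S-1-5-21-...\ (the _Classes hive has
# an underscore suffix and is deliberately not matched by this pattern).
_HKU_USER_SID = re.compile(r"^HKU\\S-1-5-21-[0-9-]+\\", re.IGNORECASE)

# Constructed Sysmon events (not real telemetry). Only the reg.exe DeleteKey
# under Servers\ should be flagged; the MRU value lives in the sibling Default
# key and the Office key is unrelated.
SAMPLE_EVENTS = [
    {"EventID": 12, "EventType": "CreateKey",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Terminal Server Client\\Servers\\FILESRV01",
     "Image": "C:\\Windows\\System32\\mstsc.exe", "User": "CORP\\alice"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Terminal Server Client\\Servers\\FILESRV01\\UsernameHint",
     "Image": "C:\\Windows\\System32\\mstsc.exe", "User": "CORP\\alice"},
    {"EventID": 12, "EventType": "DeleteKey",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Terminal Server Client\\Servers\\FILESRV01",
     "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\alice"},
    {"EventID": 12, "EventType": "DeleteValue",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Terminal Server Client\\Default\\MRU0",
     "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\alice"},
    {"EventID": 12, "EventType": "DeleteKey",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\16.0\\Word\\Options",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "User": "CORP\\alice"},
]


def normalize_hive(target_object: str) -> str:
    """Rewrite Sysmon's HKU\\<user SID>\\... prefix as HKEY_CURRENT_USER\\...

    Without this step a rule written against the HKCU path never matches
    Sysmon telemetry, because Sysmon names the hive by SID.
    """
    return _HKU_USER_SID.sub(lambda m: "HKEY_CURRENT_USER\\", target_object, count=1)


def is_rdp_history_deletion(event: dict) -> bool:
    """True for Sysmon Event ID 12 delete operations under the Servers\\ path.

    Event ID 12 carries object create and delete; Event ID 13 (SetValue) is a
    write, not a deletion, so it is not treated as a match here.
    """
    if event.get("EventID") != 12:
        return False
    if event.get("EventType") not in ("DeleteKey", "DeleteValue"):
        return False
    path = normalize_hive(event.get("TargetObject", ""))
    return path.lower().startswith(RDP_SERVERS_PATH.lower())


def detect(events: list) -> list:
    """Return one finding per matching event, with the process and the host
    whose connection record was removed, for correlation with process data."""
    findings = []
    for ev in events:
        if not is_rdp_history_deletion(ev):
            continue
        path = normalize_hive(ev["TargetObject"])
        server = path[len(RDP_SERVERS_PATH):].split("\\")[0]
        findings.append({"user": ev.get("User"), "image": ev.get("Image"),
                         "target": path, "server": server})
    return findings


def deleting_processes(findings: list) -> Counter:
    """Count findings per process image; useful for deciding which images
    (for example a managed cleanup script) to allowlist during tuning."""
    return Counter(f["image"].lower() for f in findings)


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['user']} removed RDP history for {f['server']} via {f['image']}")
```

When porting this back into a search, match the registry path on both spellings (HKEY_CURRENT_USER\... and HKU\S-1-5-21-*\...) and restrict to the delete action; alerting on Event ID 13 alone would fire on every normal mstsc connection, since mstsc writes UsernameHint under the same key.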
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1070.004
Created: 2025-07-30