
Windows Process Execution From RDP Share

Splunk Security Content

Summary
This detection rule identifies unauthorized process executions originating from Remote Desktop Protocol (RDP) shares on Windows endpoints. RDP shares enable file transfers between a user's local machine and an active remote desktop session, but threat actors can also misuse them to execute malicious processes or transfer harmful files. The rule flags processes whose executable path points to an RDP share, in particular paths beginning with 'tsclient'. The intent is to surface potential unauthorized access or malicious activity so that security teams investigate process executions appearing from RDP shares, especially on systems not intended to use them or where the surrounding process activity is otherwise suspicious. Implementation requires process-activity logs to be ingested from Endpoint Detection and Response (EDR) agents, which provides the endpoint visibility needed to monitor for misuse of RDP shares.
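The following is an added worked example of the detection logic described above, written in Python rather than Splunk's own search language; it is not the Splunk Security Content rule itself. The sample EDR process events and their field names (dest, user, process_name, process_path, parent_process_name) are constructed for illustration. It matches the share name at the start of a UNC path, including the extended-length \\?\UNC\ form, rather than searching for the substring "tsclient" anywhere, so a locally installed binary that merely has "tsclient" in its name is not flagged.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample EDR process-creation events (not real telemetry).
# Field names are assumptions modelled on a generic process record.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"dest": "WS01", "user": "CORP\\alice", "process_name": "excel.exe",
     "process_path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "parent_process_name": "explorer.exe"},
    {"dest": "WS01", "user": "CORP\\alice", "process_name": "setup.exe",
     "process_path": "\\\\tsclient\\C\\Users\\alice\\Downloads\\setup.exe",
     "parent_process_name": "explorer.exe"},
    {"dest": "SRV02", "user": "CORP\\svc_rdp", "process_name": "tool.exe",
     "process_path": "\\\\TSCLIENT\\D\\tools\\tool.exe",
     "parent_process_name": "cmd.exe"},
    {"dest": "SRV02", "user": "CORP\\bob", "process_name": "notepad.exe",
     "process_path": "C:\\Windows\\System32\\notepad.exe",
     "parent_process_name": "explorer.exe"},
    {"dest": "WS03", "user": "CORP\\carol", "process_name": "script.exe",
     "process_path": "\\\\?\\UNC\\tsclient\\C\\temp\\script.exe",
     "parent_process_name": "powershell.exe"},
    # Local binary whose name happens to contain "tsclient": must NOT be flagged.
    {"dest": "WS03", "user": "CORP\\carol", "process_name": "tsclient_viewer.exe",
     "process_path": "C:\\Tools\\tsclient_viewer.exe",
     "parent_process_name": "explorer.exe"},
]

# A UNC path whose server component is "tsclient", in either the plain
# \\tsclient\... form or the extended-length \\?\UNC\tsclient\... form.
# Forward slashes are accepted because some log pipelines normalise them.
_TSCLIENT_RE = re.compile(
    r"^(?:[\\/]{2}(?:\?[\\/]UNC[\\/])?)tsclient(?:[\\/]|$)",
    re.IGNORECASE,
)


def is_rdp_share_path(path: str) -> bool:
    """Return True when the executable path resolves to an RDP (tsclient) share."""
    return bool(_TSCLIENT_RE.match(path.strip()))


def find_rdp_share_executions(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter process events down to those launched from an RDP share."""
    return [e for e in events if is_rdp_share_path(e.get("process_path", ""))]


def summarise_by_host(hits: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged executions per endpoint, which is what an analyst triages first."""
    counts: Dict[str, int] = {}
    for e in hits:
        counts[e["dest"]] = counts.get(e["dest"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_rdp_share_executions(SAMPLE_EVENTS):
        print(f"{hit['dest']:6} {hit['user']:14} {hit['parent_process_name']:>15} -> "
              f"{hit['process_name']}  [{hit['process_path']}]")
    print(summarise_by_host(find_rdp_share_executions(SAMPLE_EVENTS)))
```

Running the block prints the three events launched from a tsclient share and a per-host count; the local tsclient_viewer.exe and the standard Office and System32 binaries are left alone. In a real pipeline the same anchored match would be applied to the EDR process path field, with per-host tuning for endpoints where RDP drive redirection is expected.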
Categories
  • Endpoint
  • Windows
Data Sources
  • Pod
  • User Account
  • File
  • Process
  • Network Share
ATT&CK Techniques
  • T1021.001
  • T1105
  • T1059
Created: 2025-10-21