Hijack Legit RDP Session to Move Laterally

Summary
This detection rule identifies attempts to hijack a legitimate RDP (Remote Desktop Protocol) session by monitoring for file writes into the Startup folder of the RDP source machine, that is, the machine running the RDP client. Specifically, it matches file-creation events in which the Microsoft Terminal Services Client (mstsc.exe) is the writing process and the target path lies under the Windows Start Menu Startup folder (\Microsoft\Windows\Start Menu\Programs\Startup\). mstsc.exe has no legitimate reason to create files there; such a write is what the source machine records when the remote end of the session pushes a file back through the redirected client drive (the tsclient share). Anything placed in that folder runs the next time the user logs on, so an attacker who controls the RDP destination can plant a backdoor on the connecting machine and move laterally against the direction of the session while keeping persistence. The rule is rated high severity because of this lateral-movement and persistence potential, and it is most relevant in environments where RDP with drive redirection is heavily used for remote access.
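The matching logic described above, run over a handful of constructed Sysmon Event ID 11 (FileCreate) records, as an added example. This is illustrative code written for this page, not the rule's own source or any vendor's implementation; the field names, timestamps, hostnames and file names are made up.

```python
"""Added example: the mstsc.exe -> Startup folder check behind this rule,
run over constructed Sysmon Event ID 11 (FileCreate) records.  Illustrative
code for this page, not the rule's own logic."""
from dataclasses import dataclass
from typing import Iterable, List

# Sigma string modifiers (endswith, contains) match case-insensitively on
# Windows log fields, so every comparison below lower-cases both sides.
IMAGE_SUFFIX = "\\mstsc.exe"
STARTUP_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"


@dataclass(frozen=True)
class FileCreateEvent:
    """The subset of Sysmon Event ID 11 fields the check needs."""
    utc_time: str
    image: str            # process that created the file
    target_filename: str  # path of the created file


def is_rdp_startup_write(ev: FileCreateEvent) -> bool:
    r"""True when mstsc.exe creates a file under a Windows Startup folder.

    The fragment deliberately omits the drive and user prefix so that it
    covers both the per-user folder
      C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    and the all-users folder
      C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    """
    image = ev.image.lower()
    target = ev.target_filename.lower()
    return image.endswith(IMAGE_SUFFIX) and STARTUP_FRAGMENT in target


def find_alerts(events: Iterable[FileCreateEvent]) -> List[FileCreateEvent]:
    """Return the events that should raise this rule, in input order."""
    return [ev for ev in events if is_rdp_startup_write(ev)]


# Constructed sample telemetry (not real logs; names are invented).
SAMPLE_EVENTS = [
    # Backdoor dropped into the connecting user's Startup folder through the
    # redirected drive: mstsc.exe is the writing process on the source host.
    FileCreateEvent("2019-02-21 09:14:02.113",
                    r"C:\Windows\System32\mstsc.exe",
                    r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"),
    # Same technique against the all-users Startup folder, mixed case.
    FileCreateEvent("2019-02-21 09:14:05.870",
                    r"C:\WINDOWS\SYSTEM32\MSTSC.EXE",
                    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\helper.lnk"),
    # mstsc.exe writing somewhere else (e.g. a saved .rdp file): not a hit.
    FileCreateEvent("2019-02-21 09:15:11.004",
                    r"C:\Windows\System32\mstsc.exe",
                    r"C:\Users\jdoe\Documents\fileserver01.rdp"),
    # A user creating a Startup shortcut through Explorer: wrong process.
    FileCreateEvent("2019-02-21 09:20:40.551",
                    r"C:\Windows\explorer.exe",
                    r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk"),
    # A path that merely mentions "startup" but is not the Startup folder.
    FileCreateEvent("2019-02-21 09:22:03.290",
                    r"C:\Windows\System32\mstsc.exe",
                    r"C:\Users\jdoe\Downloads\startup_notes.txt"),
]

if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_EVENTS):
        print(f"{ev.utc_time}  {ev.image} -> {ev.target_filename}")
```

Only the first two records fire: the process suffix and the Startup path fragment must both match, and Explorer writing a shortcut into Startup or mstsc.exe saving a connection file elsewhere stays quiet. Note the check is deliberately narrow: a remote end that writes through the redirected drive to some other autostart location on the client would not be caught by this rule and needs its own detection.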
Categories
  • Endpoint
  • Windows
  • Network
Data Sources
  • File
  • Process
Created: 2019-02-21