Windows Rdp AutomaticDestinations Deletion

Splunk Security Content

Summary
This detection rule identifies unusual deletion of files from the AutomaticDestinations folder, which is part of the Windows Jump List feature. Jump Lists keep a record of recently accessed files and applications, stored under AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations. Each file with a .automaticDestinations-ms extension corresponds to a specific program and contains user activity information that is valuable in forensic investigation. Deletion of these files can be an anti-forensic tactic used by adversaries seeking to erase traces of their activity, especially when it coincides with suspicious logon events or RDP (Remote Desktop Protocol) sessions. Such activity is uncommon in routine user behavior, and detecting it can signal an attempt to cover tracks after data access or lateral movement. Paired with other alerts, it helps analysts understand post-compromise techniques and reconstruct user and attacker activity.
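The logic described above, written as an added example that is not Splunk's own search: it scans constructed file-delete records for Jump List files and checks whether the same host/user had an RDP logon (Windows LogonType 10) shortly before the first deletion. The event field names and the 60-minute window are assumptions for this example.

```python
import re
from datetime import datetime, timedelta

# Jump List storage path; the file name is the per-application AppID.
JUMPLIST_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\"
    r"[^\\]+\.automaticDestinations-ms$",
    re.IGNORECASE,
)

# Constructed sample events (not real telemetry). "file_delete" stands in for a
# Sysmon FileDelete record; "logon" with logon_type 10 for a Security 4624 RDP logon.
SAMPLE_EVENTS = [
    {"time": "2025-07-30T09:58:00", "host": "WS01", "user": "CORP\\jdoe", "event": "logon", "logon_type": 10},
    {"time": "2025-07-30T10:02:10", "host": "WS01", "user": "CORP\\jdoe", "event": "file_delete",
     "path": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\0123456789abcdef.automaticDestinations-ms"},
    {"time": "2025-07-30T10:02:11", "host": "WS01", "user": "CORP\\jdoe", "event": "file_delete",
     "path": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\fedcba9876543210.automaticDestinations-ms"},
    {"time": "2025-07-30T11:00:00", "host": "WS02", "user": "CORP\\asmith", "event": "file_delete",
     "path": r"C:\Users\asmith\Downloads\report.pdf"},
]


def jumplist_deletions(events):
    """Return file-delete events whose path is an AutomaticDestinations Jump List file."""
    return [e for e in events if e["event"] == "file_delete" and JUMPLIST_RE.search(e["path"])]


def correlate_with_rdp(events, window_minutes=60):
    """Group Jump List deletions by (host, user) and flag those preceded by an RDP logon.

    A deletion group is marked rdp_logon=True when a LogonType 10 event for the same
    host/user falls within window_minutes before the first deletion (assumed window).
    """
    findings = {}
    for d in jumplist_deletions(events):
        key = (d["host"], d["user"])
        f = findings.setdefault(key, {"count": 0, "first": d["time"], "rdp_logon": False})
        f["count"] += 1
        f["first"] = min(f["first"], d["time"])
    for key, f in findings.items():
        first = datetime.fromisoformat(f["first"])
        for e in events:
            if e["event"] != "logon" or e.get("logon_type") != 10 or (e["host"], e["user"]) != key:
                continue
            if first - timedelta(minutes=window_minutes) <= datetime.fromisoformat(e["time"]) <= first:
                f["rdp_logon"] = True
    return findings
```

Running `correlate_with_rdp(SAMPLE_EVENTS)` reports two deletions for WS01/jdoe with a preceding RDP logon and nothing for the ordinary Downloads deletion on WS02.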
Categories
  • Endpoint
Data Sources
  • Pod
  • User Account
ATT&CK Techniques
  • T1070.004
Created: 2025-07-30