Outbound RDP Connections Over Non-Standard Tools

Sigma Rules

Summary
This detection rule identifies outbound Remote Desktop Protocol (RDP) connections to port 3389 that are initiated by processes other than known RDP clients, a pattern that can indicate lateral movement within a network. Because many legitimate third-party RDP clients exist, the rule requires an initial baselining period in which the tools actually used in the environment are identified and added to its filters; without that step it will generate false positives. The detection logic matches network connection events where the connection was initiated by the local host (that is, outbound rather than inbound) and the destination port is 3389. A set of filters then excludes well-known trusted clients, including Microsoft's Remote Desktop Connection (mstsc.exe) and popular third-party clients such as mRemoteNG and Remote Desktop Manager, among others. An alert is raised when the connecting process is not one of the explicitly allowed tools, and such a connection warrants further investigation. Careful tuning based on an understanding of the environment is essential: an unlisted RDP client is as likely to be an administrator's unapproved tool as an attacker's, and the rule only covers connections to the default port 3389, so RDP services listening on other ports are not in scope.
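The following Python script is an added example that emulates the rule's detection logic over constructed network-connection events; it is not the rule's own code nor anything from the Sigma project. The executable names in the allowlist, the assumption that the filter matches on the process image path with a case-insensitive "ends with" comparison, and the sample events are all assumptions made for illustration; the real rule's filter list is longer and should be taken from the rule itself.

```python
from dataclasses import dataclass

# Executable names the page describes as allowlisted RDP clients. The file
# names and the path-suffix matching are assumptions for this example; the
# actual rule's filter list is longer than this illustrative subset.
ALLOWED_IMAGE_SUFFIXES = (
    "\\mstsc.exe",
    "\\mremoteng.exe",
    "\\remotedesktopmanager.exe",
    "\\remotedesktopmanager64.exe",
)

RDP_PORT = 3389


@dataclass
class NetworkConnectionEvent:
    """Minimal stand-in for a Windows network-connection telemetry record
    (for example a Sysmon Event ID 3 record): the originating process image,
    whether the local host initiated the connection, and the destination port."""
    image: str
    initiated: bool
    destination_port: int
    destination_ip: str = "10.0.0.1"  # constructed placeholder


def is_allowed_client(image: str) -> bool:
    """Case-insensitive 'endswith' match on the image path, the way a Sigma
    filter with the |endswith modifier would be evaluated (assumed here)."""
    image = image.lower()
    return any(image.endswith(suffix) for suffix in ALLOWED_IMAGE_SUFFIXES)


def matches_rule(event: NetworkConnectionEvent) -> bool:
    """Selection: an initiated (outbound) connection to tcp/3389.
    Filter: the connecting process is a known RDP client.
    The event alerts when the selection holds and the filter does not."""
    if not event.initiated or event.destination_port != RDP_PORT:
        return False
    return not is_allowed_client(event.image)


def find_alerts(events):
    """Return the events that would raise an alert, in input order."""
    return [e for e in events if matches_rule(e)]


def baseline_candidates(events):
    """Tuning helper for the baselining period the rule calls for: the distinct
    image paths that would alert, for an analyst to review and, where they turn
    out to be legitimate clients, add to the allowlist."""
    return sorted({e.image for e in find_alerts(events)}, key=str.lower)


# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    NetworkConnectionEvent(r"C:\Windows\System32\mstsc.exe", True, 3389),
    NetworkConnectionEvent(r"C:\Program Files (x86)\mRemoteNG\mRemoteNG.exe", True, 3389),
    # Inbound RDP to this host: the selection requires an initiated connection.
    NetworkConnectionEvent(r"C:\Windows\System32\svchost.exe", False, 3389),
    # mstsc.exe talking to 443 is outside the rule's scope (port 3389 only).
    NetworkConnectionEvent(r"C:\Windows\System32\mstsc.exe", True, 443),
    # Unknown binary in a temp directory opening 3389: should alert.
    NetworkConnectionEvent(r"C:\Users\bob\AppData\Local\Temp\rdp.exe", True, 3389),
    # A scripting host opening 3389: should alert.
    NetworkConnectionEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", True, 3389),
    # Repeat of the temp-directory binary; the baseline list de-duplicates it.
    NetworkConnectionEvent(r"C:\Users\bob\AppData\Local\Temp\rdp.exe", True, 3389),
]


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT outbound RDP from non-standard tool: {alert.image}")
    print("Baseline review list:", baseline_candidates(SAMPLE_EVENTS))
```

Two caveats follow directly from this logic. Because the filter keys on the process image path, a binary renamed or dropped as `mstsc.exe` passes the allowlist, so where the telemetry carries a signer or file hash, tuning should pair the name filter with those fields rather than relying on the name alone. And because the selection is pinned to port 3389, RDP offered on any other port is invisible to the rule and needs separate coverage.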
Categories
  • Network
  • Endpoint
  • Windows
Data Sources
  • Network Traffic
Created: 2019-05-15