Windows RDP Server Registry Entry Created

Splunk Security Content

Summary
This detection rule identifies the creation of registry entries that record Remote Desktop Protocol (RDP) connections on Windows systems. Specifically, it monitors the registry path HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\, where a subkey is created each time a user connects to a remote host with the native Windows RDP client (mstsc.exe). These entries hold information about past RDP sessions such as the destination hostname, the username used, and connection settings. The behavior is normal in legitimate use, but each new key is evidence of an outbound RDP connection, and outbound RDP is a common vehicle for lateral movement or command-and-control activity in a compromised environment. Tracking the addition of these keys is therefore useful for detecting unauthorized RDP usage, especially when combined with anomaly detection on user behavior and network activity (for example, a user whose account suddenly records connections to many hosts it has never reached before).
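The following is an added example of the detection logic described above, written for this page and not taken from Splunk Security Content. It runs over constructed registry events in the shape Sysmon produces (EventCode 12 for key creation, 13 for value set, with TargetObject, Image and User fields), matches the Terminal Server Client\Servers\<destination> key family regardless of whether the sensor names the hive HKCU or HKU\<SID>, notes when the writing process is not mstsc.exe, and summarises distinct destinations per user so a sudden fan-out stands out. The SID, hostnames, users and timestamps are constructed sample data.

```python
"""Added example: flag registry writes that record outbound RDP destinations.

Matches the key family the detection summary describes
(HKCU\\Software\\Microsoft\\Terminal Server Client\\Servers\\<destination>)
in Sysmon-style registry events and summarises destinations per user.
The event records and field values below are constructed for this example.
"""
import re
from collections import defaultdict

# The user-hive key where mstsc.exe records each destination it has connected to.
# Sensors name the hive differently: HKCU / HKEY_CURRENT_USER, or HKU\<SID> (Sysmon).
RDP_SERVERS_RE = re.compile(
    r"^(?:HKCU|HKEY_CURRENT_USER|(?:HKU|HKEY_USERS)\\[^\\]+)"
    r"\\Software\\Microsoft\\Terminal Server Client\\Servers"
    r"\\(?P<dest>[^\\]+)(?:\\(?P<rest>.*))?$",
    re.IGNORECASE,
)

# The native client that legitimately writes these keys.
EXPECTED_WRITER = "mstsc.exe"


def parse_rdp_server_entry(registry_path):
    """Return (destination_host, remaining_subpath) when the path lies under
    Terminal Server Client\\Servers, else None."""
    m = RDP_SERVERS_RE.match(registry_path.strip())
    if not m:
        return None
    return m.group("dest"), m.group("rest")


def detect_rdp_server_entries(events):
    """Walk registry create/set events (Sysmon EventCode 12/13 style dicts)
    and return one finding per write under the RDP Servers key."""
    findings = []
    for ev in events:
        if ev.get("EventCode") not in (12, 13):
            continue
        parsed = parse_rdp_server_entry(ev.get("TargetObject", ""))
        if parsed is None:
            continue
        dest, rest = parsed
        writer = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        findings.append({
            "time": ev["UtcTime"],
            "host": ev["Computer"],
            "user": ev["User"],
            "dest_host": dest,
            "value_name": rest,  # e.g. UsernameHint; None when the key itself was created
            "writer": writer,
            # A process other than the native client writing here deserves a closer look.
            "unexpected_writer": writer != EXPECTED_WRITER,
        })
    return findings


def destinations_per_user(findings):
    """Distinct RDP destinations each user has recorded, for anomaly review."""
    out = defaultdict(set)
    for f in findings:
        out[f["user"]].add(f["dest_host"].upper())
    return {user: sorted(dests) for user, dests in out.items()}


# Constructed sample events in the shape of Sysmon registry events.
SID = "S-1-5-21-1111111111-2222222222-3333333333"
TSC = r"\Software\Microsoft\Terminal Server Client"


def hive(rid):
    """Sysmon-style user hive prefix for a constructed SID."""
    return "HKU\\" + SID + "-" + str(rid)


SAMPLE_EVENTS = [
    # alice connects to FILESRV01 with mstsc: key created, then UsernameHint value set
    {"EventCode": 12, "UtcTime": "2025-07-30 09:12:01", "Computer": "WS-ALICE", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\mstsc.exe", "TargetObject": hive(1001) + TSC + r"\Servers\FILESRV01"},
    {"EventCode": 13, "UtcTime": "2025-07-30 09:12:01", "Computer": "WS-ALICE", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\mstsc.exe", "Details": r"CORP\alice",
     "TargetObject": hive(1001) + TSC + r"\Servers\FILESRV01\UsernameHint"},
    # the MRU list lives under the sibling Default key, not under Servers
    {"EventCode": 13, "UtcTime": "2025-07-30 09:12:02", "Computer": "WS-ALICE", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\mstsc.exe", "Details": "FILESRV01",
     "TargetObject": hive(1001) + TSC + r"\Default\MRU0"},
    # unrelated registry activity
    {"EventCode": 12, "UtcTime": "2025-07-30 09:15:40", "Computer": "WS-ALICE", "User": r"CORP\alice",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    # bob records three new destinations late at night, one of them written by reg.exe
    {"EventCode": 12, "UtcTime": "2025-07-30 22:03:10", "Computer": "WS-BOB", "User": r"CORP\bob",
     "Image": r"C:\Windows\System32\mstsc.exe", "TargetObject": hive(1002) + TSC + r"\Servers\DC01"},
    {"EventCode": 12, "UtcTime": "2025-07-30 22:04:55", "Computer": "WS-BOB", "User": r"CORP\bob",
     "Image": r"C:\Windows\System32\mstsc.exe", "TargetObject": hive(1002) + TSC + r"\Servers\SQL02"},
    {"EventCode": 12, "UtcTime": "2025-07-30 22:05:30", "Computer": "WS-BOB", "User": r"CORP\bob",
     "Image": r"C:\Windows\System32\reg.exe", "TargetObject": "HKCU" + TSC + r"\Servers\10.0.5.23"},
]

if __name__ == "__main__":
    hits = detect_rdp_server_entries(SAMPLE_EVENTS)
    for h in hits:
        flag = " [writer is not mstsc.exe]" if h["unexpected_writer"] else ""
        print(f'{h["time"]} {h["host"]} {h["user"]} -> {h["dest_host"]} ({h["value_name"] or "key"}){flag}')
    print(destinations_per_user(hits))
```

The per-user summary is the piece to pair with a baseline: a user who normally records one or two destinations and suddenly records several, or whose Servers key is written by something other than mstsc.exe, is the case the summary above singles out for anomaly review.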
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
ATT&CK Techniques
  • T1021.001
Created: 2025-07-30