Detection rules › Splunk
Windows Default Rdp File Deletion
This detection identifies the deletion of the Default.rdp file from a user’s Documents folder. This file is automatically created or updated by the Remote Desktop Connection client (mstsc.exe) whenever a user initiates an RDP session. It contains session configuration data, such as the remote hostname and display settings. While the presence of this file is normal during legitimate RDP usage, its deletion may indicate an attempt to conceal evidence of remote access activity. Threat actors and red team operators often remove Default.rdp as part of post-access cleanup to evade forensic detection. Detecting this action—especially when correlated with recent RDP activity—can help identify defense evasion techniques and uncover potentially malicious use of remote desktop connections. Monitoring for this file's deletion adds an important layer of visibility into user behavior and can serve as an early indicator of interactive attacker presence.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1070.004 Indicator Removal: File Deletion |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 23 | FileDelete (File Delete archived) |
| Sysmon | 26 | FileDeleteDetected (File Delete logged) |
Stages and Predicates
Stage 1: search
search EventCode IN ("23", "26") TargetFilename="*\\default.rdp"
Stage 2: stats
stats BY action, dest, dvc, file_path, file_hash, file_name, file_modify_time, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user, user_id, vendor_product
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | in |
|
TargetFilename | eq |
|
Neighbors
Often fire together
Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.
Share event IDs (chain-detection candidates)
Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.