diff --git a/TTPs/mongodb.py b/TTPs/mongodb.py
deleted file mode 100644
index 79080b8..0000000
--- a/TTPs/mongodb.py
+++ /dev/null
@@ -1,53 +0,0 @@
-from Modules.Imports.protocol_imports import *
-
-def mongodb_submenu(target_ip, open_ports):
- actions = {
- "1": {"description": "Check for Open MongoDB Instances", "function": check_open_instances},
- "2": {"description": "List Databases", "function": list_databases},
- "3": {"description": "Dump Collections", "function": dump_collections},
- "4": {"description": "Check for Authentication Bypass", "function": check_authentication_bypass},
- "5": {"description": "Test for MongoDB RCE Exploit", "function": test_rce_exploit},
- }
- build_submenu("MongoDB Enumeration", target_ip, actions, open_ports)
-
-def check_open_instances(target_ip, open_ports):
- title = "Check for Open MongoDB Instances"
- content = f"nmap -p 27017 --script mongodb-info {target_ip}"
- run_command(title, content, target_ip, open_ports)
-
-def list_databases(target_ip, open_ports):
- title = "List MongoDB Databases"
- content = (
- f"Use `mongo` CLI:\n\n"
- f"1. Connect: mongo {target_ip}:27017\n"
- f"2. Run: show dbs"
- )
- run_command(title, content, target_ip, open_ports)
-
-def dump_collections(target_ip, open_ports):
- title = "Dump Collections from MongoDB"
- content = (
- f"Use `mongoexport`:\n\n"
- f"mongoexport --host {target_ip} --db --collection --out "
- )
- run_command(title, content, target_ip, open_ports)
-
-def check_authentication_bypass(target_ip, open_ports):
- title = "Check for Authentication Bypass"
- content = (
- f"Attempt to access the database without credentials:\n\n"
- f"mongo {target_ip}:27017 --eval \"db.stats()\""
- )
- run_command(title, content, target_ip, open_ports)
-
-def test_rce_exploit(target_ip, open_ports):
- title = "Test for MongoDB RCE Exploit"
- content = (
- f"Use Metasploit or other tools to test RCE vulnerabilities:\n\n"
- f"msfconsole -q\n"
- f"search mongodb\n"
- f"use exploit/linux/misc/mongodb_target_rce\n"
- f"set RHOSTS {target_ip}\n"
- f"run"
- )
- run_command(title, content, target_ip, open_ports)
diff --git a/TTPs/rdp.py b/TTPs/rdp.py
new file mode 100644
index 0000000..22f7f00
--- /dev/null
+++ b/TTPs/rdp.py
@@ -0,0 +1,120 @@
+from Modules.Imports.protocol_imports import *
+
+def rdp_submenu(target_ip, open_ports):
+ actions = {
+ "1": {"description": "Source Event Logs", "function": source_event_logs},
+ "2": {"description": "Destination Event Logs", "function": destination_event_logs},
+ "3": {"description": "Source Registry", "function": source_registry},
+ "4": {"description": "Destination Registry", "function": destination_registry},
+ "5": {"description": "Source Artifacts", "function": source_artifacts},
+ "6": {"description": "Destination Artifacts", "function": destination_artifacts},
+ "7": {"description": "Extra", "function": extra_info},
+ "8": {"description": "All", "function": run_all_rdp_checks},
+ }
+ build_submenu("RDP Persistence", target_ip, actions, open_ports)
+
+# Individual submenu functions
+def source_event_logs(target_ip, open_ports):
+ title = "Source Event Logs"
+ content = (
+ f"- `security.evtx`\n"
+ f" - 4648: Logon specifying alternate credentials (NLA enabled)\n"
+ f" - Current logged-on User Name\n"
+ f" - Alternate User Name\n"
+ f" - Destination Host Name/IP\n"
+ f" - Process Name\n"
+ f"- `Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx`\n"
+ f" - 1024: Destination Host Name\n"
+ f" - 1102: Destination IP Address"
+ )
+ run_command(title, content, target_ip, open_ports)
+
+def destination_event_logs(target_ip, open_ports):
+ title = "Destination Event Logs"
+ content = (
+ f"- **Security Event Log** – `security.evtx`\n"
+ f" - 4624: Logon Type 10\n"
+ f" - Source IP/Logon User Name\n"
+ f" - 4778/4779\n"
+ f" - IP Address of Source/Source System Name\n"
+ f" - Logon User Name\n"
+ f"- `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx`\n"
+ f" - 131: Connection Attempts (Source IP)\n"
+ f" - 98: Successful Connections\n"
+ f"- `Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx`\n"
+ f" - 1149: Source IP/Logon User Name (Blank user name may indicate Sticky Keys)\n"
+ f"- `Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx`\n"
+ f" - 21, 22, 25: Source IP/Logon User Name\n"
+ f" - 41: Logon User Name"
+ )
+ run_command(title, content, target_ip, open_ports)
+
+def source_registry(target_ip, open_ports):
+ title = "Source Registry"
+ content = (
+ f"- `NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers`: Remote desktop destinations (per-user)\n"
+ f"- `ShimCache` – SYSTEM: Tracks `mstsc.exe` (Remote Desktop Client)\n"
+ f"- `BAM_DAM` – SYSTEM: Last Time Executed (`mstsc.exe`)\n"
+ f"- `AmCache.hve`: First Time Executed (`mstsc.exe`)\n"
+ f"- `UserAssist` – `NTUSER.DAT`\n"
+ f" - Tracks execution of `mstsc.exe` (Remote Desktop Client)\n"
+ f"- `RecentApps` – `NTUSER.DAT`\n"
+ f" - Tracks `mstsc.exe` and connection destinations"
+ )
+ run_command(title, content, target_ip, open_ports)
+
+def destination_registry(target_ip, open_ports):
+ title = "Destination Registry"
+ content = (
+ f"- `ShimCache` - SYSTEM\n"
+ f" - Tracks `rdpclip.exe` and `tstheme.exe`\n"
+ f"- `AmCache.hve`: First Time Executed\n"
+ f" - Tracks `rdpclip.exe` and `tstheme.exe`"
+ )
+ run_command(title, content, target_ip, open_ports)
+
+def source_artifacts(target_ip, open_ports):
+ title = "Source File System Artifacts"
+ content = (
+ f"- Jumplists: `C:\\Users\\\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\`\n"
+ f" - Tracks remote desktop connection destinations and times\n"
+ f"- Prefetch: `C:\\Windows\\Prefetch\\`\n"
+ f" - Tracks execution of `mstsc.exe`\n"
+ f"- Bitmap Cache: `C:\\Users\\\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache`\n"
+ f"- Default.rdp file: `C:\\Users\\\\Documents\\`"
+ )
+ run_command(title, content, target_ip, open_ports)
+
+def destination_artifacts(target_ip, open_ports):
+ title = "Destination File System Artifacts"
+ content = (
+ f"- Prefetch: `C:\\Windows\\Prefetch\\`\n"
+ f" - Tracks execution of `rdpclip.exe` and `tstheme.exe`"
+ )
+ run_command(title, content, target_ip, open_ports)
+
+def extra_info(target_ip, open_ports):
+ title = "Extra Information"
+ content = (
+ f"- [RDP Authentication vs. Authorization - 13Cubed](https://youtu.be/OlENso8_u7s)\n"
+ f"- Key Concepts:\n"
+ f" - RDP_NLA (Network Level Authentication)\n"
+ f" - RDP_successful_logon event codes\n"
+ f" - 1149 > 4624 type 10 (established) OR 7 (reconnect) > 21 > 22\n"
+ f" - Understand authentication failures vs. authorization successes"
+ )
+ run_command(title, content, target_ip, open_ports)
+
+def run_all_rdp_checks(target_ip, open_ports):
+ title = "Run All RDP Checks"
+ content = "Executing all RDP persistence checks. Please wait..."
+ run_command(title, content, target_ip, open_ports)
+
+ # Sequentially run all functions
+ source_event_logs(target_ip, open_ports)
+ destination_event_logs(target_ip, open_ports)
+ source_registry(target_ip, open_ports)
+ destination_registry(target_ip, open_ports)
+ source_artifacts(target_ip, open_ports)
+ destination_artifacts(target_ip, open_ports)
+ extra_info(target_ip, open_ports)
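Review bot: In source_artifacts, the Jumplists, Bitmap Cache and Default.rdp entries are written as `C:\\Users\\\\AppData\\...` and `C:\\Users\\\\Documents\\`, which the f-string renders as `C:\Users\\AppData\...` with an empty per-user segment; if a `<user>` placeholder was dropped from the file itself rather than by this rendering, restore it as `C:\\Users\\<user>\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\` (the mongoexport line in the deleted mongodb.py shows the same missing-placeholder pattern). The same function spells the cache folder `TerminalServer Client` while source_registry's registry path uses `Terminal Server Client`; the two should agree. Nearly all of these literals contain no `{}` placeholder, so the `f` prefix is dead weight (ruff F541) and plain string literals would read cleaner. Since `content` here is reference text rather than a command, a one-line docstring on rdp_submenu such as `"""Menu of RDP source/destination forensic artifacts; each entry shows notes via run_command."""` would make that explicit — run_command's definition is not visible in this diff, so confirm it only displays the string and does not try to execute it.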