
Summary
This detection rule monitors for changes to the default Remote Desktop Protocol (RDP) port on Windows systems. RDP is essential for remote administration and support, but moving it off its default port is sometimes used by attackers to make unauthorized access harder to notice. The rule triggers on modifications to the Windows registry path associated with RDP: specifically, changes to the 'PortNumber' value under 'Control\Terminal Server\WinStations\RDP-Tcp'. A correct implementation monitors for any attempt to set the port to a value other than the default 3389, which is stored as a DWORD (0x00000d3d). The rule helps identify unauthorized alterations to RDP settings that may indicate malicious activity or an attempt to bypass security controls.
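The following is an added example of the rule's core condition expressed as detection logic over registry telemetry; it is not part of the original rule page. It assumes Sysmon-style registry events (Event ID 13, "value set", with TargetObject and Details fields, where a DWORD is rendered as "DWORD (0x00000d3d)") flattened into constructed key=value records; the full key prefix HKLM\System\CurrentControlSet and the sample records are assumptions of this example, not data from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Value the rule watches. The page gives the path fragment; the full key as Sysmon
# reports it (HKLM\System\CurrentControlSet\...) is an assumption of this example.
RDP_PORT_VALUE_SUFFIX = r"\control\terminal server\winstations\rdp-tcp\portnumber"
DEFAULT_RDP_PORT = 3389          # rendered by Sysmon as DWORD (0x00000d3d)
SYSMON_REGISTRY_VALUE_SET = 13   # Sysmon Event ID 13: RegistryEvent (Value Set)

# Sysmon writes DWORD values into the Details field as "DWORD (0x00000d3d)".
DWORD_RE = re.compile(r"DWORD\s*\(0x([0-9A-Fa-f]{1,8})\)")


@dataclass
class RegistryEvent:
    event_id: int
    target_object: str
    details: str
    image: str


def parse_line(line: str) -> RegistryEvent:
    """Parse one constructed 'key=value|key=value' record into a RegistryEvent."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return RegistryEvent(
        event_id=int(fields.get("EventID", "0")),
        target_object=fields.get("TargetObject", ""),
        details=fields.get("Details", ""),
        image=fields.get("Image", ""),
    )


def parse_dword(details: str) -> Optional[int]:
    """Return the integer behind a Sysmon 'DWORD (0x...)' string, or None if absent."""
    m = DWORD_RE.search(details)
    return int(m.group(1), 16) if m else None


def is_rdp_port_change(evt: RegistryEvent) -> bool:
    """The rule's core condition: a value-set on the RDP-Tcp PortNumber to anything but 3389."""
    if evt.event_id != SYSMON_REGISTRY_VALUE_SET:
        return False
    # Registry paths are case-insensitive; normalise before matching.
    if not evt.target_object.lower().endswith(RDP_PORT_VALUE_SUFFIX):
        return False
    port = parse_dword(evt.details)
    # A non-DWORD write to PortNumber is also a deviation worth surfacing,
    # so an unparseable value (None) is treated as a hit rather than dropped.
    return port is None or port != DEFAULT_RDP_PORT


def detect(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Run the rule over log records and return one alert per matching event."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        if not line.strip():
            continue
        evt = parse_line(line)
        if is_rdp_port_change(evt):
            alerts.append({
                "port": parse_dword(evt.details),
                "image": evt.image,
                "target": evt.target_object,
            })
    return alerts


# Constructed sample records (not real telemetry) in the shape of Sysmon EID 12/13 data.
SAMPLE_LOG = r"""
EventID=13|TargetObject=HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber|Details=DWORD (0x00000d3d)|Image=C:\Windows\System32\svchost.exe
EventID=13|TargetObject=HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber|Details=DWORD (0x0000d431)|Image=C:\Windows\regedit.exe
EventID=13|TargetObject=HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication|Details=DWORD (0x00000001)|Image=C:\Windows\regedit.exe
EventID=12|TargetObject=HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp|Details=|Image=C:\Windows\System32\reg.exe
EventID=13|TargetObject=HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber|Details=Binary Data|Image=C:\Windows\System32\reg.exe
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"RDP port change: port={alert['port']} by {alert['image']}")
```

Of the five constructed records, only the second (PortNumber set to 0x0000d431, i.e. 54321) and the fifth (a non-DWORD write to PortNumber) raise alerts; the write of the default 0x00000d3d, the unrelated UserAuthentication value, and the key-creation event (EID 12) are ignored. Treating an unparseable Details value as a hit is a deliberate choice: the rule's intent is to catch any deviation from port 3389, and a malformed write is a deviation, not noise.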
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1021.001
Created: 2022-01-01