
Summary
This detection rule identifies use of the Windows `netsh` command-line utility to open and permit connections to the RDP service on its default port, 3389. The activity is associated with the Sarwent malware, which has been observed manipulating network settings to facilitate remote access. By monitoring command-line executions for patterns indicative of RDP-enabling commands, the rule targets scenarios where attackers may be attempting to evade detection or gain unauthorized access through remote connections. The detection logic captures instances where `netsh.exe` is executed with arguments indicating firewall modifications that allow RDP traffic, a common step in exploitation playbooks.
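A minimal Python version of the command-line matching the summary describes, added here as an illustration rather than the rule's own query. The process events are constructed samples, and the keyword lists are assumptions about which `netsh` arguments signal a firewall change that allows RDP:

```python
# Constructed sample process-creation events (not real telemetry). The fields
# mirror what a process log (e.g. Sysmon Event ID 1) typically carries.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="rdp" dir=in '
                    "action=allow protocol=TCP localport=3389"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh firewall add portopening tcp 3389 rdp enable"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall set rule group="remote desktop" '
                    "new enable=yes"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface ip show config"},          # benign netsh use
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo 3389"},                        # wrong image
]

# Assumed indicators: an argument that allows/enables traffic ...
ALLOW_KEYWORDS = ("action=allow", "portopening", "enable=yes")
# ... combined with a reference to RDP, by port or by rule group name.
RDP_KEYWORDS = ("3389", "remote desktop", "remotedesktop")


def is_rdp_enable_via_netsh(event):
    """Return True when a process event looks like netsh opening RDP."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # Match on the executable name only, so the check is path independent.
    if image.split("\\")[-1] != "netsh.exe":
        return False
    # Both netsh firewall contexts ("firewall" and "advfirewall") contain this token.
    if "firewall" not in cmd:
        return False
    if not any(k in cmd for k in ALLOW_KEYWORDS):
        return False
    return any(k in cmd for k in RDP_KEYWORDS)


def scan(events):
    """Return the command lines of all events the rule would flag."""
    return [e["CommandLine"] for e in events if is_rdp_enable_via_netsh(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

In production the same match should be joined with parent-process and user context, since administrators and deployment tooling legitimately run these commands.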
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2020-05-23