
Summary
This analytic rule detects modifications to the Windows registry that enable the Remote Desktop Protocol (RDP) on a targeted system. It uses data from the Endpoint Registry data model and specifically monitors changes to the 'fDenyTSConnections' registry value. The detection logic triggers when that value is set to '0x00000000', which means that inbound RDP connections are no longer denied, i.e. RDP access is allowed.

This change is uncommon in normal operation and is a security concern, because adversaries and malware frequently enable RDP to gain unauthorized remote access to a system. Successful remote access can lead to further exploitation and lateral movement within the network, so monitoring changes to remote access capabilities is critical for organizations.

To implement the search, organizations must ensure that Sysmon logs are ingested and that Sysmon is configured to capture the necessary registry keys. False positives may arise when system administrators legitimately enable or disable RDP within the organization.
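The detection logic above, run over constructed Sysmon registry events, as an added example that is not part of the original rule (which ships as a Splunk search, not Python). It assumes the Sysmon Event ID 13 field layout (TargetObject, Details rendered as "DWORD (0x...)") and the documented location of the value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server; the hostnames, users and timestamps are made up.

```python
import re

# Location of the value that controls whether inbound RDP connections are refused
# (HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server, value fDenyTSConnections).
RDP_VALUE_PATH = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"

# Sysmon Event ID 13 (RegistryEvent: Value Set) renders DWORD data as "DWORD (0x00000000)";
# any all-zero DWORD means "do not deny", i.e. RDP is enabled.
RDP_ENABLED_DATA = re.compile(r"^DWORD \(0x0+\)$")


def is_rdp_enable_event(event: dict) -> bool:
    """True when a Sysmon 'Value Set' event writes 0 to fDenyTSConnections."""
    if event.get("EventID") != 13:
        return False
    # Registry paths are case-insensitive on Windows; compare accordingly.
    if event.get("TargetObject", "").lower() != RDP_VALUE_PATH.lower():
        return False
    return RDP_ENABLED_DATA.match(event.get("Details", "")) is not None


def find_rdp_enable_events(events: list[dict]) -> list[dict]:
    """Return triage-ready alert records for every matching event."""
    alerts = []
    for ev in events:
        if is_rdp_enable_event(ev):
            # Host, user and writing process are what an analyst needs to tell an
            # administrator's change (expected false positive) from adversary activity.
            alerts.append({"host": ev["Computer"], "user": ev["User"],
                           "process": ev["Image"], "time": ev["UtcTime"]})
    return alerts


# Constructed Sysmon registry events (not real telemetry) in the shape of EventID 12/13.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-11-13 10:01:02.123", "Computer": "ws01.corp.example",
     "User": "CORP\\jdoe", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": RDP_VALUE_PATH, "Details": "DWORD (0x00000000)"},  # RDP enabled: alert
    {"EventID": 13, "UtcTime": "2024-11-13 10:05:00.000", "Computer": "ws02.corp.example",
     "User": "CORP\\admin", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": RDP_VALUE_PATH, "Details": "DWORD (0x00000001)"},  # RDP disabled: no alert
    {"EventID": 12, "UtcTime": "2024-11-13 10:06:00.000", "Computer": "ws02.corp.example",
     "User": "CORP\\admin", "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": RDP_VALUE_PATH, "Details": ""},                    # key event, no data
    {"EventID": 13, "UtcTime": "2024-11-13 10:07:00.000", "Computer": "ws03.corp.example",
     "User": "CORP\\svc", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication",
     "Details": "DWORD (0x00000000)"},                                  # different value: no alert
]

if __name__ == "__main__":
    for alert in find_rdp_enable_events(SAMPLE_EVENTS):
        print(alert)
```

Only the first constructed event produces an alert; the alert record carries the writing process and user so the administrator false positive noted above can be triaged quickly.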
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Script
ATT&CK Techniques
- T1021.001
- T1021
Created: 2024-11-13