
Summary
This detection rule identifies when the Remote Desktop Protocol (RDP) service is enabled on a Windows host by analyzing endpoint process-creation telemetry. It uses Windows Security event 4688 (process creation) and inspects the command line of each new process for two RDP-enabling patterns: 'reg.exe' writing the 'fDenyTSConnections' registry value to '0', which permits inbound RDP connections, and 'netsh.exe' commands that explicitly allow RDP through the Windows Firewall. Note that 4688 only carries the command line when the "Include command line in process creation events" audit policy is enabled; without it the rule has nothing to match. Enabling RDP on a host that did not previously expose it is a common precursor to lateral movement, a technique used by many ransomware groups and APTs that rely on RDP for remote access. The rule produces a report of the matching activity, including timestamps, hostname, user, parent process, process name, and full command line, so an analyst can triage the change and respond. Because administrators also enable RDP legitimately, expect to tune the rule against known provisioning and support activity. The threat groups associated with this behavior include APT35, DarkSide, and ransomware operators such as Conti and Lockbit, which is why RDP activation is a high-value signal worth monitoring.
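To make the matching logic concrete, here is the detection run over a handful of constructed 4688-style events. This is an added example, not the rule's own search or any vendor code; the field names (`_time`, `dest`, `user`, `parent_process_name`, `process_name`, `process`), the sample hostnames and command lines, and the `classify`/`detect_rdp_enable` helpers are all assumptions made for illustration. It also goes slightly beyond the page by accepting the legacy `netsh firewall ... type = remotedesktop mode = enable` syntax alongside the `advfirewall` form, and it deliberately includes noise (RDP being disabled, a read-only `reg query`, an unrelated firewall rule group) to show what must not alert.

```python
"""Run the RDP-enable detection logic over constructed 4688-style events."""
import re
from typing import Iterable, Optional

# Constructed process-creation events in the field layout the summary describes
# (timestamp, host, user, parent, process name, command line). Not real telemetry.
SAMPLE_EVENTS = [
    {"_time": "2024-02-09T10:01:12Z", "dest": "WS01", "user": "CORP\\alice",
     "parent_process_name": "cmd.exe", "process_name": "reg.exe",
     "process": 'reg.exe add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
                '/v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"_time": "2024-02-09T10:06:40Z", "dest": "WS01", "user": "CORP\\alice",
     "parent_process_name": "cmd.exe", "process_name": "reg.exe",
     "process": 'reg.exe add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
                '/v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"_time": "2024-02-09T11:20:03Z", "dest": "SRV02", "user": "CORP\\svc-backup",
     "parent_process_name": "powershell.exe", "process_name": "netsh.exe",
     "process": 'netsh.exe advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    # Noise that must NOT alert: RDP disabled, a read-only query, an unrelated rule group.
    {"_time": "2024-02-09T12:00:00Z", "dest": "WS03", "user": "CORP\\bob",
     "parent_process_name": "cmd.exe", "process_name": "reg.exe",
     "process": 'reg.exe add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
                '/v fDenyTSConnections /t REG_DWORD /d 1 /f'},
    {"_time": "2024-02-09T12:01:00Z", "dest": "WS03", "user": "CORP\\bob",
     "parent_process_name": "cmd.exe", "process_name": "reg.exe",
     "process": 'reg.exe query "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
                '/v fDenyTSConnections'},
    {"_time": "2024-02-09T12:02:00Z", "dest": "SRV02", "user": "CORP\\svc-backup",
     "parent_process_name": "powershell.exe", "process_name": "netsh.exe",
     "process": 'netsh.exe advfirewall firewall set rule group="file and printer sharing" new enable=Yes'},
]

# Option order on the reg.exe command line varies, so the value name and the data are
# matched separately. "/d 0" and "/d 0x0" both count; "/d 1" (RDP denied) must not.
REG_VALUE_RE = re.compile(r"fDenyTSConnections", re.IGNORECASE)
REG_ZERO_RE = re.compile(r"/d\s+(?:0x)?0+\b", re.IGNORECASE)
# netsh advfirewall enabling the built-in "remote desktop" rule group.
NETSH_ADV_RE = re.compile(r'group\s*=\s*"?remote desktop"?.*enable\s*=\s*yes', re.IGNORECASE)
# Legacy "netsh firewall" syntax; an assumed extension beyond the page's text.
NETSH_LEGACY_RE = re.compile(r"remotedesktop.*mode\s*=\s*enable", re.IGNORECASE)


def classify(event: dict) -> Optional[str]:
    """Return 'registry' or 'firewall' when the event enables RDP, else None."""
    name = event.get("process_name", "").lower()
    cmd = event.get("process", "")
    if name == "reg.exe" and REG_VALUE_RE.search(cmd) and REG_ZERO_RE.search(cmd):
        return "registry"
    if name == "netsh.exe" and (NETSH_ADV_RE.search(cmd) or NETSH_LEGACY_RE.search(cmd)):
        return "firewall"
    return None


def detect_rdp_enable(events: Iterable[dict]) -> list:
    """Aggregate matching events per host/user/command into summary report rows."""
    rows = {}
    for ev in events:
        method = classify(ev)
        if method is None:
            continue
        key = (ev["dest"], ev["user"], ev["process_name"], ev["process"])
        row = rows.setdefault(key, {
            "firstTime": ev["_time"], "lastTime": ev["_time"], "count": 0,
            "dest": ev["dest"], "user": ev["user"],
            "parent_process_name": ev["parent_process_name"],
            "process_name": ev["process_name"], "process": ev["process"],
            "method": method,
        })
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return list(rows.values())


if __name__ == "__main__":
    for row in detect_rdp_enable(SAMPLE_EVENTS):
        print(row)
```

On the sample above the report contains two rows: the two identical `reg.exe` invocations on WS01 collapse into one row with a count of 2 and a first/last timestamp span, and the `netsh.exe` rule-group change on SRV02 forms the second. The three noise events produce nothing, which is the property to preserve when you port this to your SIEM's query language: match on the value being written, not merely on the value name appearing in the command line.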
Categories
- Windows
Data Sources
- Windows Registry
ATT&CK Techniques
- T1112
- T1021.001
Created: 2024-02-09