
Potential Remote Desktop Shadowing Activity

Elastic Detection Rules

Summary
This detection rule targets misuse of Remote Desktop Protocol (RDP) session shadowing on Windows. Shadowing is a built-in Remote Desktop Services feature that lets one user view or take control of another user's interactive session; the Group Policy value that governs it can be set so that the target user is neither asked for consent nor notified, which makes it attractive to adversaries who already hold credentials on a host and want to watch or drive a logged-on user's session. The rule watches for two things: modifications to the RDP Shadow policy value in the registry, and the start of the Windows processes involved in establishing a shadow session. It is written in EQL (Event Query Language) and runs against endpoint process and registry events, Sysmon operational logs, and Microsoft Defender for Endpoint data. The rule carries a risk score of 73 (severity: high) and is mapped to the Lateral Movement tactic, since shadowing is normally used against a session on a host the attacker has already reached. The accompanying investigation guide walks through triaging a triggered alert, the expected false positives (legitimate help-desk or administrator use of shadowing is the common one), and the recommended response to unauthorized session access.
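To make the detection logic concrete, the following is an added example (not Elastic's rule code) that applies the same two checks described above to a handful of constructed ECS-style events. The page only says the rule watches "the RDP Shadow registry settings" and "specific processes linked to RDP shadowing"; the concrete indicators used here are assumptions drawn from how Windows implements shadowing: the `Shadow` value under `HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services`, the `mstsc.exe /shadow:<session>` command line, and the `RdpSaUacHelper.exe` / `RdpSaProxy.exe` helpers that `svchost.exe` starts for a shadow session. Field names follow ECS; the sample events are invented for illustration.

```python
"""Toy re-implementation of the RDP Shadowing detection logic over ECS-style events.

Added example, not Elastic's rule. The indicators below are assumptions based on
how Windows implements session shadowing, not on the page itself.
"""
from typing import Any, Dict, Iterable, List, Optional, Tuple

Event = Dict[str, Any]

# Group Policy value that controls shadowing (compared case-insensitively on the key suffix):
#   HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow
SHADOW_KEY_SUFFIX = "\\terminal services\\shadow"

# Documented meaning of the Shadow policy value; 2 and 4 remove the consent prompt.
SHADOW_MODES = {
    "0": "disabled",
    "1": "full control, user consent required",
    "2": "full control, no consent",
    "3": "view only, user consent required",
    "4": "view only, no consent",
}

# Helper processes Windows launches under svchost.exe when a shadow session is set up.
SHADOW_HELPERS = {"rdpsauachelper.exe", "rdpsaproxy.exe"}


def classify(event: Event) -> Optional[str]:
    """Return a human-readable reason if the event matches a shadowing indicator, else None."""
    category = str(event.get("event.category", "")).lower()

    if category == "registry":
        path = str(event.get("registry.path", "")).lower()
        if path.endswith(SHADOW_KEY_SUFFIX):
            # ECS carries registry string data as an array; take the first element.
            data = event.get("registry.data.strings") or []
            value = str(data[0]) if data else ""
            mode = SHADOW_MODES.get(value, "unknown value")
            return "registry: Shadow policy set to %s (%s)" % (value, mode)
        return None

    if category == "process":
        name = str(event.get("process.name", "")).lower()
        parent = str(event.get("process.parent.name", "")).lower()
        args = [str(a).lower() for a in event.get("process.args", [])]

        # Helper processes are only interesting when svchost.exe is the parent,
        # which is how the Remote Desktop Services stack starts them.
        if name in SHADOW_HELPERS and parent == "svchost.exe":
            return "process: %s spawned by svchost.exe" % name

        # Operator-initiated shadowing: mstsc.exe /shadow:<sessionID> [/control] [/noConsentPrompt]
        shadow_args = [a for a in args if a.startswith("/shadow:")]
        if name == "mstsc.exe" and shadow_args:
            return "process: mstsc.exe started with %s" % shadow_args[0]

    return None


def detect(events: Iterable[Event]) -> List[Tuple[int, str]]:
    """Run classify() over a stream of events and return (index, reason) for each hit."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        reason = classify(ev)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample events (not real telemetry). Events 1, 2 and 3 should fire;
# 0 is an ordinary RDP connection and 4 is a helper with the wrong parent.
SAMPLE_EVENTS: List[Event] = [
    {"event.category": "process", "process.name": "mstsc.exe",
     "process.parent.name": "explorer.exe",
     "process.args": ["mstsc.exe", "/v:fileserver01"]},
    {"event.category": "registry",
     "registry.path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow",
     "registry.data.strings": ["2"]},
    {"event.category": "process", "process.name": "RdpSaUacHelper.exe",
     "process.parent.name": "svchost.exe",
     "process.args": ["RdpSaUacHelper.exe"]},
    {"event.category": "process", "process.name": "mstsc.exe",
     "process.parent.name": "cmd.exe",
     "process.args": ["mstsc.exe", "/shadow:2", "/v:WS-042", "/control", "/noConsentPrompt"]},
    {"event.category": "process", "process.name": "RdpSaProxy.exe",
     "process.parent.name": "explorer.exe",
     "process.args": ["RdpSaProxy.exe"]},
]

if __name__ == "__main__":
    for index, reason in detect(SAMPLE_EVENTS):
        print("event %d -> %s" % (index, reason))
```

The registry check fires on any write to the Shadow value, including a change to `0` (disabled) or to a mode that still prompts the user, because the write itself is what an administrator would want to review; the decoded mode in the reason string tells the analyst at a glance whether consent was removed. The parent-process constraint on the helpers is what keeps the second check from flagging unrelated executions of the same binaries.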
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1021
  • T1021.001
Created: 2021-04-12