
Summary
This rule detects modifications to the registry that enable Remote Desktop Protocol (RDP) access on Windows systems. The registry value of interest is `fDenyTSConnections` (under `HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server`), which is set to `0` to allow RDP connections. Such a modification may signal preparatory activity for lateral movement by an adversary who intends to use RDP for unauthorized access to systems. The rule uses several data sources, including endpoint logs and Windows Sysmon registry events, to monitor changes to this value, looking in particular for suspicious context such as unexpected processes initiating the change. The analysis section provides a guide for investigators covering legitimate and illegitimate use of RDP, suggested steps for further investigation, and handling of false positives alongside proper incident response measures.
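The following is an added worked example, not part of this rule page or its project, showing how the detection described above can be evaluated against Sysmon RegistryEvent (Event ID 13, "Registry value set") message bodies. The log records below are constructed for illustration; the allowlist of images considered expected (`SystemPropertiesRemote.exe`, `svchost.exe`) and the severity labels are assumptions of this example, not part of the rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Registry value that, when set to DWORD 0, enables RDP (from the rule description).
TARGET_SUFFIX = r"\control\terminal server\fdenytsconnections"

# Assumed allowlist (example only): images that commonly flip this value through the
# Windows UI or service host; anything else is treated as suspicious context.
EXPECTED_IMAGES = {
    r"c:\windows\system32\systempropertiesremote.exe",
    r"c:\windows\system32\svchost.exe",
}

# Sysmon renders DWORD values in the Details field as "DWORD (0x00000000)".
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")

# Constructed sample log: four Sysmon Event ID 13 message bodies separated by blank lines.
SAMPLE_LOG = r"""
Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-11-25 10:00:00.000
ProcessId: 4242
Image: C:\Windows\System32\reg.exe
TargetObject: HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections
Details: DWORD (0x00000000)
User: CORP\jdoe

Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-11-25 10:05:00.000
ProcessId: 5151
Image: C:\Windows\System32\SystemPropertiesRemote.exe
TargetObject: HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections
Details: DWORD (0x00000000)
User: CORP\admin01

Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-11-25 10:10:00.000
ProcessId: 4242
Image: C:\Windows\System32\reg.exe
TargetObject: HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections
Details: DWORD (0x00000001)
User: CORP\jdoe

Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-11-25 10:15:00.000
ProcessId: 900
Image: C:\Windows\System32\svchost.exe
TargetObject: HKLM\System\CurrentControlSet\Services\W32Time\Parameters\Type
Details: NTP
User: NT AUTHORITY\SYSTEM
"""


@dataclass
class Alert:
    severity: str
    image: str
    user: str
    utc_time: str
    reason: str


def parse_sysmon_registry_event(text: str) -> Dict[str, str]:
    """Parse the multi-line 'Key: value' body of one Sysmon RegistryEvent into a dict.
    The first line is the event title (e.g. "Registry value set:") and is skipped."""
    fields: Dict[str, str] = {}
    for line in text.strip().splitlines()[1:]:
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # split on the first colon only; paths contain ':'
        fields[key.strip()] = value.strip()
    return fields


def rdp_enabled_value(details: str) -> Optional[bool]:
    """True if Details is a DWORD of 0 (RDP allowed), False for any other DWORD, None if not a DWORD."""
    m = DWORD_RE.search(details)
    if not m:
        return None
    return int(m.group(1), 16) == 0


def evaluate(event: Dict[str, str]) -> Optional[Alert]:
    """Apply the rule to one parsed event: fire only on fDenyTSConnections being set to 0."""
    if event.get("EventType") != "SetValue":
        return None
    if not event.get("TargetObject", "").lower().endswith(TARGET_SUFFIX):
        return None
    if rdp_enabled_value(event.get("Details", "")) is not True:
        return None  # value 1 (deny) or a non-DWORD write is not an "RDP enabled" change
    image = event.get("Image", "")
    if image.lower() in EXPECTED_IMAGES:
        severity, reason = "medium", "RDP enabled via expected image; confirm change is authorized"
    else:
        severity, reason = "high", "RDP enabled by unexpected process; possible lateral movement prep"
    return Alert(severity, image, event.get("User", ""), event.get("UtcTime", ""), reason)


def scan(log_text: str) -> List[Alert]:
    """Split a log dump into individual Sysmon messages (blank-line separated) and evaluate each."""
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", log_text.strip()):
        alert = evaluate(parse_sysmon_registry_event(block))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity}] {a.utc_time} {a.user} {a.image}: {a.reason}")
```

Running the block against the constructed log yields two alerts: a high-severity one for `reg.exe` setting the value to 0 and a medium-severity one for the Remote tab of System Properties doing the same; the later write of `1` (RDP denied again) and the unrelated service key are ignored. In a real deployment the allowlist would be tuned to the environment's provisioning tooling, and the `User` and `ProcessId` fields would be pivoted on during triage.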
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
- Network Traffic
ATT&CK Techniques
- T1021
- T1021.001
- T1112
Created: 2020-11-25