
Summary
This detection rule targets potential tampering with Remote Desktop Protocol (RDP) registry keys through the execution of `reg.exe`. An attacker seeking to enable or disable the RDP service might manipulate the registry settings located under `CurrentControlSet\Control\Terminal Server`. The rule captures instances where `reg.exe` is run with command-line arguments indicating an attempt to modify the relevant RDP values: specifically, any command that adds or changes DWORD values in that registry path, a behavior typical of lateral movement and defense evasion. The detection engine is configured to alert on executions of `reg.exe` that alter settings such as `EnableConcurrentSessions`, `MaxInstanceCount`, and other values that dictate RDP behavior. Flagging these actions lets the organization respond in a timely manner to unauthorized access attempts, which can lead to broader compromises if not addressed promptly.
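The following is an added example, not the rule's own query or code from the page's source project. It approximates the criteria described above as a Python check over process-creation events: the image must be `reg.exe`, the command line must reference the `CurrentControlSet\Control\Terminal Server` key, and the invocation must be a `reg add` writing a `REG_DWORD` value. The `ProcessEvent` shape and the sample events are constructed for the example and do not reflect any particular telemetry schema; the value names in the positive samples are the two named in the summary.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# The RDP configuration key named in the rule summary. Matched without a hive
# prefix so "HKLM\SYSTEM\..." and other spellings of the path are all caught.
RDP_KEY_RE = re.compile(r"CurrentControlSet\\Control\\Terminal Server", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (hypothetical shape, not a vendor schema)."""
    image: str
    command_line: str


def _image_name(path: str) -> str:
    """Return the lower-cased file name of an image path (either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _value_name(tokens: List[str]) -> Optional[str]:
    """reg.exe takes the value name as the argument that follows /v."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "/v":
            return tokens[i + 1]
    return None


def is_rdp_registry_tampering(event: ProcessEvent) -> bool:
    """True when the event looks like reg.exe writing a DWORD under the RDP key."""
    if _image_name(event.image) != "reg.exe":
        return False
    if not RDP_KEY_RE.search(event.command_line):
        return False
    lowered = [t.lower() for t in event.command_line.split()]
    # A write of a DWORD value: "reg add <key> ... /t REG_DWORD ...".
    # Queries, deletes and adds of non-DWORD types are deliberately not flagged,
    # matching the summary's scope of "adding or changing DWORD values".
    return "add" in lowered and "reg_dword" in lowered


def scan(events: Iterable[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (event index, value name) for every event that should alert."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        if is_rdp_registry_tampering(ev):
            hits.append((i, _value_name(ev.command_line.split()) or "<unknown>"))
    return hits


# Constructed sample telemetry for the example (not real captured events).
SAMPLE_EVENTS = [
    # 0: enables concurrent sessions under the RDP key -> alert
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
                 r'/v EnableConcurrentSessions /t REG_DWORD /d 1 /f'),
    # 1: same key, different value, mixed-case verb and image -> alert
    ProcessEvent(r"C:\Windows\System32\REG.EXE",
                 r'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
                 r'/V MaxInstanceCount /T REG_DWORD /D 999999 /F'),
    # 2: read-only query of the same key -> no alert
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r'reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"'),
    # 3: DWORD write to an unrelated key -> no alert
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r'reg add "HKCU\Software\ExampleApp" /v Setting /t REG_DWORD /d 1 /f'),
    # 4: a different image mentioning the key in its arguments -> no alert here
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell -c "Get-Item HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"'),
]


if __name__ == "__main__":
    for idx, value in scan(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}]: reg.exe wrote RDP value {value}")
```

Event 4 is left unflagged on purpose: this rule is scoped to `reg.exe`, so changes made through PowerShell or direct API calls need a separate rule keyed on the Windows Registry data source rather than on the process command line.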
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
Created: 2022-02-12