
Summary
This analytic rule detects unauthorized modifications to the Windows Registry that enable Remote Desktop Protocol (RDP) on a non-standard port number. It monitors changes under the registry path "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp", specifically to the "PortNumber" value. Attackers commonly change this setting because relocating the RDP listener facilitates lateral movement across the network and helps them maintain persistent access to compromised systems. The detection uses Sysmon EventID 12 and EventID 13 to establish when the change occurred and how it was made. An attacker who succeeds in relocating the listener may bypass network defenses, establish remote connections, and take control of the machine. The rule underlines the importance of monitoring RDP settings as part of a broader security strategy.
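As an added example, not part of the rule's own content, the following Python applies the rule's logic to Sysmon EventID 12 and EventID 13 records rendered as Windows Event Log XML: it flattens each event, keeps only those that touch the RDP-Tcp "PortNumber" value, decodes the new port from Sysmon's DWORD rendering, and alerts when a value was set to something other than the default or when the value was deleted. The sample events, process images, user names and ports are constructed test data; the Event Log XML namespace and the Sysmon field names (EventType, TargetObject, Details, Image, User) are the real ones.

```python
"""Added example: apply the RDP PortNumber rule to Sysmon EventID 12/13 records.

The events below are constructed sample data in the Windows Event Log XML
rendering of Sysmon; they were not captured from a real host.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
REGISTRY_EVENT_IDS = {12, 13}  # 12: registry object added/deleted, 13: value set
# Sysmon renders the MACHINE hive as HKLM, so this matches the path the rule names.
RDP_PORT_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber"
DEFAULT_RDP_PORT = 3389
# Sysmon writes REG_DWORD data as e.g. "DWORD (0x00000D3D)".
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def parse_sysmon_event(xml_text):
    """Flatten one rendered Sysmon event into {field: value} plus its EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return fields


def decode_dword(details):
    """Return the integer behind Sysmon's DWORD rendering, or None if not a DWORD."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def evaluate(event):
    """Return an alert dict when the event changes the RDP listener port, else None.

    Registry paths are case-insensitive, so the comparison is too. A SetValue that
    writes the default port (e.g. policy re-applying it) is not alerted; a DeleteValue
    (EventID 12) removes the override and is reported with new_port None.
    """
    if event.get("EventID") not in REGISTRY_EVENT_IDS:
        return None
    if event.get("TargetObject", "").lower() != RDP_PORT_VALUE.lower():
        return None
    event_type = event.get("EventType", "")
    port = decode_dword(event.get("Details", "")) if event_type == "SetValue" else None
    if event_type == "SetValue" and port == DEFAULT_RDP_PORT:
        return None
    return {
        "time": event.get("UtcTime"),
        "event_type": event_type,
        "new_port": port,
        "image": event.get("Image"),
        "user": event.get("User"),
        "technique": "T1021",
    }


def detect(xml_events):
    """Run the rule over an iterable of rendered events and return the alerts."""
    alerts = []
    for xml_text in xml_events:
        alert = evaluate(parse_sysmon_event(xml_text))
        if alert:
            alerts.append(alert)
    return alerts


def sample_event(event_id, event_type, target, details, image, user):
    """Build a constructed Sysmon event in Event Log XML form (sample data only)."""
    details_xml = f'<Data Name="Details">{details}</Data>' if details is not None else ""
    return f"""<Event xmlns="{NS['e']}">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="EventType">{event_type}</Data>
    <Data Name="UtcTime">2024-12-16 10:00:00.000</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="TargetObject">{target}</Data>{details_xml}
    <Data Name="User">{user}</Data>
  </EventData>
</Event>"""


SVCHOST = r"C:\Windows\System32\svchost.exe"
SYSTEM_USER = r"NT AUTHORITY\SYSTEM"
OTHER_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"

SAMPLE_EVENTS = [
    # Policy re-applies the default port: not alerted.
    sample_event(13, "SetValue", RDP_PORT_VALUE, "DWORD (0x00000D3D)", SVCHOST, SYSTEM_USER),
    # Port set to 3000 from an interactive registry editor: alerted.
    sample_event(13, "SetValue", RDP_PORT_VALUE, "DWORD (0x00000BB8)", r"C:\Windows\regedit.exe", r"CORP\alice"),
    # A different value under Terminal Server: outside this rule, not alerted.
    sample_event(13, "SetValue", OTHER_VALUE, "DWORD (0x00000000)", SVCHOST, SYSTEM_USER),
    # PortNumber deleted (EventID 12): override removed, reported with new_port None.
    sample_event(12, "DeleteValue", RDP_PORT_VALUE, None, r"C:\Windows\System32\reg.exe", r"CORP\alice"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two practical points: Sysmon only emits registry events for paths included in its configuration, so the RDP-Tcp key must be covered by a RegistryEvent rule for this detection to see anything; and the Image and User fields carried into the alert are what let an analyst separate an expected change (a management agent running as SYSTEM) from an interactive edit by a user account.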
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1021
Created: 2024-12-16