```yaml
title: RDP Enablement via Registry or Firewall Modification
id: edr-win-lat-rdp-enable
status: stable
description: >
  Detects remote or interactive enablement of RDP on endpoints where it was
  previously disabled. Operators flip fDenyTSConnections to 0 and enable the
  Remote Desktop firewall rule group as a precursor to lateral movement,
  persistence, or pre-encryption access. Observed in Play, Akira, Embargo,
  Chaos, and multiple CISA StopRansomware advisories.
references:
  - https://attack.mitre.org/techniques/T1021/001/
  - https://attack.mitre.org/techniques/T1112/
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a
author: ShroudCloud
date: 2026-04-16
tags:
  - attack.lateral_movement
  - attack.defense_evasion
  - attack.t1021.001
  - attack.t1112
logsource:
  category: process_creation
  product: windows
detection:
  # reg.exe syntax (also caught when wrapped in cmd/powershell command lines)
  selection_reg:
    Image|endswith:
      - '\reg.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cmd.exe'
    CommandLine|contains|all:
      - 'fDenyTSConnections'
      - 'REG_DWORD'
      - '/d 0'
  selection_reg_path:
    CommandLine|contains: 'Terminal Server'
  # PowerShell NetSecurity module
  selection_firewall:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains|all:
      - 'Enable-NetFirewallRule'
      - 'Remote Desktop'
  # netsh advfirewall: set/add rule by group or by port
  selection_netsh:
    Image|endswith: '\netsh.exe'
    CommandLine|contains|all:
      - 'firewall'
      - 'rule'
    CommandLine|contains:
      - 'localport=3389'
      - 'group="Remote Desktop"'
      - 'group=remote desktop'
  filter_gpo:
    ParentImage|endswith:
      - '\gpscript.exe'
      - '\gpupdate.exe'
  condition: ((selection_reg and selection_reg_path) or selection_firewall or selection_netsh) and not filter_gpo
falsepositives:
  - Legitimate IT admin enabling RDP on a new workstation (baseline by parent process and deployment workflow)
  - GPO-driven RDP rollout (filtered by gpscript/gpupdate parent)
level: high
```
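The rule's selections and condition, evaluated over a handful of constructed process_creation events. This is an added example, not part of the rule above or of any Sigma backend: the matcher hand-implements only the Sigma semantics this rule uses (case-insensitive `contains`, `contains|all` and `endswith`), the sample events are made up for illustration, and `selection_ps_reg` is a hypothetical extension, not something the rule carries, included to show which common variant of the same registry flip the rule as written does not catch.

```python
"""Evaluate the RDP-enablement rule over constructed process_creation events.

Assumptions (illustration only): field names follow Sysmon/Sigma
(Image, ParentImage, CommandLine); the events below are constructed, not
real telemetry; selection_ps_reg is a proposed extension, not part of
the rule.
"""


def _contains(value, needles, require_all):
    # Sigma 'contains' is a case-insensitive substring test;
    # the '|all' modifier requires every needle, otherwise any one suffices.
    v = value.lower()
    hits = [n.lower() in v for n in needles]
    return all(hits) if require_all else any(hits)


def _endswith(value, suffixes):
    # Sigma 'endswith', case-insensitive, any one suffix.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def selection_reg(e):
    return _endswith(e["Image"], ["\\reg.exe", "\\powershell.exe", "\\pwsh.exe", "\\cmd.exe"]) \
        and _contains(e["CommandLine"], ["fDenyTSConnections", "REG_DWORD", "/d 0"], True)


def selection_reg_path(e):
    return _contains(e["CommandLine"], ["Terminal Server"], False)


def selection_firewall(e):
    return _endswith(e["Image"], ["\\powershell.exe", "\\pwsh.exe"]) \
        and _contains(e["CommandLine"], ["Enable-NetFirewallRule", "Remote Desktop"], True)


def selection_netsh(e):
    return _endswith(e["Image"], ["\\netsh.exe"]) \
        and _contains(e["CommandLine"], ["firewall", "rule"], True) \
        and _contains(e["CommandLine"],
                      ['localport=3389', 'group="Remote Desktop"', 'group=remote desktop'], False)


def selection_ps_reg(e):
    # Hypothetical extension (NOT in the rule): the same value set through
    # Set-ItemProperty carries neither 'REG_DWORD' nor '/d 0'.
    return _endswith(e["Image"], ["\\powershell.exe", "\\pwsh.exe"]) \
        and _contains(e["CommandLine"], ["Set-ItemProperty", "fDenyTSConnections", "-Value 0"], True)


def filter_gpo(e):
    return _endswith(e.get("ParentImage", ""), ["\\gpscript.exe", "\\gpupdate.exe"])


def matches(e, with_ps_extension=False):
    # Mirrors the rule's condition; the extension is OR-ed in only on request.
    hit = (selection_reg(e) and selection_reg_path(e)) or selection_firewall(e) or selection_netsh(e)
    if with_ps_extension:
        hit = hit or selection_ps_reg(e)
    return bool(hit and not filter_gpo(e))


REG_ADD = r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry).
EVENTS = [
    {"name": "reg_add", "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": REG_ADD},
    {"name": "netsh_enable", "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"name": "ps_enable_rule", "Image": PS_EXE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -Command \"Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'\""},
    # Same reg add, but launched by a GPO startup script: suppressed by filter_gpo.
    {"name": "reg_add_gpo", "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\gpscript.exe", "CommandLine": REG_ADD},
    # Same registry flip via the PowerShell provider: missed by the rule as written.
    {"name": "ps_set_itemproperty", "Image": PS_EXE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -Command \"Set-ItemProperty -Path "
                    "'HKLM:\\System\\CurrentControlSet\\Control\\Terminal Server' "
                    "-Name fDenyTSConnections -Value 0\""},
    # Read-only query of the same value: no REG_DWORD / '/d 0', so no match.
    {"name": "benign_query", "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections'},
]


def evaluate(events, with_ps_extension=False):
    """Return {event name: matched?} for the rule (optionally with the extension)."""
    return {e["name"]: matches(e, with_ps_extension) for e in events}


if __name__ == "__main__":
    for name, hit in evaluate(EVENTS).items():
        print(f"{name:22s} {'ALERT' if hit else '-'}")
```

Run stand-alone, the three enablement commands alert, the GPO-parented copy and the read-only query do not, and the Set-ItemProperty variant slips through because selection_reg keys on reg.exe's `/t REG_DWORD /d 0` syntax. Whether to fold an extension like `selection_ps_reg` into the production rule is a tuning decision to baseline against your own admin tooling; for deployment, convert the YAML with a Sigma backend rather than hand-porting the logic as done here.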