EXPLORE DETECTIONS
Rapid7 Threat Command CVEs Correlation
This rule is triggered when CVEs collected from the Rapid7 Threat Command Integration have a match against vulnerabilities that were found in the customer environment.
Rare AWS Error Code
A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.
Rare Azure Activity Logs Event Failures
A machine learning job detected an unusual failure in an Azure Activity Logs message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.
Rare Connection to WebDAV Target
Identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource. Attackers may inject WebDAV paths in files or features opened by a victim user to leak their NTLM credentials via forced authentication.
Rare GCP Audit Failure Event Code
A machine learning job detected an unusual failure in a GCP Audit message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.
Rare PowerShell Script
A machine learning job detected a rare PowerShell script, identified by its script block hash, that may indicate execution of malware, or persistence mechanisms. Unlike anomaly detection based on content entropy, this rule identifies scripts that have rarely or never been seen in the environment.
Rare SMB Connection to the Internet
This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.
Rare User Logon
A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.
rc.local/rc.common File Creation
This rule monitors the creation of the rc.local/rc.common files. The "/etc/rc.local" file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local/rc.common to execute malicious code at start-up and gain persistence on the system.
RDP (Remote Desktop Protocol) from the Internet
This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.
RDP Enabled via Registry
Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.
React2Shell (CVE-2025-55182) Exploitation Attempt
This rule detects exploitation attempts targeting CVE-2025-55182, a critical remote code execution vulnerability in the React Server Components (RSC) Flight protocol. The vulnerability allows attackers to execute arbitrary code on the server by sending specially crafted deserialization payloads that exploit prototype chain traversal to access the Function constructor. This rule focuses on high-fidelity indicators of active exploitation, including successful command execution responses and prototype pollution attack patterns.
React2Shell Network Security Alert
This rule identifies network security alerts related to CVE-2025-55182 exploitation attempts from different network security integrations. CVE-2025-55182 is a critical remote code execution vulnerability in the React Server Components (RSC) Flight protocol. The vulnerability allows attackers to execute arbitrary code on the server by sending specially crafted deserialization payloads that exploit prototype chain traversal to access the Function constructor.
Registry Persistence via AppCert DLL
Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded into every process that calls the common process-creation API functions.
Registry Persistence via AppInit DLL
AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and gain solid and constant persistence on the machine.
Remote Computer Account DnsHostName Update
Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.
Remote Desktop Enabled in Windows Firewall by Netsh
Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.
Remote Desktop File Opened from Suspicious Path
Identifies attempts to open a remote desktop file from suspicious paths. Adversaries may abuse RDP files for initial access.
Remote Execution via File Shares
Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.
Remote File Copy to a Hidden Share
Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
Remote File Copy via TeamViewer
Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.
Remote File Creation in World Writeable Directory
This rule detects the creation of a file in a world-writeable directory through a service that is commonly used for file transfer. This behavior is often associated with lateral movement and can be an indicator of an attacker attempting to move laterally within a network.
Remote File Download via Desktopimgdownldr Utility
Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
Remote File Download via MpCmdRun
Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.