Rule Document 1:66581

Rule Category

OS-WINDOWS -- Snort has detected traffic targeting vulnerabilities in a Windows-based operating system. This does not include browser traffic or other software on the OS, but attacks against the OS itself. (such as?)

Alert Message

OS-WINDOWS Microsoft Windows Remote Desktop Client remote code execution attempt

Rule Explanation

This rule looks for bytes known to be specific to traffic that is intended to exploit a remote code execution in the Microsoft Windows Remote Desktop Client.

What To Look For

This rule looks for attempts to exploit a remote code execution vulnerability in Microsoft Windows Remote Desktop Client.

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

MITRE::ATT&CK Framework::Enterprise::Initial Access::External Remote Services

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services.

Rule Categories::Operating Systems::Windows

CVE

CVE-2026-42985

Additional Links

msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42985

Rule Vulnerability

Use After Free

Use After Free (UAF) attacks target computer memory flaws to corrupt the memory execute code. The name refers to attempts to use memory after it has been freed, which can cause a program to crash under normal circumstances, or result in remote code execution in a successful attack.

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

CVE-2026-42985

Loading description