Anomalous React Server Components Flight Data Patterns

Last updated 3 months ago on 2025-12-05
Created 3 months ago on 2025-12-05

About

This rule detects anomalous patterns in React Server Components (RSC) Flight protocol data streams that may indicate code injection or exploitation attempts. The Flight protocol is used by React and Next.js for server-client communication, and should never contain Node.js code execution primitives like child_process, fs module calls, or eval patterns. This building block rule casts a wider net to identify suspicious payloads that warrant further investigation.
Tags
Domain: Network
Domain: Application
Domain: Web
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Data Source: Network Packet Capture
Rule Type: BBR
Language: eql
Severity
low
Risk Score
21
MITRE ATT&CK™

Initial Access (TA0001)

Execution (TA0002)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-network_traffic.http*
Related Integrations

network_traffic

Query
network where http.request.method == "POST" and http.response.status_code != 200 and
(
  // Node.js child_process module
  (
    http.request.body.content like~ "*require('child_process')*" or
    http.request.body.content like~ "*require(\"child_process\")*" or
    http.request.body.content like~ "*child_process*" and http.request.body.content like~ "*.exec*"
  ) or
  // Node.js synchronous execution methods
  (
    http.request.body.content like~ "*.execSync(*" or
    http.request.body.content like~ "*.spawnSync(*" or
    http.request.body.content like~ "*.execFileSync(*"
  ) or
  // Node.js file system operations - suspicious in RSC context
  (
    http.request.body.content like~ "*require('fs')*" or
    http.request.body.content like~ "*require(\"fs\")*" or
    http.request.body.content like~ "*.readFileSync(*" or
    http.request.body.content like~ "*.writeFileSync(*" or
    http.request.body.content like~ "*.unlinkSync(*"
  ) or
  // Process and module access patterns used in exploitation
  (
    http.request.body.content like~ "*process.mainModule*" or
    http.request.body.content like~ "*process.binding*" or
    http.request.body.content like~ "*process.dlopen*"
  ) or
  // JavaScript code execution primitives
  (
    http.request.body.content like~ "*eval(*" and http.request.body.content like~ "*require*" or
    http.request.body.content like~ "*Function(*" and http.request.body.content like~ "*return*"
  ) or
  // Generic prototype pollution indicators
  (
    http.request.body.content like~ "*prototype*" and http.request.body.content like~ "*constructor*"
  )
)
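
To check how the query's conditions combine before tuning or triaging, the following added example (not Elastic's code) re-implements its matching logic in Python and runs it over constructed events. The group names, the `event` helper and the sample bodies are assumptions of this example.

```python
import re

def like_ci(text, pattern):
    """EQL `like~`: case-insensitive wildcard match; only `*` is handled here."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE | re.DOTALL) is not None

# Group name -> alternatives (OR); each alternative is a tuple of patterns
# that must all match (AND), mirroring the query's and-before-or grouping.
# Group names are labels chosen for this example, taken from the rule's comments.
GROUPS = {
    "child_process": [("*require('child_process')*",), ('*require("child_process")*',),
                      ("*child_process*", "*.exec*")],
    "sync_exec": [("*.execSync(*",), ("*.spawnSync(*",), ("*.execFileSync(*",)],
    "fs": [("*require('fs')*",), ('*require("fs")*',), ("*.readFileSync(*",),
           ("*.writeFileSync(*",), ("*.unlinkSync(*",)],
    "process_access": [("*process.mainModule*",), ("*process.binding*",),
                       ("*process.dlopen*",)],
    "code_exec": [("*eval(*", "*require*"), ("*Function(*", "*return*")],
    "prototype_pollution": [("*prototype*", "*constructor*")],
}

def matched_groups(event):
    """Names of the pattern groups an event hits; [] if the outer conditions fail."""
    request, response = event["http"]["request"], event["http"]["response"]
    if request["method"] != "POST" or response["status_code"] == 200:
        return []
    body = request.get("body", {}).get("content") or ""
    return [name for name, alternatives in GROUPS.items()
            if any(all(like_ci(body, p) for p in alt) for alt in alternatives)]

def event(method, status, body):
    """Build a constructed event with the fields the query reads."""
    return {"http": {"request": {"method": method, "body": {"content": body}},
                     "response": {"status_code": status}}}

# Constructed sample events (not real traffic).
SAMPLES = [
    event("POST", 500, '1:{"v":"PROCESS.MAINMODULE"}'),       # case-insensitive hit
    event("POST", 200, '1:{"v":"process.mainModule"}'),       # excluded: status 200
    event("POST", 500, '0:{"title":"child_process notes"}'),  # no ".exec": no hit
    event("POST", 400, '0:{"bio":"prototype rigs, constructor by trade"}'),  # broad hit
    event("GET", 500, '1:{"v":"process.binding"}'),           # excluded: not POST
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["http"]["response"]["status_code"], matched_groups(sample))
```

The fourth sample shows why this is a low-severity building block rule: ordinary text containing both "prototype" and "constructor" is enough to match.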

Install detection rules in Elastic Security

Detect Anomalous React Server Components Flight Data Patterns in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.