How to detect React2Shell attacks using network-based threat hunting
How do you find React2Shell vulnerabilities or detect React2Shell attacks in real environments?
In this video, Corelight cloud security researcher David Burkett walks through how to threat hunt for React2Shell by focusing on post-exploitation behavior at the network level. Instead of relying on exploit signatures, the approach baselines the application's normal network behavior and flags traffic that deviates from it.
Using Zeek network data and the PEAK threat hunting framework, David shows how to detect reverse shells, network scanning, and lateral movement, even when traffic is encrypted or TLS decryption is unavailable. The method applies to cloud workloads and internet-facing applications, which is where React2Shell is commonly exploited.
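The hunt described above, as an added example that is not Corelight's code and is not shown in the video: a small Python script that builds an egress baseline for the application tier from Zeek conn.log records in JSON form, then flags new outbound connections from that tier that look like a reverse shell (a long-lived connection to an external host with data flowing both ways), a scan (many failed handshakes to distinct targets) or lateral movement (a new connection to an internal admin port). It relies only on connection metadata (duration, byte counts, conn_state), so it does not need TLS decryption. The log lines, host addresses, internal ranges, thresholds and admin-port list are constructed assumptions for illustration.

```python
"""Hunt React2Shell post-exploitation behaviour in Zeek conn.log (JSON) records.

Added example. The sample records below are constructed, and APP_HOSTS,
INTERNAL_NETS, ADMIN_PORTS and the thresholds are assumptions to be tuned
per environment; none of this is Corelight's or Zeek's own detection logic.
"""
import ipaddress
import json
from collections import defaultdict

APP_HOSTS = {"10.0.1.10"}                       # assumed internet-facing app tier
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed org space (cf. Zeek Site::local_nets)
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}       # assumed remote-admin ports
FAILED_STATES = {"S0", "REJ", "RSTO", "RSTOS0"} # Zeek conn_state values for failed/rejected handshakes
SCAN_FANOUT = 5                                 # distinct failed targets before we call it a scan
MIN_SHELL_DURATION = 60.0                       # seconds; interactive shells stay open

# Constructed "known good" window: app tier talks to its DB and DNS, clients hit 443.
BASELINE_LOG = """
{"ts":1733600000.1,"uid":"CBase1","id.orig_h":"10.0.1.10","id.orig_p":51010,"id.resp_h":"10.0.2.20","id.resp_p":5432,"proto":"tcp","duration":0.21,"orig_bytes":310,"resp_bytes":1204,"conn_state":"SF"}
{"ts":1733600001.3,"uid":"CBase2","id.orig_h":"10.0.1.10","id.orig_p":41002,"id.resp_h":"10.0.0.2","id.resp_p":53,"proto":"udp","duration":0.01,"orig_bytes":38,"resp_bytes":102,"conn_state":"SF"}
{"ts":1733600002.0,"uid":"CBase3","id.orig_h":"198.51.100.7","id.orig_p":55001,"id.resp_h":"10.0.1.10","id.resp_p":443,"proto":"tcp","duration":0.8,"orig_bytes":1500,"resp_bytes":32000,"conn_state":"SF"}
"""

# Constructed hunt window: normal traffic plus a reverse shell, a scan and a lateral hop.
HUNT_LOG = """
{"ts":1733690000.0,"uid":"CHunt1","id.orig_h":"10.0.1.10","id.orig_p":51300,"id.resp_h":"10.0.2.20","id.resp_p":5432,"proto":"tcp","duration":0.19,"orig_bytes":298,"resp_bytes":1100,"conn_state":"SF"}
{"ts":1733690004.2,"uid":"CHunt2","id.orig_h":"198.51.100.9","id.orig_p":43210,"id.resp_h":"10.0.1.10","id.resp_p":443,"proto":"tcp","duration":0.6,"orig_bytes":2100,"resp_bytes":900,"conn_state":"SF"}
{"ts":1733690005.0,"uid":"CShell1","id.orig_h":"10.0.1.10","id.orig_p":39822,"id.resp_h":"203.0.113.45","id.resp_p":4444,"proto":"tcp","duration":1800.5,"orig_bytes":20480,"resp_bytes":2048,"conn_state":"SF"}
{"ts":1733690010.0,"uid":"CScan1","id.orig_h":"10.0.1.10","id.orig_p":40001,"id.resp_h":"10.0.2.21","id.resp_p":22,"proto":"tcp","duration":0.0,"orig_bytes":0,"resp_bytes":0,"conn_state":"S0"}
{"ts":1733690010.1,"uid":"CScan2","id.orig_h":"10.0.1.10","id.orig_p":40002,"id.resp_h":"10.0.2.22","id.resp_p":22,"proto":"tcp","duration":0.0,"orig_bytes":0,"resp_bytes":0,"conn_state":"REJ"}
{"ts":1733690010.2,"uid":"CScan3","id.orig_h":"10.0.1.10","id.orig_p":40003,"id.resp_h":"10.0.2.23","id.resp_p":22,"proto":"tcp","duration":0.0,"orig_bytes":0,"resp_bytes":0,"conn_state":"S0"}
{"ts":1733690010.3,"uid":"CScan4","id.orig_h":"10.0.1.10","id.orig_p":40004,"id.resp_h":"10.0.2.24","id.resp_p":445,"proto":"tcp","duration":0.0,"orig_bytes":0,"resp_bytes":0,"conn_state":"REJ"}
{"ts":1733690010.4,"uid":"CScan5","id.orig_h":"10.0.1.10","id.orig_p":40005,"id.resp_h":"10.0.2.25","id.resp_p":445,"proto":"tcp","duration":0.0,"orig_bytes":0,"resp_bytes":0,"conn_state":"S0"}
{"ts":1733690090.0,"uid":"CLat1","id.orig_h":"10.0.1.10","id.orig_p":40100,"id.resp_h":"10.0.2.20","id.resp_p":22,"proto":"tcp","duration":45.3,"orig_bytes":5120,"resp_bytes":7300,"conn_state":"SF"}
"""


def parse_conn_log(text):
    """Parse Zeek JSON conn.log lines (one JSON object per line)."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(records):
    """Map each app host to the (resp_h, resp_p) pairs it initiated in the clean window."""
    baseline = defaultdict(set)
    for r in records:
        if r["id.orig_h"] in APP_HOSTS:
            baseline[r["id.orig_h"]].add((r["id.resp_h"], r["id.resp_p"]))
    return baseline


def hunt(records, baseline):
    """Classify outbound connections from the app tier that are absent from the baseline."""
    findings = {"reverse_shell": [], "scan": [], "lateral": [], "new_egress": []}
    failed_targets = defaultdict(set)
    for r in records:
        src = r["id.orig_h"]
        if src not in APP_HOSTS:
            continue  # only what the app tier *initiates* is profiled; inbound 443 is expected
        dst, port = r["id.resp_h"], r["id.resp_p"]
        if (dst, port) in baseline.get(src, set()):
            continue  # known egress (DB, DNS, ...)
        if r["conn_state"] in FAILED_STATES:
            failed_targets[src].add((dst, port))  # counted toward scan fan-out
        elif (not is_internal(dst) and r.get("duration", 0.0) >= MIN_SHELL_DURATION
              and r.get("orig_bytes", 0) > 0 and r.get("resp_bytes", 0) > 0):
            findings["reverse_shell"].append(r["uid"])  # app server dialed out and stayed interactive
        elif is_internal(dst) and port in ADMIN_PORTS:
            findings["lateral"].append(r["uid"])  # completed session to an internal admin port
        else:
            findings["new_egress"].append(r["uid"])  # unexplained; still worth an analyst's look
    for src, targets in failed_targets.items():
        if len(targets) >= SCAN_FANOUT:
            findings["scan"].append((src, len(targets)))
    return findings


def run_hunt():
    baseline = build_baseline(parse_conn_log(BASELINE_LOG))
    return hunt(parse_conn_log(HUNT_LOG), baseline)


if __name__ == "__main__":
    print(json.dumps(run_hunt(), indent=2))
```

The baseline window must be one you believe was clean; if the app server was already compromised when you baselined, its reverse shell becomes "normal". Everything that is new but fits none of the three patterns lands in new_egress rather than being dropped, because on a real network that bucket (a new SaaS endpoint, a new internal service) is where the noise and the next technique both show up.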