This detection rule is designed to identify the use of a scanner that targets systems vulnerable to the CVE-2019-0708 vulnerability, also known as BlueKeep, which affects the Remote Desktop Protocol (RDP) on Windows machines. The rule is based on specific Windows security events, particularly focusing on failed login attempts where the username matches 'AAAAAAA', indicative of automated scanning activities seeking RDP vulnerabilities. Its effectiveness is derived from recognizing these anomalous login events, helping to alert security teams to potential lateral movement attempts by adversaries leveraging the BlueKeep vulnerability. The rule has a high confidence level due to the specificity of the identified event conditions. False positives are deemed unlikely, making this rule a reliable tool for monitoring potential RDP exploitation activities across Windows environments.