Meterpreter Reverse Shell

Anvilogic Forge

Summary
This detection rule identifies activity associated with Metasploit's Meterpreter payload establishing a reverse shell on a target system. Meterpreter is frequently delivered through exploits such as EternalBlue and was used in notable attacks such as WannaCry. The detection logic uses several Windows Event Codes to track suspicious behavior, focusing on inbound connections, authentication failures, and possible command execution via script interpreters. The rule scrutinizes event logs for specific signature IDs indicative of Meterpreter reverse shell activity and applies filtering to isolate the relevant events. It also uses transaction and regex functions to correlate those events so that the activity is tracked accurately over a defined timeframe. The rule is aimed at identifying lateral movement and command-and-control activity conducted by sophisticated threat actors associated with various malware families and campaigns.
Categories
  • Windows
  • Endpoint
  • Network
Data Sources
  • Windows Registry
  • Process
  • Logon Session
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1059
  • T1059.001
  • T1059.003
  • T1570
  • T1095
Created: 2024-02-09