Ethan-Andrews/Exploitarium-Detections
GitHub: Ethan-Andrews/Exploitarium-Detections
一套针对 exploitarium 匿名漏洞披露研究的 KQL 检测规则集,为 Microsoft Sentinel 和 Defender XDR 提供覆盖 15 个漏洞目标、6 个 CVE 的威胁检测能力。
Stars: 40 | Forks: 28
# Exploitarium-Detections# Exploitarium KQL 检测覆盖范围
适用于 Microsoft Sentinel 和 Defender XDR 的 KQL 检测规则,涵盖 **bikini/exploitarium**
匿名披露 —— 一个包含 15 个不同漏洞目标的个人研究档案,涉及
109 个被跟踪文件,于 2026 年 6 月 23 日在未通知供应商的情况下发布。
**44 条规则** | **KQL** | **作者:** Ethan Andrews ([@eandrews](https://detections.ai/user/eandrews))
情报报告:https://systemtwosecurity.com/share/inspiration/VNJMKFVM
## 背景
一位昵称为 'bikini' 的匿名研究者发布了 exploitarium,这是一个包含
15 个不同漏洞目标(15 个文件夹中的 109 个被跟踪文件)的概念验证(PoC)研究的 GitHub repo。该 repo 尚处初期 —— 9 次 commit、9 个 star、1 个 fork —— 代表了一位研究者的个人档案,而非一个大型的协调攻击工具包。
**范围澄清:** 该 repo 包含 15 个不同的漏洞研究目标。每个文件夹的文件数量
反映了单个文件(脚本、payload、辅助程序、README)—— 而不是不同的 CVE。
研究者的 README 指出,这些漏洞在发布时均未上报。
最具技术意义的发现 —— libssh2 预认证堆写入和 Gitea 默认 Docker 认证绕过 —— 已被独立验证为高风险,并观察到了积极的漏洞利用。部分条目已被社区驳回,认为其属于低影响的 AI-fuzzing 噪音。
## Exploitarium 文件夹细分
| 文件夹 | 跟踪文件数 |
|--------|--------------|
| objdump-dlx-calc-poc | 41 |
| ghidra-12.1.2-rce-ace-calc-poc | 9 |
| openvpn-connect-echo-script-ace-poc | 8 |
| lunar-modrinth-chain-poc | 6 |
| docker-cp-copyout-destination-escape | 5 |
| imagemagick-gs-delegate-hijack-poc | 5 |
| mybb-limited-acp-to-admin | 5 |
| nmap-ipv6-extlen-wrap-poc | 4 |
| anydesk-printer-com-impersonation-poc | 4 |
| gitea-act-runner-container-options-poc | 4 |
| 7zip-rar5-motw-chain-poc | 3 |
| flowise-mcp-env-case-bypass-poc | 3 |
| floci-apigateway-vtl-rce-poc | 3 |
| libssh2-cve-2026-55200-poc | 3 |
| vlc-vp9-reschange-crash-poc | 3 |
| **总计** | **109** |
## 仓库结构
```
exploitarium-detections/
├── detections/
│ ├── 7zip/ # MOTW bypass x3 (rules 02, 27, 28)
│ ├── anydesk/ # COM hijack DLL, named pipe, PE fingerprint recon (rules 06, 36, 17)
│ ├── c-ares/ # TCP UAF NDR sequence, linkage recon, DNS failure spike (rules 07, 08, 41)
│ ├── docker/ # Privileged container host mount shell spawn (rule 38)
│ ├── exploitarium-generic/ # calc.exe PoC generic, multi-CVE sweep (rules 22, 44)
│ ├── firefox/ # SmartWindow silent enablement (rule 09)
│ ├── flowise/ # Unauthorized API access (rule 37)
│ ├── ghidra/ # Headless analyzer suspicious script execution (rule 40)
│ ├── imagemagick/ # Policy bypass delegate execution (rule 39)
│ ├── libssh2/ # Pre-auth RCE, DoS x2, scaffold x2, heap corruption, recon (rules 01, 12, 13, 24, 25, 26, 35)
│ ├── lunar-client/ # Electron IPC preload, Modrinth gameDirectory abuse (rules 15, 16)
│ ├── mybb/ # ACP privilege escalation x2 (rules 05, 21)
│ ├── nmap/ # IPv6 ExtLen wrap PoC (rule 18)
│ ├── openvpn/ # PAC injection, echo script ACE, DHCP option injection (rules 14, 42, CVE-2026-45115)
│ ├── php/ # SOAP RCE, ASLR bypass (rules 10, 11)
│ ├── rustdesk/ # Session bypass x4 (rules 03, 19, 23, 33, 34)
│ ├── splunk/ # splunkd child process, reverse shell, REST API, PoC artifact (rules 20, 31, 32, 43)
│ └── vlc/ # VP9 crash/child spawn, WER report, VP9 decode child (rules 04, 29, 30)
└── docs/
└── COVERAGE.md # Full rule index with MITRE and CVE mapping
```
## 按产品覆盖
| 产品 | 规则 | CVE |
|---------|-------|------|
| libssh2 | 7 | CVE-2026-55200, CVE-2026-55199 |
| Splunk | 4 | CVE-2026-20253 |
| RustDesk | 4 | CVE-2026-46331 |
| 7-Zip | 3 | CVE-2026-45115 |
| VLC | 3 | CVE-2026-20896 |
| AnyDesk | 3 | — |
| OpenVPN Connect | 3 | CVE-2026-45115 |
| c-ares | 3 | — |
| MyBB | 2 | — |
| PHP | 2 | — |
| Lunar Client | 2 | — |
| Exploitarium 通用 | 2 | — |
| Docker | 1 | — |
| Firefox | 1 | — |
| Flowise | 1 | — |
| Ghidra | 1 | — |
| ImageMagick | 1 | — |
| Nmap | 1 | — |
## CVE 覆盖
| CVE | CVSS | 受影响对象 | 规则 |
|-----|------|----------|-------|
| CVE-2026-55200 | 9.2 | libssh2 ≤1.11.1(传递影响:curl、Git、PHP) | 5 |
| CVE-2026-55199 | — | libssh2 因密钥交换 CPU 占用导致的 DoS | 2 |
| CVE-2026-20253 | — | Splunk splunkd RCE | 4 |
| CVE-2026-46331 | — | RustDesk 会话权限绕过 | 4 |
| CVE-2026-45115 | — | 7-Zip MOTW 绕过 + OpenVPN ACE | 4 |
| CVE-2026-20896 | — | VLC VP9 堆损坏 | 3 |
## 平台覆盖
| 平台 | 规则 |
|----------|-------|
| Windows | 35 |
| Linux | 22 |
| macOS | 4 |
| 容器/运行时 | 3 |
| 网络 (NDR/CSL) | 1 |
| SaaS | 1 |
## 优先规则 —— 优先行动
1. `libssh2/cve-2026-55200-pre-auth-rce-child-process.kql` — CVSS 9.2,处于积极利用中
2. `libssh2/libssh2-linkage-recon-ldd-readelf-strings.kql` — 捕获漏洞利用前的侦测
3. `libssh2/cve-2026-55200-libpwn-harness-binaries-endpoint.kql` — 磁盘上的 harness 二进制文件
4. `exploitarium-generic/multi-cve-exploitarium-sweep-simultaneous-poc.kql` — 最广泛的扫描
5. `splunk/cve-2026-20253-splunkd-unexpected-child-process.kql` — 高价值企业目标
6. `rustdesk/rustdesk-session-permission-bypass-comprehensive.kql` — 完整的多分支覆盖
## 规则索引(PDF 标准顺序)
| # | 文件 | CVE |
|---|------|-----|
| 01 | libssh2/cve-2026-55200-pre-auth-rce-child-process.kql | CVE-2026-55200 |
| 02 | 7zip/7zip-rar5-motw-bypass-extracted-exe-launch.kql | CVE-2026-45115 |
| 03 | rustdesk/rustdesk-session-permission-bypass-comprehensive.kql | CVE-2026-46331 |
| 04 | vlc/vlc-vp9-resolution-change-crash-child-spawn.kql | CVE-2026-20896 |
| 05 | mybb/mybb-acp-privesc-limited-admin-template-plugin.kql | — |
| 06 | anydesk/anydesk-printer-com-hijack-dll-load.kql | — |
| 07 | c-ares/c-ares-tcp-uaf-dns-formerr-rst-ndr.kql | — |
| 08 | c-ares/c-ares-linkage-discovery-ldd-readelf-recon.kql | — |
| 09 | firefox/firefox-smartwindow-silent-enable-attacker-endpoint.kql | — |
| 10 | php/php-857-soap-rce-heap-spray.kql | — |
| 11 | php/php-aslr-defeat-proc-self-maps-mem.kql | — |
| 12 | libssh2/cve-2026-55200-malicious-ssh-scaffold-cipher-negotiation.kql | CVE-2026-55200 |
| 13 | libssh2/cve-2026-55200-libpwn-scaffold-execution.kql | CVE-2026-55200 |
| 14 | openvpn/openvpn-pac-autoconfigurl-injection.kql | — |
| 15 | lunar-client/lunar-client-electron-preload-ipc-privesc.kql | — |
| 16 | lunar-client/lunar-client-modrinth-ipc-gamedirectory-abuse.kql | — |
| 17 | anydesk/anydesk-976-pe-fingerprint-recon.kql | — |
| 18 | nmap/nmap-ipv6-extlen-wrap-poc-compilation-execution.kql | — |
| 19 | rustdesk/rustdesk-anomalous-relay-connection-ports.kql | CVE-2026-46331 |
| 20 | splunk/cve-2026-20253-splunkd-unexpected-child-process.kql | CVE-2026-20253 |
| 21 | mybb/mybb-limited-acp-accessing-superadmin-functions.kql | — |
| 22 | exploitarium-generic/exploitarium-poc-calc-spawned-by-anomalous-parent.kql | — |
| 23 | rustdesk/rustdesk-session-permission-bypass-comprehensive.kql | CVE-2026-46331 |
| 24 | libssh2/libssh2-linkage-recon-ldd-readelf-strings.kql | CVE-2026-55200 |
| 25 | libssh2/cve-2026-55199-libssh2-dos-cpu-spin.kql | CVE-2026-55199 |
| 26 | libssh2/libssh2-publickey-heap-corruption-poc.kql | CVE-2026-55200 |
| 27 | 7zip/cve-2026-45115-7zip-motw-archive-extraction-temp-execution.kql | CVE-2026-45115 |
| 28 | 7zip/cve-2026-45115-7zip-rar5-motw-zone-identifier-absent.kql | CVE-2026-45115 |
| 29 | vlc/cve-2026-20896-vlc-vp9-crash-dump-wer-report.kql | CVE-2026-20896 |
| 30 | vlc/cve-2026-20896-vlc-suspicious-child-process-vp9-decode.kql | CVE-2026-20896 |
| 31 | splunk/cve-2026-20253-splunk-rce-reverse-shell-indicators.kql | CVE-2026-20253 |
| 32 | splunk/cve-2026-20253-splunk-malicious-search-command-rest-api.kql | CVE-2026-20253 |
| 33 | rustdesk/cve-2026-46331-rustdesk-unauthenticated-relay-forged-token.kql | CVE-2026-46331 |
| 34 | rustdesk/cve-2026-46331-rustdesk-relay-server-impersonation-nonstandard-port.kql | CVE-2026-46331 |
| 35 | libssh2/cve-2026-55199-libssh2-dos-malformed-kex-init-flood.kql | CVE-2026-55199 |
| 36 | anydesk/anydesk-com-printer-pipe-named-pipe-creation.kql | — |
| 37 | flowise/flowise-ai-server-unauthorized-api-access-prompt-injection.kql | — |
| 38 | docker/docker-container-escape-privileged-host-mount-shell.kql | — |
| 39 | imagemagick/imagemagick-policy-bypass-delegate-execution.kql | — |
| 40 | ghidra/ghidra-headless-analyzer-suspicious-script-execution.kql | — |
| 41 | c-ares/c-ares-tcp-uaf-dns-resolution-failure-spike.kql | — |
| 42 | openvpn/openvpn-dhcp-option-injection-autoconfigurl-registry.kql | — |
| 43 | splunk/cve-2026-20253-splunk-exploit-poc-script-artifact.kql | CVE-2026-20253 |
| 44 | exploitarium-generic/multi-cve-exploitarium-sweep-simultaneous-poc.kql | 全部 6 个 CVE |
## 用法
每个 `.kql` 文件都包含完整的规则正文以及元数据标头(严重程度、平台、
MITRE ID、CVE、detections.ai 链接)。直接作为计划查询导入到 Sentinel,
或作为自定义检测导入到 Defender XDR。
通过 [detections.ai 语言翻译功能](https://detections.ai),还可以在 Splunk SPL、Elastic、Chronicle 和其他技术栈中使用这些规则。
## 作者
**Ethan Andrews**
受信任的贡献者 —— [detections.ai](https://detections.ai/user/eandrews)
标签:DNS 反向解析, KQL, Microsoft Defender XDR, Microsoft Sentinel, Web报告查看器, 安全检测规则