KQL detection rules for Microsoft Sentinel and Defender XDR covering the bikini/exploitarium anonymous disclosure — a personal research archive of 15+ distinct vulnerability targets across 109+ tracked files, released without vendor notification on June 23, 2026.

54 rules | 23 product folders | KQL | Author: Ethan Andrews (@eandrews)

Last Updated: 7/1/2026

Intel report: https://systemtwosecurity.com/share/inspiration/VNJMKFVM


Background

An anonymous researcher known as 'bikini' released exploitarium, a GitHub repo containing proof-of-concept research across 15+ distinct vulnerability targets (109+ tracked files across 15+ folders). The repo is actively updated — new entries are being added as the researcher continues publishing work.

Scope clarification: The repo contains 15 distinct vulnerability research targets. File counts per folder reflect individual files (scripts, payloads, helpers, READMEs) — not distinct CVEs. The researcher's README notes these were unreported at time of posting and explicitly invites others to file CVEs.

The most technically significant findings — libssh2 pre-auth heap write and Gitea default Docker auth bypass — have been independently verified as high-risk with active exploitation observed. Some entries have been dismissed by the community as low-impact noise.


Exploitarium Folder Breakdown

| Folder | Tracked Files |
|---|---|
| objdump-dlx-calc-poc | 41 |
| ghidra-12.1.2-rce-ace-calc-poc | 9 |
| openvpn-connect-echo-script-ace-poc | 8 |
| lunar-modrinth-chain-poc | 6 |
| docker-cp-copyout-destination-escape | 5 |
| imagemagick-gs-delegate-hijack-poc | 5 |
| mybb-limited-acp-to-admin | 5 |
| nmap-ipv6-extlen-wrap-poc | 4 |
| anydesk-printer-com-impersonation-poc | 4 |
| gitea-act-runner-container-options-poc | 4 |
| 7zip-rar5-motw-chain-poc | 3 |
| flowise-mcp-env-case-bypass-poc | 3 |
| floci-apigateway-vtl-rce-poc | 3 |
| libssh2-cve-2026-55200-poc | 3 |
| vlc-vp9-reschange-crash-poc | 3 |
| Total | 109 |

Repository Structure

Exploitarium-Detections/
├── 7zip/                 # MOTW bypass x3 (rules 02, 27, 28)
├── anydesk/              # COM hijack DLL, named pipe, PE fingerprint recon (rules 06, 17, 36)
├── c-ares/               # TCP UAF NDR sequence, linkage recon, DNS failure spike (rules 07, 08, 41)
├── curl/                 # SMTP CRLF injection attempt + PoC artifact (rules 45, 46)
├── docker/               # Privileged container host mount shell spawn (rule 38)
├── exploitarium-generic/ # calc.exe PoC generic, multi-CVE sweep (rules 22, 44)
├── ffmpeg/               # (reserved)
├── firefox/              # SmartWindow silent enablement (rule 09)
├── flowise/              # Unauthorized API access (rule 37)
├── ghidra/               # Headless analyzer suspicious script execution (rule 40)
├── imagemagick/          # Policy bypass delegate execution (rule 39)
├── libarchive/           # ZIP debuginfod size boundary bypass x2 (rules 51, 52)
├── libssh2/              # Pre-auth RCE, DoS x2, scaffold x2, heap corruption, recon (rules 01, 12, 13, 24, 25, 26, 35)
├── lunar-client/         # Electron IPC preload, Modrinth gameDirectory abuse (rules 15, 16)
├── mybb/                 # ACP privilege escalation x2 (rules 05, 21)
├── nextjs/               # unstable_cache PoC execution, cache object collision (rules 49, 50)
├── nmap/                 # IPv6 ExtLen wrap PoC (rule 18)
├── nodebb/               # ActivityPub UID spoof x2 (rules 47, 48)
├── openvpn/              # PAC injection, echo script ACE, DHCP option injection (rules 14, 42, CVE-2026-45115)
├── php/                  # SOAP RCE, ASLR bypass (rules 10, 11)
├── pillow/               # ImageCms OOB write PoC execution + crash detection (rules 53, 54, 55)
├── rustdesk/             # Session bypass x4 (rules 03, 19, 23, 33, 34)
├── splunk/               # splunkd child process, reverse shell, REST API, PoC artifact (rules 20, 31, 32, 43)
└── vlc/                  # VP9 crash/child spawn, WER report, VP9 decode child (rules 04, 29, 30)

Coverage by Product

| Product | Rules | CVEs |
|---|---|---|
| libssh2 | 7 | CVE-2026-55200, CVE-2026-55199 |
| Splunk | 4 | CVE-2026-20253 |
| RustDesk | 4 | CVE-2026-46331 |
| 7-Zip | 3 | CVE-2026-45115 |
| VLC | 3 | CVE-2026-20896 |
| AnyDesk | 3 | |
| OpenVPN Connect | 3 | CVE-2026-45115 |
| c-ares | 3 | |
| curl | 2 | |
| libarchive | 2 | |
| MyBB | 2 | |
| PHP | 2 | |
| Lunar Client | 2 | |
| Next.js | 2 | |
| NodeBB | 2 | |
| Pillow | 2 | |
| Exploitarium Generic | 2 | |
| Docker | 1 | |
| Firefox | 1 | |
| Flowise | 1 | |
| Ghidra | 1 | |
| ImageMagick | 1 | |
| Nmap | 1 | |

CVE Coverage

| CVE | CVSS | Affected | Rules |
|---|---|---|---|
| CVE-2026-55200 | 9.2 | libssh2 ≤1.11.1 (transitive: curl, Git, PHP) | 5 |
| CVE-2026-55199 | | libssh2 DoS via key exchange CPU spin | 2 |
| CVE-2026-20253 | | Splunk splunkd RCE | 4 |
| CVE-2026-46331 | | RustDesk session permission bypass | 4 |
| CVE-2026-45115 | | 7-Zip MOTW bypass + OpenVPN ACE | 4 |
| CVE-2026-20896 | | VLC VP9 heap corruption | 3 |

Platform Coverage

| Platform | Rules |
|---|---|
| Windows | 38 |
| Linux | 25 |
| macOS | 6 |
| Container/Runtime | 3 |
| Network (NDR/CSL) | 1 |
| SaaS | 1 |

Priority Rules — Action First

  1. libssh2/cve-2026-55200-pre-auth-rce-child-process.kql — CVSS 9.2, active exploitation
  2. libssh2/libssh2-linkage-recon-ldd-readelf-strings.kql — catch pre-exploitation recon
  3. libssh2/cve-2026-55200-libpwn-harness-binaries-endpoint.kql — harness binaries on disk
  4. exploitarium-generic/multi-cve-exploitarium-sweep-simultaneous-poc.kql — broadest sweep
  5. splunk/cve-2026-20253-splunkd-unexpected-child-process.kql — high-value enterprise target
  6. rustdesk/rustdesk-session-permission-bypass-comprehensive.kql — full multi-branch coverage
  7. curl/curl-smtp-expn-crlf-injection-attempt.kql — relevant for any mail-sending SaaS using libcurl

Rule Index

| # | Folder | File | CVE |
|---|---|---|---|
| 01 | libssh2 | cve-2026-55200-pre-auth-rce-child-process.kql | CVE-2026-55200 |
| 02 | 7zip | 7zip-rar5-motw-bypass-extracted-exe-launch.kql | CVE-2026-45115 |
| 03 | rustdesk | rustdesk-session-permission-bypass-comprehensive.kql | CVE-2026-46331 |
| 04 | vlc | vlc-vp9-resolution-change-crash-child-spawn.kql | CVE-2026-20896 |
| 05 | mybb | mybb-acp-privesc-limited-admin-template-plugin.kql | |
| 06 | anydesk | anydesk-printer-com-hijack-dll-load.kql | |
| 07 | c-ares | c-ares-tcp-uaf-dns-formerr-rst-ndr.kql | |
| 08 | c-ares | c-ares-linkage-discovery-ldd-readelf-recon.kql | |
| 09 | firefox | firefox-smartwindow-silent-enable-attacker-endpoint.kql | |
| 10 | php | php-857-soap-rce-heap-spray.kql | |
| 11 | php | php-aslr-defeat-proc-self-maps-mem.kql | |
| 12 | libssh2 | cve-2026-55200-malicious-ssh-scaffold-cipher-negotiation.kql | CVE-2026-55200 |
| 13 | libssh2 | cve-2026-55200-libpwn-scaffold-execution.kql | CVE-2026-55200 |
| 14 | openvpn | openvpn-pac-autoconfigurl-injection.kql | |
| 15 | lunar-client | lunar-client-electron-preload-ipc-privesc.kql | |
| 16 | lunar-client | lunar-client-modrinth-ipc-gamedirectory-abuse.kql | |
| 17 | anydesk | anydesk-976-pe-fingerprint-recon.kql | |
| 18 | nmap | nmap-ipv6-extlen-wrap-poc-compilation-execution.kql | |
| 19 | rustdesk | rustdesk-anomalous-relay-connection-ports.kql | CVE-2026-46331 |
| 20 | splunk | cve-2026-20253-splunkd-unexpected-child-process.kql | CVE-2026-20253 |
| 21 | mybb | mybb-limited-acp-accessing-superadmin-functions.kql | |
| 22 | exploitarium-generic | exploitarium-poc-calc-spawned-by-anomalous-parent.kql | |
| 23 | rustdesk | rustdesk-session-permission-bypass-comprehensive.kql | CVE-2026-46331 |
| 24 | libssh2 | libssh2-linkage-recon-ldd-readelf-strings.kql | CVE-2026-55200 |
| 25 | libssh2 | cve-2026-55199-libssh2-dos-cpu-spin.kql | CVE-2026-55199 |
| 26 | libssh2 | libssh2-publickey-heap-corruption-poc.kql | CVE-2026-55200 |
| 27 | 7zip | cve-2026-45115-7zip-motw-archive-extraction-temp-execution.kql | CVE-2026-45115 |
| 28 | 7zip | cve-2026-45115-7zip-rar5-motw-zone-identifier-absent.kql | CVE-2026-45115 |
| 29 | vlc | cve-2026-20896-vlc-vp9-crash-dump-wer-report.kql | CVE-2026-20896 |
| 30 | vlc | cve-2026-20896-vlc-suspicious-child-process-vp9-decode.kql | CVE-2026-20896 |
| 31 | splunk | cve-2026-20253-splunk-rce-reverse-shell-indicators.kql | CVE-2026-20253 |
| 32 | splunk | cve-2026-20253-splunk-malicious-search-command-rest-api.kql | CVE-2026-20253 |
| 33 | rustdesk | cve-2026-46331-rustdesk-unauthenticated-relay-forged-token.kql | CVE-2026-46331 |
| 34 | rustdesk | cve-2026-46331-rustdesk-relay-server-impersonation-nonstandard-port.kql | CVE-2026-46331 |
| 35 | libssh2 | cve-2026-55199-libssh2-dos-malformed-kex-init-flood.kql | CVE-2026-55199 |
| 36 | anydesk | anydesk-com-printer-pipe-named-pipe-creation.kql | |
| 37 | flowise | flowise-ai-server-unauthorized-api-access-prompt-injection.kql | |
| 38 | docker | docker-container-escape-privileged-host-mount-shell.kql | |
| 39 | imagemagick | imagemagick-policy-bypass-delegate-execution.kql | |
| 40 | ghidra | ghidra-headless-analyzer-suspicious-script-execution.kql | |
| 41 | c-ares | c-ares-tcp-uaf-dns-resolution-failure-spike.kql | |
| 42 | openvpn | openvpn-dhcp-option-injection-autoconfigurl-registry.kql | |
| 43 | splunk | cve-2026-20253-splunk-exploit-poc-script-artifact.kql | CVE-2026-20253 |
| 44 | exploitarium-generic | multi-cve-exploitarium-sweep-simultaneous-poc.kql | All 6 CVEs |
| 45 | curl | curl-smtp-expn-crlf-injection-attempt.kql | |
| 46 | curl | curl-smtp-expn-crlf-poc-artifact-detection.kql | |
| 47 | nodebb | nodebb-activitypub-uid-spoof-poc-execution.kql | |
| 48 | nodebb | nodebb-activitypub-attributedto-uid-spoof-outbound-actor-fetch.kql | |
| 49 | nextjs | nextjs-unstable-cache-poc-execution.kql | |
| 50 | nextjs | nextjs-unstable-cache-object-argument-collision-cache-poisoning.kql | |
| 51 | libarchive | libarchive-zip-debuginfod-size-boundary-poc-execution.kql | |
| 52 | libarchive | libarchive-debuginfod-zip-size-boundary-bypass-poc.kql | |
| 53 | pillow | pillow-imagecms-oob-write-poc-execution.kql | |
| 54 | pillow | pillow-imagecms-oob-write-crash-detection.kql | |

Usage

Each .kql file contains the full rule body plus a metadata header (severity, platforms, MITRE IDs, CVEs, detections.ai link). Import each rule directly into Microsoft Sentinel as a scheduled query (analytics) rule, or into Defender XDR as a custom detection.

Rules are also available in Splunk SPL, Elastic, Chronicle, and other stacks via the detections.ai language translation feature.
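To show the shape of a rule in this format, here is an added illustrative query written for this README; it is not rule 01 from the repository, and the header layout, the list of libssh2-linked parent processes and the child-process list are assumptions made for the example. It follows the idea behind rule 01 (a process that consumes libssh2 should not be spawning shells or download utilities) and returns the columns that a Defender XDR custom detection requires.

```kql
// --- Metadata header (field names from the README; the layout is assumed) ---
// Name:      Illustrative: libssh2 consumer spawning a shell (CVE-2026-55200 style)
// Severity:  High
// Platforms: Linux, macOS
// MITRE:     T1203 Exploitation for Client Execution, T1059.004 Unix Shell
// CVEs:      CVE-2026-55200
// Source:    added example for this README, not a rule from the repo
//
// Logic: the libssh2 bug is reached on the client side before authentication,
// so the first post-exploitation sign on an endpoint is the libssh2-linked
// process (per the CVE table: curl, Git, PHP) launching a shell or a
// download/recon tool it has no normal reason to run.
let lookback = 1d;
// Assumed list of processes that link libssh2 on a typical host.
let libssh2_consumers = dynamic(["curl", "git", "php", "php-fpm", "php-cli"]);
// Assumed list of children that indicate post-exploitation rather than normal use.
let suspicious_children = dynamic(["sh", "bash", "dash", "zsh", "nc", "ncat",
                                   "python", "python3", "perl", "wget"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName in~ (libssh2_consumers)
| where FileName in~ (suspicious_children)
// git legitimately runs a shell for repository hooks; drop that case as a
// starting point for tuning (extend with your own known-good parents).
| where not(InitiatingProcessFileName =~ "git"
            and ProcessCommandLine contains ".git/hooks/")
| project Timestamp, DeviceName, AccountName,
          ParentProcess = InitiatingProcessFileName,
          ParentCommandLine = InitiatingProcessCommandLine,
          ChildProcess = FileName,
          ChildCommandLine = ProcessCommandLine,
          // Defender XDR custom detections need these three to act on a device.
          DeviceId, ReportId
| order by Timestamp desc
```

In Sentinel the same query runs unchanged as a scheduled analytics rule over the Defender connector's DeviceProcessEvents table; the hook exclusion is deliberately narrow, so expect to add site-specific parents (build agents, package managers that shell out through curl) before enabling it at High severity.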


Author

Ethan Andrews, Trusted Contributor at detections.ai