KQL detection rules for Microsoft Sentinel and Defender XDR covering the bikini/exploitarium anonymous disclosure — a personal research archive of 15+ distinct vulnerability targets across 109+ tracked files, released without vendor notification on June 23, 2026.
54 rules | 23 product folders | KQL | Author: Ethan Andrews (@eandrews)
Last Updated: 7/1/2026
Intel report: https://systemtwosecurity.com/share/inspiration/VNJMKFVM
Background
An anonymous researcher known as 'bikini' released exploitarium, a GitHub repo containing proof-of-concept research across 15+ distinct vulnerability targets (109+ tracked files across 15+ folders). The repo is actively updated — new entries are being added as the researcher continues publishing work.
Scope clarification: The repo contains 15 distinct vulnerability research targets. File counts per folder reflect individual files (scripts, payloads, helpers, READMEs) — not distinct CVEs. The researcher's README notes these were unreported at time of posting and explicitly invites others to file CVEs.
The most technically significant findings — libssh2 pre-auth heap write and Gitea default Docker auth bypass — have been independently verified as high-risk with active exploitation observed. Some entries have been dismissed by the community as low-impact noise.
Exploitarium Folder Breakdown
| Folder | Tracked Files |
|---|---|
| objdump-dlx-calc-poc | 41 |
| ghidra-12.1.2-rce-ace-calc-poc | 9 |
| openvpn-connect-echo-script-ace-poc | 8 |
| lunar-modrinth-chain-poc | 6 |
| docker-cp-copyout-destination-escape | 5 |
| imagemagick-gs-delegate-hijack-poc | 5 |
| mybb-limited-acp-to-admin | 5 |
| nmap-ipv6-extlen-wrap-poc | 4 |
| anydesk-printer-com-impersonation-poc | 4 |
| gitea-act-runner-container-options-poc | 4 |
| 7zip-rar5-motw-chain-poc | 3 |
| flowise-mcp-env-case-bypass-poc | 3 |
| floci-apigateway-vtl-rce-poc | 3 |
| libssh2-cve-2026-55200-poc | 3 |
| vlc-vp9-reschange-crash-poc | 3 |
| Total | 109 |
Repository Structure
```
Exploitarium-Detections/
├── 7zip/                  # MOTW bypass x3 (rules 02, 27, 28)
├── anydesk/               # COM hijack DLL, named pipe, PE fingerprint recon (rules 06, 17, 36)
├── c-ares/                # TCP UAF NDR sequence, linkage recon, DNS failure spike (rules 07, 08, 41)
├── curl/                  # SMTP CRLF injection attempt + PoC artifact (rules 45, 46)
├── docker/                # Privileged container host mount shell spawn (rule 38)
├── exploitarium-generic/  # calc.exe PoC generic, multi-CVE sweep (rules 22, 44)
├── ffmpeg/                # (reserved)
├── firefox/               # SmartWindow silent enablement (rule 09)
├── flowise/               # Unauthorized API access (rule 37)
├── ghidra/                # Headless analyzer suspicious script execution (rule 40)
├── imagemagick/           # Policy bypass delegate execution (rule 39)
├── libarchive/            # ZIP debuginfod size boundary bypass x2 (rules 51, 52)
├── libssh2/               # Pre-auth RCE, DoS x2, scaffold x2, heap corruption, recon (rules 01, 12, 13, 24, 25, 26, 35)
├── lunar-client/          # Electron IPC preload, Modrinth gameDirectory abuse (rules 15, 16)
├── mybb/                  # ACP privilege escalation x2 (rules 05, 21)
├── nextjs/                # unstable_cache PoC execution, cache object collision (rules 49, 50)
├── nmap/                  # IPv6 ExtLen wrap PoC (rule 18)
├── nodebb/                # ActivityPub UID spoof x2 (rules 47, 48)
├── openvpn/               # PAC injection, echo script ACE, DHCP option injection (rules 14, 42, CVE-2026-45115)
├── php/                   # SOAP RCE, ASLR bypass (rules 10, 11)
├── pillow/                # ImageCms OOB write PoC execution + crash detection (rules 53, 54, 55)
├── rustdesk/              # Session bypass x4 (rules 03, 19, 23, 33, 34)
├── splunk/                # splunkd child process, reverse shell, REST API, PoC artifact (rules 20, 31, 32, 43)
└── vlc/                   # VP9 crash/child spawn, WER report, VP9 decode child (rules 04, 29, 30)
```
Coverage by Product
| Product | Rules | CVEs |
|---|---|---|
| libssh2 | 7 | CVE-2026-55200, CVE-2026-55199 |
| Splunk | 4 | CVE-2026-20253 |
| RustDesk | 4 | CVE-2026-46331 |
| 7-Zip | 3 | CVE-2026-45115 |
| VLC | 3 | CVE-2026-20896 |
| AnyDesk | 3 | — |
| OpenVPN Connect | 3 | CVE-2026-45115 |
| c-ares | 3 | — |
| curl | 2 | — |
| libarchive | 2 | — |
| MyBB | 2 | — |
| PHP | 2 | — |
| Lunar Client | 2 | — |
| Next.js | 2 | — |
| NodeBB | 2 | — |
| Pillow | 2 | — |
| Exploitarium Generic | 2 | — |
| Docker | 1 | — |
| Firefox | 1 | — |
| Flowise | 1 | — |
| Ghidra | 1 | — |
| ImageMagick | 1 | — |
| Nmap | 1 | — |
CVE Coverage
| CVE | CVSS | Affected | Rules |
|---|---|---|---|
| CVE-2026-55200 | 9.2 | libssh2 ≤1.11.1 (transitive: curl, Git, PHP) | 5 |
| CVE-2026-55199 | — | libssh2 DoS via key exchange CPU spin | 2 |
| CVE-2026-20253 | — | Splunk splunkd RCE | 4 |
| CVE-2026-46331 | — | RustDesk session permission bypass | 4 |
| CVE-2026-45115 | — | 7-Zip MOTW bypass + OpenVPN ACE | 4 |
| CVE-2026-20896 | — | VLC VP9 heap corruption | 3 |
Platform Coverage
| Platform | Rules |
|---|---|
| Windows | 38 |
| Linux | 25 |
| macOS | 6 |
| Container/Runtime | 3 |
| Network (NDR/CSL) | 1 |
| SaaS | 1 |
Priority Rules — Action First
- libssh2/cve-2026-55200-pre-auth-rce-child-process.kql — CVSS 9.2, active exploitation
- libssh2/libssh2-linkage-recon-ldd-readelf-strings.kql — catch pre-exploitation recon
- libssh2/cve-2026-55200-libpwn-harness-binaries-endpoint.kql — harness binaries on disk
- exploitarium-generic/multi-cve-exploitarium-sweep-simultaneous-poc.kql — broadest sweep
- splunk/cve-2026-20253-splunkd-unexpected-child-process.kql — high-value enterprise target
- rustdesk/rustdesk-session-permission-bypass-comprehensive.kql — full multi-branch coverage
- curl/curl-smtp-expn-crlf-injection-attempt.kql — relevant for any mail-sending SaaS using libcurl
Rule Index
| # | Folder | File | CVE |
|---|---|---|---|
| 01 | libssh2 | cve-2026-55200-pre-auth-rce-child-process.kql | CVE-2026-55200 |
| 02 | 7zip | 7zip-rar5-motw-bypass-extracted-exe-launch.kql | CVE-2026-45115 |
| 03 | rustdesk | rustdesk-session-permission-bypass-comprehensive.kql | CVE-2026-46331 |
| 04 | vlc | vlc-vp9-resolution-change-crash-child-spawn.kql | CVE-2026-20896 |
| 05 | mybb | mybb-acp-privesc-limited-admin-template-plugin.kql | — |
| 06 | anydesk | anydesk-printer-com-hijack-dll-load.kql | — |
| 07 | c-ares | c-ares-tcp-uaf-dns-formerr-rst-ndr.kql | — |
| 08 | c-ares | c-ares-linkage-discovery-ldd-readelf-recon.kql | — |
| 09 | firefox | firefox-smartwindow-silent-enable-attacker-endpoint.kql | — |
| 10 | php | php-857-soap-rce-heap-spray.kql | — |
| 11 | php | php-aslr-defeat-proc-self-maps-mem.kql | — |
| 12 | libssh2 | cve-2026-55200-malicious-ssh-scaffold-cipher-negotiation.kql | CVE-2026-55200 |
| 13 | libssh2 | cve-2026-55200-libpwn-scaffold-execution.kql | CVE-2026-55200 |
| 14 | openvpn | openvpn-pac-autoconfigurl-injection.kql | — |
| 15 | lunar-client | lunar-client-electron-preload-ipc-privesc.kql | — |
| 16 | lunar-client | lunar-client-modrinth-ipc-gamedirectory-abuse.kql | — |
| 17 | anydesk | anydesk-976-pe-fingerprint-recon.kql | — |
| 18 | nmap | nmap-ipv6-extlen-wrap-poc-compilation-execution.kql | — |
| 19 | rustdesk | rustdesk-anomalous-relay-connection-ports.kql | CVE-2026-46331 |
| 20 | splunk | cve-2026-20253-splunkd-unexpected-child-process.kql | CVE-2026-20253 |
| 21 | mybb | mybb-limited-acp-accessing-superadmin-functions.kql | — |
| 22 | exploitarium-generic | exploitarium-poc-calc-spawned-by-anomalous-parent.kql | — |
| 23 | rustdesk | rustdesk-session-permission-bypass-comprehensive.kql | CVE-2026-46331 |
| 24 | libssh2 | libssh2-linkage-recon-ldd-readelf-strings.kql | CVE-2026-55200 |
| 25 | libssh2 | cve-2026-55199-libssh2-dos-cpu-spin.kql | CVE-2026-55199 |
| 26 | libssh2 | libssh2-publickey-heap-corruption-poc.kql | CVE-2026-55200 |
| 27 | 7zip | cve-2026-45115-7zip-motw-archive-extraction-temp-execution.kql | CVE-2026-45115 |
| 28 | 7zip | cve-2026-45115-7zip-rar5-motw-zone-identifier-absent.kql | CVE-2026-45115 |
| 29 | vlc | cve-2026-20896-vlc-vp9-crash-dump-wer-report.kql | CVE-2026-20896 |
| 30 | vlc | cve-2026-20896-vlc-suspicious-child-process-vp9-decode.kql | CVE-2026-20896 |
| 31 | splunk | cve-2026-20253-splunk-rce-reverse-shell-indicators.kql | CVE-2026-20253 |
| 32 | splunk | cve-2026-20253-splunk-malicious-search-command-rest-api.kql | CVE-2026-20253 |
| 33 | rustdesk | cve-2026-46331-rustdesk-unauthenticated-relay-forged-token.kql | CVE-2026-46331 |
| 34 | rustdesk | cve-2026-46331-rustdesk-relay-server-impersonation-nonstandard-port.kql | CVE-2026-46331 |
| 35 | libssh2 | cve-2026-55199-libssh2-dos-malformed-kex-init-flood.kql | CVE-2026-55199 |
| 36 | anydesk | anydesk-com-printer-pipe-named-pipe-creation.kql | — |
| 37 | flowise | flowise-ai-server-unauthorized-api-access-prompt-injection.kql | — |
| 38 | docker | docker-container-escape-privileged-host-mount-shell.kql | — |
| 39 | imagemagick | imagemagick-policy-bypass-delegate-execution.kql | — |
| 40 | ghidra | ghidra-headless-analyzer-suspicious-script-execution.kql | — |
| 41 | c-ares | c-ares-tcp-uaf-dns-resolution-failure-spike.kql | — |
| 42 | openvpn | openvpn-dhcp-option-injection-autoconfigurl-registry.kql | — |
| 43 | splunk | cve-2026-20253-splunk-exploit-poc-script-artifact.kql | CVE-2026-20253 |
| 44 | exploitarium-generic | multi-cve-exploitarium-sweep-simultaneous-poc.kql | All 6 CVEs |
| 45 | curl | curl-smtp-expn-crlf-injection-attempt.kql | — |
| 46 | curl | curl-smtp-expn-crlf-poc-artifact-detection.kql | — |
| 47 | nodebb | nodebb-activitypub-uid-spoof-poc-execution.kql | — |
| 48 | nodebb | nodebb-activitypub-attributedto-uid-spoof-outbound-actor-fetch.kql | — |
| 49 | nextjs | nextjs-unstable-cache-poc-execution.kql | — |
| 50 | nextjs | nextjs-unstable-cache-object-argument-collision-cache-poisoning.kql | — |
| 51 | libarchive | libarchive-zip-debuginfod-size-boundary-poc-execution.kql | — |
| 52 | libarchive | libarchive-debuginfod-zip-size-boundary-bypass-poc.kql | — |
| 53 | pillow | pillow-imagecms-oob-write-poc-execution.kql | — |
| 54 | pillow | pillow-imagecms-oob-write-crash-detection.kql | — |
Usage
Each .kql file contains the full rule body plus a metadata header (severity, platforms,
MITRE IDs, CVEs, detections.ai link). Import directly into Sentinel as a scheduled query
rule or Defender XDR as a custom detection.
Rules are also available in Splunk SPL, Elastic, Chronicle, and other stacks via the detections.ai language translation feature.
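To show what the "metadata header plus rule body" layout looks like in practice, here is an added illustration (not a file from this repository, and not the author's rule text) of a rule in the shape of rule 20, `splunkd` spawning an unexpected child process. The allow-list, the list of interpreters, the lookback window and the MITRE mapping are assumptions chosen for the illustration; the `DeviceProcessEvents` table and the `Timestamp`/`DeviceId`/`ReportId` columns are the real Defender XDR schema that a custom detection must project.

```kql
// ---------------------------------------------------------------
// Name:      splunkd-unexpected-child-process (illustrative layout, not the repo's rule)
// Severity:  High
// Platforms: Windows, Linux
// MITRE:     T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter)
// CVEs:      CVE-2026-20253
// Reference: <detections.ai link placeholder>
// ---------------------------------------------------------------
// Assumption: the lists below are starting points; tune them to what your
// Splunk hosts legitimately launch (scripted inputs, alert actions, btool).
let lookback = 1h;
let expected_children = dynamic([
    "splunkd", "splunkd.exe", "splunk", "splunk.exe",
    "python", "python3", "python.exe", "btool", "btool.exe"
]);
// Shells, interpreters and download utilities that a search head or indexer
// has no routine reason to spawn directly.
let suspicious_children = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash",
    "nc", "ncat", "curl", "wget", "certutil.exe", "mshta.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName in~ ("splunkd", "splunkd.exe")
| where FileName !in~ (expected_children)
| where FileName in~ (suspicious_children)
// Timestamp, DeviceId and ReportId are mandatory for a Defender XDR custom detection;
// the remaining columns are what an analyst needs to triage the hit.
| project Timestamp, DeviceId, DeviceName, ReportId, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine, SHA256
| order by Timestamp desc
```

Import this shape into Sentinel as a scheduled query rule (set the query frequency to match `lookback` so events are neither missed nor double-alerted) or into Defender XDR as a custom detection; the header comments are ignored by the engine but keep severity, platform and CVE context next to the logic that the rule files in this repository carry.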
Author
Ethan Andrews Trusted Contributor — detections.ai