Home › Detection Pack
Detection Engineering · Verifiable

Traceable Detection Pack

Production-ready Sigma rules for vulnerabilities that are confirmed exploited in the wild by CISA. Every rule is traceable: its CVE, its KEV catalog entry with the exact date, and its vendor advisory — no black-box "threat feed."

8 Sigma rules
2 critical severity
1 ransomware-linked
100% KEV-confirmed CVEs
Why "traceable" matters: anyone can ship a rule that fires. These rules tell you exactly which authority confirmed the threat and when — paste any CVE below into the CISA KEV catalog and the metadata matches. Rules are Sigma-format (SIEM-agnostic): convert to Splunk, Elastic, Sentinel, or QRadar with sigma-cli. Detection logic targets exploitation behaviour; tune the source/CIDR filters to your environment before enabling.

Microsoft SharePoint Worker Process Spawning Command Shell

Detects the IIS SharePoint worker process (w3wp.exe) spawning a command interpreter — the post-exploitation signature of deserialization RCE against SharePoint Server.

Vendor: Microsoft · SharePoint Server CISA KEV: added 2026-07-01 · due 2026-07-04 ATT&CK: T1190, T1059

SharePoint Server Anomalous Child Process

Detects w3wp.exe hosting SharePoint spawning reconnaissance or web-shell-dropping utilities following exploitation of the SharePoint improper-input-validation vulnerability.

Vendor: Microsoft · SharePoint Server CISA KEV: added 2026-04-14 · due 2026-04-28 ATT&CK: T1190, T1505.003
HIGH 🏴 RANSOMWARE-LINKED CVE-2026-33825

Suspicious Modification of Microsoft Defender Platform Path

Detects non-SYSTEM writes into the Microsoft Defender Antimalware Platform directory, consistent with the access-control LPE (ransomware-linked in the CISA KEV catalog).

Vendor: Microsoft · Defender CISA KEV: added 2026-04-22 · due 2026-05-06 ATT&CK: T1068, T1562.001
CRITICAL CVE-2026-10520

Ivanti Sentry Appliance Web Process Spawning Shell

Detects the Ivanti Sentry web/application service spawning a shell interpreter — the signature of OS command injection against the appliance.

Vendor: Ivanti · Sentry CISA KEV: added 2026-06-11 · due 2026-06-14 ATT&CK: T1190, T1059.004
CRITICAL CVE-2026-6973

Ivanti EPMM Web Service Spawning Shell

Detects the Ivanti Endpoint Manager Mobile (EPMM) application server spawning a shell — the post-exploitation signature of the improper-input-validation RCE.

Vendor: Ivanti · Endpoint Manager Mobile (EPMM) CISA KEV: added 2026-05-07 · due 2026-05-10 ATT&CK: T1190, T1059.004

SimpleHelp Unauthenticated Access to Administrative Endpoint

Detects HTTP requests to SimpleHelp administrative/toolbox endpoints returning success without a preceding authenticated session — consistent with the authentication-bypass vulnerability.

Vendor: SimpleHelp · SimpleHelp CISA KEV: added 2026-06-29 · due 2026-07-02 ATT&CK: T1190

Splunk Enterprise Unauthenticated Access to Critical Endpoint

Detects access to Splunk management/REST endpoints from outside expected management ranges, consistent with exploitation of the missing-authentication-for-critical-function vulnerability.

Vendor: Splunk · Enterprise CISA KEV: added 2026-06-18 · due 2026-06-21 ATT&CK: T1190, T1059

Fortinet FortiClient EMS Anomalous API Access

Detects access to FortiClient EMS API/console endpoints from unexpected sources, consistent with exploitation of the improper-access-control vulnerability.

Vendor: Fortinet · FortiClient EMS CISA KEV: added 2026-04-06 · due 2026-04-09 ATT&CK: T1190

The data behind these picks

These CVEs aren't chosen by hunch. See the Exploitation Velocity Index — our reproducible analysis of which vendors and weakness classes actually dominate real-world exploitation.