# ============================================================================
# CYBERDUDEBIVASH SENTINEL APEX — Detection Pack
# Traceability:
#   CVE ............ CVE-2026-10520
#   Vendor / Product Ivanti / Sentry
#   CISA KEV ....... added 2026-06-11, federal remediation due 2026-06-14
#   Ransomware ..... Unknown
#   NVD ............ https://nvd.nist.gov/vuln/detail/CVE-2026-10520
#   KEV catalog .... https://www.cisa.gov/known-exploited-vulnerabilities-catalog
# Every claim in this rule's metadata is verifiable against the sources above.
# ============================================================================
title: Ivanti Sentry Appliance Web Process Spawning Shell (CVE-2026-10520)
id: b290b225-5265-5e9d-86ab-0fe87dde1a45
status: experimental
description: |
    Detects the Ivanti Sentry web/application service spawning a shell interpreter — the signature of OS command injection against the appliance.
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-10520
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
    - https://blog.cyberdudebivash.in/detections/
author: CYBERDUDEBIVASH SENTINEL APEX
date: 2026/07/05
tags:
    - attack.initial_access
    - attack.t1190
    - attack.execution
    - attack.t1059.004
    - cve.2026.10520
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith:
            - '/java'
            - '/httpd'
            - '/tomcat'
            - '/node'
    selection_child:
        Image|endswith:
            - '/sh'
            - '/bash'
            - '/dash'
            - '/nc'
            - '/curl'
            - '/wget'
    condition: selection_parent and selection_child
    fields:
        - CommandLine
        - ParentCommandLine
falsepositives:
    - Appliance maintenance scripts run by vendor support (baseline before enabling).
level: critical
