# ============================================================================
# CYBERDUDEBIVASH SENTINEL APEX — Detection Pack
# Traceability:
#   CVE ............ CVE-2026-6973
#   Vendor / Product Ivanti / Endpoint Manager Mobile (EPMM)
#   CISA KEV ....... added 2026-05-07, federal remediation due 2026-05-10
#   Ransomware ..... Unknown
#   NVD ............ https://nvd.nist.gov/vuln/detail/CVE-2026-6973
#   KEV catalog .... https://www.cisa.gov/known-exploited-vulnerabilities-catalog
# Every claim in this rule's metadata is verifiable against the sources above.
# ============================================================================
title: Ivanti EPMM Web Service Spawning Shell (CVE-2026-6973)
id: 4f2e4a84-4634-5832-883e-8859bb822ee6
status: experimental
description: |
    Detects the Ivanti Endpoint Manager Mobile (EPMM) application server spawning a shell — the post-exploitation signature of the improper-input-validation RCE.
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-6973
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
    - https://blog.cyberdudebivash.in/detections/
author: CYBERDUDEBIVASH SENTINEL APEX
date: 2026/07/05
tags:
    - attack.initial_access
    - attack.t1190
    - attack.execution
    - attack.t1059.004
    - cve.2026.6973
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|contains:
            - 'tomcat'
            - 'mifs'
            - 'java'
    selection_child:
        Image|endswith:
            - '/sh'
            - '/bash'
            - '/python'
            - '/perl'
            - '/nc'
    condition: selection_parent and selection_child
    fields:
        - CommandLine
        - ParentCommandLine
falsepositives:
    - Legitimate EPMM maintenance jobs (baseline before enabling).
level: critical
