Analysis updated 2026-05-18
Deploy KQL rules in Microsoft Sentinel to alert on CVE-2026-55200 libssh2 exploitation before patching is complete across your fleet.
Hunt retroactively for exploitarium-related activity across endpoints using the product-specific KQL queries for Splunk, RustDesk, or VLC.
Add detection coverage for 23 vulnerable products to a Defender XDR environment without writing KQL rules from scratch.
| | ethan-andrews/exploitarium-detections | hotakus/opencode-visual-cache | javlonbek1233/greenroom |
|---|---|---|---|
| Stars | 37 | 37 | 37 |
| Language | — | TypeScript | TypeScript |
| Setup difficulty | moderate | easy | easy |
| Complexity | 3/5 | 2/5 | 1/5 |
| Audience | ops devops | developer | vibe coder |
Figures from each repo's GitHub metadata at analysis time.
Requires an active Microsoft Sentinel or Defender XDR workspace with relevant data connectors enabled for the products being monitored.
This repository contains 54 detection rules written in KQL, the query language used by Microsoft Sentinel and Defender XDR, designed to catch exploitation attempts related to a batch of security research released anonymously in June 2026. The anonymous researcher, known as "bikini," published a repository called exploitarium containing proof-of-concept attack code for 15 or more distinct targets across products such as libssh2, Splunk, RustDesk, VLC, AnyDesk, and OpenVPN. The disclosures were made without notifying the affected vendors in advance.

The most critical rule in this set covers CVE-2026-55200, a pre-authentication heap corruption bug in libssh2 with a CVSS score of 9.2 that has seen active exploitation. Because libssh2 is a dependency of curl, Git, and PHP, many systems are exposed indirectly through those consumers rather than through a direct libssh2 install. The author lists this rule as the top priority to deploy first.

Each product gets its own folder. The rules detect patterns such as unexpected child processes spawned from vulnerable software, reconnaissance commands (for example, checking which library version is installed), suspicious network connections, and exploit-kit artifacts left on disk. Platform coverage spans Windows (38 rules), Linux (25 rules), macOS (6 rules), and containers.

This is a defensive security resource for security operations teams running Microsoft Sentinel or Defender XDR. It contains detection queries, not exploit code. The rules fire when exploit code from the exploitarium disclosure is being used against a monitored system. A priority list in the README guides which rules to deploy first, based on risk and on exploitation activity observed in the wild.
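As an added illustration of the "unexpected child process" rule category described above, here is a Defender XDR advanced-hunting query that flags shells or scripting hosts launched by curl, Git, or PHP, the libssh2 consumers named on this page. It is not one of the repository's 54 rules; the parent and child process lists are assumptions chosen for the example and should be tuned to the environment.

```kql
// Added example, not from the repository: a libssh2 consumer (curl, git, php)
// should rarely need to spawn an interactive shell or script host. A match
// is a lead to triage, not proof of CVE-2026-55200 exploitation.
// Process names below are illustrative assumptions; extend them for your fleet.
let libssh2Consumers = dynamic(["curl.exe", "git.exe", "php.exe", "curl", "git", "php"]);
let suspiciousChildren = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"]);
DeviceProcessEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName in~ (libssh2Consumers)
| where FileName in~ (suspiciousChildren)
// Git legitimately runs sh for hooks and aliases; exclude that pair and
// review the remainder, or replace the exclusion with a per-host baseline.
| where not(InitiatingProcessFileName =~ "git.exe" and FileName =~ "sh.exe")
| project Timestamp, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine, SHA256
| order by Timestamp desc
```

Run it over a longer window (for example `ago(30d)`) to hunt retroactively, then convert the tuned query into an analytics rule once the false-positive rate is acceptable.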
54 KQL detection rules for Microsoft Sentinel and Defender XDR covering exploitation attempts from the exploitarium anonymous vulnerability disclosure, spanning 23 products including libssh2, Splunk, and RustDesk.
No license is stated in this repository.
Setup difficulty is rated moderate, with roughly 30 minutes to a first successful run.
Mainly ops and DevOps.
Verify against the repo before relying on details.