explaingit

ethan-andrews/exploitarium-detections

Analysis updated 2026-05-18

Stars · 37 | Audience · ops devops | Complexity · 3/5 | Setup · moderate

TLDR

54 KQL detection rules for Microsoft Sentinel and Defender XDR covering exploitation attempts from the exploitarium anonymous vulnerability disclosure, spanning 23 products including libssh2, Splunk, and RustDesk.

Mindmap

mindmap
  root((Exploitarium-Detections))
    What it is
      54 KQL detection rules
      Microsoft Sentinel
      Defender XDR
    Coverage
      libssh2 7 rules
      Splunk 4 rules
      RustDesk 4 rules
      23 products total
    Priority CVEs
      CVE-2026-55200 CVSS 9.2
      Actively exploited
    Platforms
      Windows 38 rules
      Linux 25 rules
      macOS 6 rules
    Audience
      Security operations
      Threat hunters


What do people build with it?

USE CASE 1

Deploy KQL rules in Microsoft Sentinel to alert on CVE-2026-55200 libssh2 exploitation before patching is complete across your fleet.

USE CASE 2

Hunt retroactively for exploitarium-related activity across endpoints using the product-specific KQL queries for Splunk, RustDesk, or VLC.

USE CASE 3

Add detection coverage for 23 vulnerable products to a Defender XDR environment without writing KQL rules from scratch.

What is it built with?

KQL, Microsoft Sentinel, Defender XDR

How does it compare?

                   ethan-andrews/exploitarium-detections   hotakus/opencode-visual-cache   javlonbek1233/greenroom
Stars              37                                      37                              37
Language           (not listed)                            TypeScript                      TypeScript
Setup difficulty   moderate                                easy                            easy
Complexity         3/5                                     2/5                             1/5
Audience           ops devops                              developer                       vibe coder

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires an active Microsoft Sentinel or Defender XDR workspace with relevant data connectors enabled for the products being monitored.
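Before enabling any of the rules, it is worth confirming that the tables they query are actually receiving data in the workspace. The query below is an added example for a Sentinel workspace, not something shipped in the repo; which tables a given rule reads is an assumption here and should be taken from the rule file itself. It unions the standard Defender-for-Endpoint advanced-hunting tables and Syslog, tolerates tables that are not onboarded (isfuzzy), and flags sources that have gone quiet.

```kql
// Added example: data-source readiness check for a Sentinel workspace.
// Table names are the standard MDE advanced-hunting tables plus Syslog;
// the set a specific rule needs is an assumption, read it from the rule.
let lookback = 7d;
let stale_after = 1d;
union withsource=SourceTable isfuzzy=true
    DeviceProcessEvents,   // process creations (child-process rules)
    DeviceNetworkEvents,   // outbound connections (C2 / callback rules)
    DeviceFileEvents,      // files written to disk (exploit-kit artifacts)
    Syslog                 // Linux hosts onboarded via the AMA/Syslog connector
| where TimeGenerated > ago(lookback)
// Device* tables name the host DeviceName, Syslog names it Computer.
| extend Host = coalesce(column_ifexists("DeviceName", ""), column_ifexists("Computer", ""))
| summarize Events = count(), Hosts = dcount(Host), Latest = max(TimeGenerated) by SourceTable
| extend Stale = Latest < ago(stale_after)
| order by Stale desc, Events asc
```

A table that is missing from the output entirely has no connector feeding it; a table marked Stale has a connector that was working and stopped, which is the case that silently turns a detection rule into a no-op. In the Defender XDR advanced-hunting portal the timestamp column is Timestamp rather than TimeGenerated, and Syslog is not available there.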

No license is stated in this repository.

In plain English

This repository contains 54 detection rules written in KQL, the query language used by Microsoft Sentinel and Defender XDR, designed to catch exploitation attempts related to a batch of security research released anonymously in June 2026. The anonymous researcher, known as "bikini," published a repository called exploitarium containing proof-of-concept attack code for 15 or more distinct targets across products such as libssh2, Splunk, RustDesk, VLC, AnyDesk, and OpenVPN. The disclosures were made without notifying the affected vendors in advance.

The most critical rule in this set covers CVE-2026-55200, a pre-authentication heap corruption bug in libssh2 with a CVSS score of 9.2 that has seen active exploitation. Because libssh2 is used as a dependency by curl, Git, and PHP, many systems are indirectly exposed, including ones where nobody has installed libssh2 deliberately. The author lists this rule as the top priority to deploy first.

Each product gets its own folder. The rules detect patterns such as unexpected child processes spawned from vulnerable software, reconnaissance commands (for example, checking which library version is installed), suspicious network connections, and exploit-kit artifacts left on disk. These are behavioral patterns rather than signatures of a single payload, so they will fire on some legitimate activity and need tuning per environment. Platform coverage spans Windows (38 rules), Linux (25 rules), macOS (6 rules), and containers.

This is a defensive security resource for security operations teams running Microsoft Sentinel or Defender XDR. It contains detection queries, not exploit code. The rules catch when exploit code from the exploitarium disclosure is being used against a target system. A priority list in the README guides which rules to deploy first based on risk and exploitation activity observed in the wild.
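The "unexpected child process" pattern described above is the one most of these rules share, so here is what such a rule looks like in KQL, as an added example written for this page rather than a rule copied from the repo. It runs against the Defender XDR / Sentinel DeviceProcessEvents table. The watched parent binaries, the suspicious child list (calc.exe is included because proof-of-concept payloads commonly spawn it as their "proof"), and the allowlist entry are assumptions chosen for illustration; the real parent names belong in each product folder's rule, and the allowlist is the tuning knob a team fills in from its own baseline.

```kql
// Added example, not a rule from exploitarium-detections: flag shells, LOLBins and
// PoC "proof" binaries spawned by software in scope. Parent/child lists and the
// allowlist are illustrative assumptions; replace them with your own baseline.
let lookback = 1h;   // scheduled analytic rule; use 30d for a retroactive hunt
// Binaries that should almost never spawn an interactive shell. Hypothetical list
// covering Windows and Linux names so one rule serves both platforms.
let WatchedParents = dynamic([
    "vlc.exe", "rustdesk.exe", "anydesk.exe", "splunkd.exe", "openvpn.exe",
    "vlc", "rustdesk", "anydesk", "splunkd", "openvpn"
]);
// Children that indicate command execution or a PoC landing (calc.exe).
let SuspiciousChildren = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "mshta.exe",
    "rundll32.exe", "calc.exe", "sh", "bash", "dash", "nc", "curl", "wget", "python3"
]);
// Tuning table: (parent, child, command-line substring) triples that are known-good
// in this environment. The single row here is a made-up example of an updater
// helper; an empty substring would never suppress anything.
let Allowlist = datatable(Parent:string, Child:string, CommandLineContains:string) [
    "splunkd.exe", "cmd.exe", "splunk-winevtlog"
];
DeviceProcessEvents
| where Timestamp > ago(lookback)
| extend Parent = tolower(InitiatingProcessFileName), Child = tolower(FileName)
| where Parent in (WatchedParents) and Child in (SuspiciousChildren)
// Leftouter join keeps every candidate; matched rows carry CommandLineContains.
| join kind=leftouter Allowlist on Parent, Child
| where not(isnotempty(CommandLineContains) and ProcessCommandLine contains CommandLineContains)
| project Timestamp, DeviceName, AccountName,
          Parent, ParentCommandLine = InitiatingProcessCommandLine,
          Child, ProcessCommandLine, ReportId
| order by Timestamp desc
```

The two halves of the query are the two things a team actually maintains: the parent and child lists define the detection, and the allowlist absorbs the legitimate cases that surface in the first week of running it. Keeping the allowlist as a datatable rather than inlining `where not(...)` clauses makes the exceptions reviewable in one place, and because the match requires a command-line substring, an exception cannot accidentally silence every instance of a parent/child pair.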

Copy-paste prompts

Prompt 1
I want to import the libssh2 KQL rules from this repo into Microsoft Sentinel as analytic rules. Walk me through creating the rules and what data connectors I need.
Prompt 2
Show me the top priority rules from this repo in order of risk, explain what each one detects, and list which Sentinel tables they query.
Prompt 3
I want to hunt for exploitarium-related activity in Defender XDR over the past 30 days. Which rules are most likely to surface retroactive evidence?
Prompt 4
Explain what the exploitarium-generic multi-cve sweep rule detects and how to tune it to reduce false positives where calc.exe is legitimately spawned.
Prompt 5
My environment uses curl and Git which both depend on libssh2. Which KQL rules from this repo should I prioritize and what data sources do they require?

Frequently asked questions

What is exploitarium-detections?

54 KQL detection rules for Microsoft Sentinel and Defender XDR covering exploitation attempts from the exploitarium anonymous vulnerability disclosure, spanning 23 products including libssh2, Splunk, and RustDesk.

What license does exploitarium-detections use?

No license is stated in this repository.

How hard is exploitarium-detections to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is exploitarium-detections for?

Mainly ops and DevOps teams, specifically security operations staff and threat hunters running Sentinel or Defender XDR.


Verify against the repo before relying on details.