CVE-2026-10520 Google Chronicle · YARA-L

Detect Ivanti Sentry OS Command Injection Exploitation (CVE-2026-10520) in Google Chronicle

Detects exploitation attempts targeting CVE-2026-10520, an OS command injection vulnerability (CWE-78) in Ivanti Sentry. This vulnerability is actively exploited in the wild (CISA KEV) and allows unauthenticated or authenticated attackers to inject operating system commands through Ivanti Sentry's administrative or API interfaces, potentially leading to full system compromise. Ivanti Sentry acts as a gateway for enterprise mobile device management, making it a high-value target for threat actors seeking persistent access to corporate infrastructure.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence Lateral Movement

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule cve_2026_10520_ivanti_sentry_cmd_injection {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects OS command injection exploitation of Ivanti Sentry CVE-2026-10520"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2026-10520"
    mitre_attack_tactic = "Initial Access, Execution"
    mitre_attack_technique = "T1190, T1059.004"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.process.file.full_path = /(?i)(java|tomcat|catalina)/
    $proc.target.process.file.full_path = /(?i)\/(sh|bash|dash|python[23]?|perl|wget|curl|nc|ncat|netcat|chmod|mkfifo|id|whoami|uname)$/
    (
      $proc.target.process.command_line = /[;&|`]|\$\(|>\/tmp/ or
      $proc.target.process.file.full_path = /(?i)\/(nc|ncat|netcat|mkfifo)$/
    )
    $proc.principal.asset.hostname = $host

  match:
    $host over 5m

  outcome:
    $risk_score = max(if(
      $proc.target.process.file.full_path = /(?i)\/(nc|ncat|netcat|mkfifo)$/, 95,
      if($proc.target.process.command_line = /https?:\/\/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/, 85, 70)
    ))
    $target_process = array_distinct($proc.target.process.command_line)
    $parent_process = array_distinct($proc.principal.process.file.full_path)

  condition:
    $proc
}
critical severity high confidence

Chronicle YARA-L 2.0 rule detecting OS command injection exploitation of Ivanti Sentry by matching process launch events where Java/Tomcat spawns suspicious shell or utility processes with injection-characteristic command arguments.

Data Sources

Google Chronicle SIEMChronicle UDM EventsEndpoint telemetry via Chronicle agents

Required Tables

UDM PROCESS_LAUNCH events

False Positives & Tuning

  • Authorized Ivanti Sentry management tools executing OS diagnostics via Java runtime
  • Scheduled maintenance tasks invoking shell commands through Tomcat service account
  • MDM enrollment processes triggering legitimate wget/curl calls from Sentry middleware
  • Security scanning platforms performing authenticated OS-level checks against Sentry appliances

Other platforms for CVE-2026-10520

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Ivanti Sentry CVE-2026-10520 Basic Command Injection Simulation

    Expected signal: EDR should record process creation event: parent=java, child=bash with arguments '-c' and 'id; whoami; uname -a; cat /etc/passwd | head -3'. Auditd should record EXECVE syscall with ppid matching java process PID. Network telemetry: no outbound connections expected in this basic test.

  2. Test 2Ivanti Sentry Reverse Shell Simulation via Java Parent

    Expected signal: Process chain: java -> bash (args: -c, 'echo ... | nc 127.0.0.1 9999') -> nc (args: 127.0.0.1, 9999). Network connection event: nc connecting to 127.0.0.1:9999. Auditd EXECVE syscalls for bash and nc with ppid chain traceable to java.

  3. Test 3Ivanti Sentry Web Shell Drop Simulation

    Expected signal: File creation event: /tmp/sim_sentry_webapps/cmd_sim_marker.jsp created by initiating process java (sentry_webshell_sim). Process creation event: java spawning bash to list directory contents. EDR file monitoring should record .jsp creation in simulated webapps directory with java as initiating process.

  4. Test 4Ivanti Sentry Credential Staging Simulation

    Expected signal: Process chain: java -> bash (multiple invocations with file read and base64 encoding commands). File access events: reads of simulated credential files. File creation event: /tmp/exfil_stage.b64 created by bash initiating from java parent. Auditd EXECVE records for bash invocations with ppid traceable to java.

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-10520 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1059.004Unix ShellT1505.003Web ShellT1078Valid Accounts

Same Tactic: Initial Access

Popular Detections