Detect Ivanti Sentry OS Command Injection Exploitation (CVE-2026-10520) in Splunk
Detects exploitation attempts targeting CVE-2026-10520, an OS command injection vulnerability (CWE-78) in Ivanti Sentry. This vulnerability is actively exploited in the wild (CISA KEV) and allows unauthenticated or authenticated attackers to inject operating system commands through Ivanti Sentry's administrative or API interfaces, potentially leading to full system compromise. Ivanti Sentry acts as a gateway for enterprise mobile device management, making it a high-value target for threat actors seeking persistent access to corporate infrastructure.
MITRE ATT&CK
SPL Detection Query
index=endpoint OR index=network sourcetype IN ("xmlwineventlog", "linux_secure", "syslog", "auditd")
| eval is_sentry_parent=if(match(lower(parent_process_name), "java|tomcat|catalina|sentry"), 1, 0)
| eval is_shell_spawn=if(match(lower(process_name), "^(sh|bash|dash|zsh|ksh|csh|python[23]?|perl|ruby|nc|ncat|netcat|wget|curl|chmod|mkfifo|id|whoami|uname)$"), 1, 0)
| eval has_injection_pattern=if(match(process_cmdline, "[;&|`]|\$\(|>/|wget |curl |chmod [0-7]{3,4}|bash -[ci]|sh -[ci]|python.*-c|perl.*-e"), 1, 0)
| where is_sentry_parent=1 AND is_shell_spawn=1
| eval risk_tier=case(
match(lower(process_name), "nc|ncat|netcat|mkfifo"), "critical",
match(lower(process_cmdline), "(http|https)://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}") AND match(lower(process_name), "wget|curl"), "high",
has_injection_pattern=1, "high",
match(lower(process_name), "id|whoami|uname"), "medium",
true(), "low"
)
| where risk_tier IN ("critical", "high", "medium")
| table _time, host, user, parent_process_name, parent_process_cmdline, process_name, process_cmdline, risk_tier
| sort -_timeDetects child process execution chains originating from Java/Tomcat/Sentry parent processes that exhibit command injection indicators. Correlates process lineage with known OS injection payloads to surface CVE-2026-10520 exploitation attempts on Linux-based Ivanti Sentry appliances.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate system administration via cron jobs that invoke shell commands through Java-based schedulers
- Ivanti Sentry diagnostic tools executing OS commands for telemetry collection
- Patch management agents spawning shell processes under Tomcat context during update cycles
- Security agent processes (CrowdStrike Falcon, Carbon Black) executing remediation actions
Other platforms for CVE-2026-10520
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Ivanti Sentry CVE-2026-10520 Basic Command Injection Simulation
Expected signal: EDR should record process creation event: parent=java, child=bash with arguments '-c' and 'id; whoami; uname -a; cat /etc/passwd | head -3'. Auditd should record EXECVE syscall with ppid matching java process PID. Network telemetry: no outbound connections expected in this basic test.
- Test 2Ivanti Sentry Reverse Shell Simulation via Java Parent
Expected signal: Process chain: java -> bash (args: -c, 'echo ... | nc 127.0.0.1 9999') -> nc (args: 127.0.0.1, 9999). Network connection event: nc connecting to 127.0.0.1:9999. Auditd EXECVE syscalls for bash and nc with ppid chain traceable to java.
- Test 3Ivanti Sentry Web Shell Drop Simulation
Expected signal: File creation event: /tmp/sim_sentry_webapps/cmd_sim_marker.jsp created by initiating process java (sentry_webshell_sim). Process creation event: java spawning bash to list directory contents. EDR file monitoring should record .jsp creation in simulated webapps directory with java as initiating process.
- Test 4Ivanti Sentry Credential Staging Simulation
Expected signal: Process chain: java -> bash (multiple invocations with file read and base64 encoding commands). File access events: reads of simulated credential files. File creation event: /tmp/exfil_stage.b64 created by bash initiating from java parent. Auditd EXECVE records for bash invocations with ppid traceable to java.
References (4)
- https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-10520
Unlock Pro Content
Get the full detection package for CVE-2026-10520 including response playbook, investigation guide, and atomic red team tests.