Which SIEM platforms have a CVE-2026-33634 detection rule?

df00tech provides CVE-2026-33634 (Aquasecurity Trivy Embedded Malicious Code (CVE-2026-33634)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Aquasecurity Trivy Embedded Malicious Code (CVE-2026-33634) (CVE-2026-33634)?

Detecting Aquasecurity Trivy Embedded Malicious Code (CVE-2026-33634) requires the following data sources: Microsoft Defender for Endpoint, Microsoft Sentinel.

What severity and confidence is the CVE-2026-33634 detection?

The CVE-2026-33634 detection is rated critical severity with high confidence.

What are common false positives for CVE-2026-33634?

Common false positives for CVE-2026-33634 include: Trivy updating its vulnerability database to non-standard mirrors configured by the operator; Legitimate shell wrappers or CI scripts that invoke trivy with bash/sh as a parent; Security tooling or EDR agents spawning from trivy's process tree during scan operations.

CVE-2026-33634

Aquasecurity Trivy Embedded Malicious Code (CVE-2026-33634)

Initial Access Execution Persistence Exfiltration Last updated: June 19, 2026

CVE-2026-33634 describes an embedded malicious code vulnerability (CWE-506) in Aquasecurity Trivy, a widely-used open-source vulnerability scanner. A compromised or trojanized Trivy binary may execute attacker-controlled code during container image scanning, CI/CD pipeline runs, or Kubernetes admission checks. Because Trivy is frequently granted elevated permissions to access container registries, Kubernetes API servers, and cloud credential chains, a backdoored instance poses critical supply-chain risk: exfiltration of secrets, lateral movement into CI/CD infrastructure, and persistent implant installation. This detection monitors for anomalous process behavior, unexpected network egress, and suspicious file activity originating from Trivy processes.

Vulnerability Intelligence

KEV — Known Exploited

CVE

CVE-2026-33634↗ NVD

Affected Software

Vendor: Aquasecurity
Product: Trivy

Weakness (CWE)

CWE-506

Timeline

Disclosed: March 26, 2026

References & Proof of Concept

CVSS

Unscored

Write-up coming soon

What is CVE-2026-33634 Aquasecurity Trivy Embedded Malicious Code (CVE-2026-33634)?

Aquasecurity Trivy Embedded Malicious Code (CVE-2026-33634) (CVE-2026-33634) maps to the Initial Access and Execution and Persistence and Exfiltration tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for Aquasecurity Trivy Embedded Malicious Code (CVE-2026-33634), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Initial Access Execution Persistence Exfiltration

Microsoft Sentinel / Defender

kusto

let trivyProcesses = DeviceProcessEvents
| where FileName in~ ("trivy", "trivy-linux-amd64", "trivy-linux-arm64") or ProcessCommandLine has "trivy"
| project DeviceId, DeviceName, InitiatingProcessId, ProcessId, FileName, ProcessCommandLine, AccountName, Timestamp;
let suspiciousChildren = DeviceProcessEvents
| where InitiatingProcessFileName in~ ("trivy", "trivy-linux-amd64", "trivy-linux-arm64")
| where FileName !in~ ("trivy", "sh", "bash") or ProcessCommandLine has_any ("curl", "wget", "nc", "ncat", "python", "python3", "perl", "ruby", "bash -i", "/dev/tcp", "base64")
| project DeviceId, DeviceName, InitiatingProcessId, ProcessId, FileName, ProcessCommandLine, AccountName, Timestamp;
let suspiciousNetwork = DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("trivy", "trivy-linux-amd64", "trivy-linux-arm64")
| where RemotePort !in (443, 80, 8080) or RemoteUrl !has "aquasecurity" and RemoteUrl !has "ghcr.io" and RemoteUrl !has "github.com"
| project DeviceId, DeviceName, InitiatingProcessId, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessCommandLine, Timestamp;
let suspiciousFiles = DeviceFileEvents
| where InitiatingProcessFileName in~ ("trivy", "trivy-linux-amd64", "trivy-linux-arm64")
| where FolderPath has_any ("/tmp", "/var/tmp", "/dev/shm", "C:\\Windows\\Temp", "C:\\Users\\Public")
| project DeviceId, DeviceName, InitiatingProcessId, FileName, FolderPath, SHA256, Timestamp;
union suspiciousChildren, (suspiciousNetwork | extend FileName = "", ProcessCommandLine = InitiatingProcessCommandLine, AccountName = ""), (suspiciousFiles | extend ProcessCommandLine = "", AccountName = "")
| order by Timestamp desc

Detects anomalous child process spawning, unexpected external network connections, and suspicious file writes originating from Trivy processes, which may indicate a backdoored or trojanized Trivy binary (CVE-2026-33634).

critical severity high confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel

Required Tables

DeviceProcessEvents DeviceNetworkEvents DeviceFileEvents

False Positives

Trivy updating its vulnerability database to non-standard mirrors configured by the operator
Legitimate shell wrappers or CI scripts that invoke trivy with bash/sh as a parent
Security tooling or EDR agents spawning from trivy's process tree during scan operations
Custom Trivy plugins that perform network calls to internal artifact registries

Splunk

spl

index=endpoint sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "linux:syslog", "crowdstrike:events:sensor")
(process_name IN ("trivy", "trivy-linux-amd64", "trivy-linux-arm64") OR parent_process_name IN ("trivy", "trivy-linux-amd64", "trivy-linux-arm64"))
| eval suspicious_child=if(parent_process_name IN ("trivy","trivy-linux-amd64","trivy-linux-arm64") AND process_name IN ("curl","wget","nc","ncat","python","python3","perl","ruby","bash","sh") AND (match(process_cmd_line, "(?i)(/dev/tcp|base64|exec|reverse|shell|implant)") OR match(process_cmd_line, "(?i)(wget|curl).*(http)")), "true", "false")
| eval suspicious_network=if(process_name IN ("trivy","trivy-linux-amd64","trivy-linux-arm64") AND NOT (dest_port IN (443, 80) AND (match(dest_host, "aquasecurity") OR match(dest_host, "ghcr\.io") OR match(dest_host, "github\.com"))), "true", "false")
| eval suspicious_file=if(process_name IN ("trivy","trivy-linux-amd64","trivy-linux-arm64") AND match(file_path, "(?i)(/tmp/|/var/tmp/|/dev/shm/|C:\\\\Windows\\\\Temp)"), "true", "false")
| where suspicious_child="true" OR suspicious_network="true" OR suspicious_file="true"
| stats count by host, user, process_name, process_cmd_line, parent_process_name, dest_host, dest_port, file_path, suspicious_child, suspicious_network, suspicious_file
| sort -count

Detects trivy processes spawning suspicious children (reverse shells, interpreters), making unexpected outbound network connections, or writing files to temp directories — indicators of trojanized Trivy (CVE-2026-33634).

critical severity high confidence

Data Sources

Splunk Enterprise Security CrowdStrike Falcon Sysmon for Linux

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational linux:syslog crowdstrike:events:sensor

False Positives

Trivy downloading DB updates to operator-configured non-standard mirror endpoints
CI/CD pipeline scripts wrapping trivy with bash and piping output to curl for reporting
Trivy plugins writing scan results to /tmp before forwarding to SIEM
Security scanning infrastructure where trivy runs with broad network access by design

Sumo Logic CSE

sql

_sourceCategory=endpoint/process OR _sourceCategory=endpoint/network OR _sourceCategory=crowdstrike
| where process_name in ("trivy", "trivy-linux-amd64", "trivy-linux-arm64") or parent_process_name in ("trivy", "trivy-linux-amd64", "trivy-linux-arm64")
| eval is_suspicious_child = if(parent_process_name in ("trivy","trivy-linux-amd64","trivy-linux-arm64") and process_name in ("curl","wget","nc","python","python3","perl","ruby","bash","sh") and (matches(cmd_line, "(?i).*(base64|/dev/tcp|exec.*sh|reverse|implant).*") or matches(cmd_line, "(?i).*(wget|curl).+http")), "true", "false")
| eval is_suspicious_network = if(process_name in ("trivy","trivy-linux-amd64","trivy-linux-arm64") and !((dst_port in ("443","80")) and (matches(dst_host, "(?i).*(aquasecurity|ghcr\.io|github\.com).*"))), "true", "false")
| eval is_suspicious_file = if(process_name in ("trivy","trivy-linux-amd64","trivy-linux-arm64") and matches(file_path, "(?i).*(^/tmp/|/dev/shm/|/var/tmp/).*"), "true", "false")
| where is_suspicious_child = "true" or is_suspicious_network = "true" or is_suspicious_file = "true"
| count by host, user, process_name, cmd_line, parent_process_name, dst_host, dst_port, is_suspicious_child, is_suspicious_network, is_suspicious_file
| sort by _count desc

Sumo Logic query correlating Trivy process anomalies: interpreter child spawns, egress to non-approved destinations, and temp directory writes that indicate CVE-2026-33634 embedded malicious code activation.

critical severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Sumo Logic Endpoint Source CrowdStrike Falcon via Sumo

Required Tables

endpoint/process endpoint/network crowdstrike

False Positives

Trivy DB mirror configurations pointing to internal artifact servers on non-standard ports
Automated scan report pipelines using curl or wget as post-scan exporters
Custom Trivy plugins writing temp artifacts before final report generation
Dev/test environments running trivy against local registries with non-TLS connections

Google Chronicle / SecOps

yaral

rule trivy_malicious_code_cve_2026_33634 {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects anomalous behavior from Trivy processes indicative of CVE-2026-33634 embedded malicious code"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://github.com/advisories/GHSA-69fq-xp46-6x23"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      AND (
        re.regex($e.principal.process.file.full_path, `(?i)(trivy|trivy-linux-amd64|trivy-linux-arm64)$`)
        OR re.regex($e.target.process.file.full_path, `(?i)(trivy|trivy-linux-amd64|trivy-linux-arm64)$`)
      )
      AND (
        re.regex($e.principal.process.file.full_path, `(?i)(trivy|trivy-linux-amd64|trivy-linux-arm64)$`)
        AND re.regex($e.target.process.file.full_path, `(?i)(curl|wget|nc|ncat|python3?|perl|ruby)$`)
      )
    )
    OR
    (
      $e.metadata.event_type = "NETWORK_CONNECTION"
      AND re.regex($e.principal.process.file.full_path, `(?i)(trivy|trivy-linux-amd64|trivy-linux-arm64)$`)
      AND NOT (
        ($e.target.port = 443 OR $e.target.port = 80)
        AND re.regex($e.target.hostname, `(?i)(aquasecurity|ghcr\.io|github\.com|api\.github\.com)$`)
      )
    )
    OR
    (
      $e.metadata.event_type = "FILE_CREATION"
      AND re.regex($e.principal.process.file.full_path, `(?i)(trivy|trivy-linux-amd64|trivy-linux-arm64)$`)
      AND re.regex($e.target.file.full_path, `(?i)^(/tmp/|/var/tmp/|/dev/shm/)`)
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting Trivy process tree anomalies — suspicious child spawning, unauthorized network egress, and temp-path file writes — consistent with CVE-2026-33634 malicious code execution.

critical severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Endpoint Telemetry Chronicle UDM Events

Required Tables

UDM Events (PROCESS_LAUNCH, NETWORK_CONNECTION, FILE_CREATION)

False Positives

Trivy vulnerability database fetch to a private mirror not covered by the hostname allowlist
Trivy scan result pipelines that write JSON output to /tmp before shipping to a collector
CI systems where trivy runs inside a container and child processes are part of the scan wrapper
Legitimate security automation that wraps trivy output with python or bash post-processors

CrowdStrike LogScale (CQL)

cql

#event_simpleName IN ("ProcessRollup2", "NetworkConnectIP4", "NetworkConnectIP6", "DnsRequest", "NewExecutableWritten")
| ImageFileName MATCHES "(?i)(trivy|trivy-linux-amd64|trivy-linux-arm64)$"
  OR ParentBaseFileName MATCHES "(?i)(trivy|trivy-linux-amd64|trivy-linux-arm64)$"
| eval suspicious_child = if(ParentBaseFileName MATCHES "(?i)(trivy|trivy-linux-amd64|trivy-linux-arm64)$"
    AND BaseFileName MATCHES "(?i)(curl|wget|nc|ncat|python3?|perl|ruby|bash|sh)$"
    AND (CommandLine MATCHES "(?i)(/dev/tcp|base64|exec|implant|reverse|shell)"
         OR CommandLine MATCHES "(?i)(wget|curl).+http"), "true", "false")
| eval suspicious_net = if(#event_simpleName IN ("NetworkConnectIP4", "NetworkConnectIP6", "DnsRequest")
    AND ImageFileName MATCHES "(?i)(trivy|trivy-linux-amd64|trivy-linux-arm64)$"
    AND NOT (RemotePort IN ("443", "80")
             AND DomainName MATCHES "(?i)(aquasecurity|ghcr\.io|github\.com)"), "true", "false")
| eval suspicious_file = if(#event_simpleName = "NewExecutableWritten"
    AND ImageFileName MATCHES "(?i)(trivy|trivy-linux-amd64|trivy-linux-arm64)$"
    AND TargetDirectoryName MATCHES "(?i)(/tmp|/var/tmp|/dev/shm)", "true", "false")
| where suspicious_child = "true" OR suspicious_net = "true" OR suspicious_file = "true"
| groupby [ComputerName, UserName, BaseFileName, CommandLine, ParentBaseFileName, RemoteIP, RemotePort, DomainName, suspicious_child, suspicious_net, suspicious_file]
| sort -count()

CrowdStrike Falcon CQL query detecting Trivy process anomalies across process, network, and file events — child interpreter spawns, unauthorized egress, and dropper writes to temp paths indicative of CVE-2026-33634.

critical severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon Intelligence

Required Tables

ProcessRollup2 NetworkConnectIP4 NetworkConnectIP6 DnsRequest NewExecutableWritten

False Positives

Trivy plugin ecosystem spawning legitimate helper binaries during extended scan modes
Operator-configured vulnerability DB mirrors on non-standard ports inside private networks
Containers where trivy and curl are co-located and curl is called by the scan wrapper script
Security automation frameworks that instrument trivy output with python-based post-processors

Sigma rule & cross-platform mapping

The detection logic for Aquasecurity Trivy Embedded Malicious Code (CVE-2026-33634) (CVE-2026-33634) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2026-33634 Sigma rules on detection.fyi

Platform-specific guides for CVE-2026-33634

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-06-19 Research depth: standard

References (2)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Trivy Binary Hash Verification Failure Simulation
Expected signal: ProcessRollup or DeviceProcessEvents event for /tmp/trivy-test with a SHA-256 hash differing from the official trivy binary hash; file creation event for /tmp/trivy-test.
Test 2Trivy Spawning Reverse Shell Child Process
Expected signal: ProcessRollup event showing trivy (or trivy-named process) as parent of nc/netcat; NetworkConnect event for local port 14444.
Test 3Trivy Unexpected Outbound Network Connection
Expected signal: NetworkConnect event from a process named 'trivy' (via exec -a) to 169.254.169.254 port 80; DnsRequest or direct IP connection telemetry.
Test 4Trivy Writing Dropper to Temp Directory
Expected signal: FileCreate event showing a trivy-named process writing an executable file to /dev/shm/; file hash and permissions captured in endpoint telemetry.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2026-33634 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0001Initial Access TA0002Execution TA0003Persistence TA0010Exfiltration

Related Techniques

T1195.002Compromise Software Supply Chain T1059.004Unix Shell T1048Exfiltration Over Alternative Protocol

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2026-33634 Aquasecurity Trivy Embedded Malicious Code (CVE-2026-33634)?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2026-33634

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox