CVE-2026-33634 Google Chronicle · YARA-L

Detect Aquasecurity Trivy Embedded Malicious Code (CVE-2026-33634) in Google Chronicle

CVE-2026-33634 describes an embedded malicious code vulnerability (CWE-506) in Aquasecurity Trivy, a widely-used open-source vulnerability scanner. A compromised or trojanized Trivy binary may execute attacker-controlled code during container image scanning, CI/CD pipeline runs, or Kubernetes admission checks. Because Trivy is frequently granted elevated permissions to access container registries, Kubernetes API servers, and cloud credential chains, a backdoored instance poses critical supply-chain risk: exfiltration of secrets, lateral movement into CI/CD infrastructure, and persistent implant installation. This detection monitors for anomalous process behavior, unexpected network egress, and suspicious file activity originating from Trivy processes.

MITRE ATT&CK

Tactic

  • Initial Access
  • Execution
  • Persistence
  • Exfiltration

YARA-L Detection Query

Google Chronicle (YARA-L)
rule trivy_malicious_code_cve_2026_33634 {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects anomalous behavior from Trivy processes indicative of CVE-2026-33634 embedded malicious code"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://github.com/advisories/GHSA-69fq-xp46-6x23"

  events:
    // Branch 1: a trivy process launches a downloader, netcat or a scripting interpreter.
    // Process-name patterns are anchored on a path separator so that, for example,
    // "nc" does not also match /usr/bin/rsync.
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      AND re.regex($e.principal.process.file.full_path, `(?i)(^|/)(trivy|trivy-linux-amd64|trivy-linux-arm64)$`)
      AND re.regex($e.target.process.file.full_path, `(?i)(^|/)(curl|wget|nc|ncat|python3?|perl|ruby)$`)
    )
    OR
    // Branch 2: trivy network egress that is not HTTP(S) to a known Aqua/GitHub endpoint.
    (
      $e.metadata.event_type = "NETWORK_CONNECTION"
      AND re.regex($e.principal.process.file.full_path, `(?i)(^|/)(trivy|trivy-linux-amd64|trivy-linux-arm64)$`)
      AND NOT (
        ($e.target.port = 443 OR $e.target.port = 80)
        AND re.regex($e.target.hostname, `(?i)(aquasecurity|ghcr\.io|github\.com|api\.github\.com)$`)
      )
    )
    OR
    // Branch 3: trivy writes a file into a world-writable temp location.
    (
      $e.metadata.event_type = "FILE_CREATION"
      AND re.regex($e.principal.process.file.full_path, `(?i)(^|/)(trivy|trivy-linux-amd64|trivy-linux-arm64)$`)
      AND re.regex($e.target.file.full_path, `(?i)^(/tmp/|/var/tmp/|/dev/shm/)`)
    )

  condition:
    $e
}
Severity: critical · Confidence: high

Chronicle YARA-L 2.0 rule detecting Trivy process tree anomalies — suspicious child spawning, unauthorized network egress, and temp-path file writes — consistent with CVE-2026-33634 malicious code execution.

Data Sources

  • Google Chronicle SIEM
  • Chronicle Endpoint Telemetry
  • Chronicle UDM Events

Required Tables

UDM Events (PROCESS_LAUNCH, NETWORK_CONNECTION, FILE_CREATION)

False Positives & Tuning

  • Trivy vulnerability database fetch to a private mirror not covered by the hostname allowlist
  • Trivy scan result pipelines that write JSON output to /tmp before shipping to a collector
  • CI systems where trivy runs inside a container and child processes are part of the scan wrapper
  • Legitimate security automation that wraps trivy output with python or bash post-processors
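To see exactly which events the rule's three branches match, and how the first two tuning items above (a private vulnerability-database mirror, and scan reports staged in /tmp) narrow it, here is an added Python example that re-implements the rule's logic over constructed UDM-style events. It is not df00tech's or Google Chronicle's code; the mirror hostname, file names, the `tuned` allowlists and the event helper are assumptions made for illustration.

```python
# Added example (not df00tech's or Google Chronicle's code): a Python
# re-implementation of the three branches of the YARA-L rule, run over
# constructed UDM-style events, with two tuning knobs taken from the
# False Positives list. Hostnames and file names below are made-up sample data.
import re
from typing import List, Optional, Tuple

# Same patterns as the rule, anchored on a path separator so that "nc" does
# not also match /usr/bin/rsync and "ruby" does not match /opt/ruby-tools.
TRIVY_RE = re.compile(r"(?i)(^|/)(trivy|trivy-linux-amd64|trivy-linux-arm64)$")
CHILD_RE = re.compile(r"(?i)(^|/)(curl|wget|nc|ncat|python3?|perl|ruby)$")
KNOWN_HOST_RE = re.compile(r"(?i)(aquasecurity|ghcr\.io|github\.com|api\.github\.com)$")
TEMP_PATH_RE = re.compile(r"(?i)^(/tmp/|/var/tmp/|/dev/shm/)")

# Tuning knobs (assumptions for this example): a private vulnerability-DB
# mirror and the report extensions a scan pipeline legitimately drops in /tmp.
PRIVATE_MIRROR_RE = re.compile(r"(?i)(^|\.)trivy-mirror\.example\.internal$")
REPORT_EXT_RE = re.compile(r"(?i)\.(json|sarif)$")


def get(event: dict, dotted: str, default=None):
    """Walk a nested dict with a UDM-style dotted path, e.g. 'target.port'."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def classify(event: dict, tuned: bool = False) -> Optional[str]:
    """Return the name of the rule branch that fires for this event, or None.

    With tuned=True the two allowlists above are applied in addition to the
    rule's own allowlist, mirroring how the rule would be narrowed in Chronicle.
    """
    parent = get(event, "principal.process.file.full_path", "")
    if not TRIVY_RE.search(parent):
        return None  # every branch requires a trivy principal process
    etype = get(event, "metadata.event_type")
    if etype == "PROCESS_LAUNCH":
        if CHILD_RE.search(get(event, "target.process.file.full_path", "")):
            return "suspicious_child"
    elif etype == "NETWORK_CONNECTION":
        port = get(event, "target.port")
        host = get(event, "target.hostname", "")
        if port in (80, 443) and KNOWN_HOST_RE.search(host):
            return None  # rule's own allowlist: HTTP(S) to Aqua/GitHub
        if tuned and port in (80, 443) and PRIVATE_MIRROR_RE.search(host):
            return None  # tuning: private vulnerability-DB mirror
        return "unexpected_egress"
    elif etype == "FILE_CREATION":
        path = get(event, "target.file.full_path", "")
        if TEMP_PATH_RE.search(path):
            if tuned and REPORT_EXT_RE.search(path):
                return None  # tuning: scan reports staged in /tmp
            return "temp_file_write"
    return None


def evt(etype: str, parent: str, **target) -> dict:
    """Build a minimal UDM-shaped event (constructed sample data)."""
    return {"metadata": {"event_type": etype},
            "principal": {"process": {"file": {"full_path": parent}}},
            "target": target}


TRIVY = "/usr/local/bin/trivy"
SAMPLE_EVENTS = [
    evt("PROCESS_LAUNCH", TRIVY, process={"file": {"full_path": "/usr/bin/nc"}}),     # 0 fires
    evt("PROCESS_LAUNCH", TRIVY, process={"file": {"full_path": "/usr/bin/rsync"}}),  # 1 benign
    evt("NETWORK_CONNECTION", TRIVY, port=443, hostname="ghcr.io"),                   # 2 allowlisted
    evt("NETWORK_CONNECTION", TRIVY, port=80, hostname="169.254.169.254"),            # 3 fires
    evt("NETWORK_CONNECTION", TRIVY, port=443,
        hostname="db.trivy-mirror.example.internal"),                                 # 4 fires unless tuned
    evt("FILE_CREATION", TRIVY, file={"full_path": "/tmp/scan-results.json"}),        # 5 fires unless tuned
    evt("FILE_CREATION", TRIVY, file={"full_path": "/dev/shm/.cache-helper"}),        # 6 fires
    evt("FILE_CREATION", "/usr/bin/python3", file={"full_path": "/tmp/out.bin"}),     # 7 not a trivy parent
]


def alerts(events: List[dict], tuned: bool = False) -> List[Tuple[int, str]]:
    """Indices and branch names of the events that would raise an alert."""
    out = []
    for i, e in enumerate(events):
        branch = classify(e, tuned)
        if branch:
            out.append((i, branch))
    return out


if __name__ == "__main__":
    for label, tuned in (("untuned", False), ("tuned", True)):
        print(label, alerts(SAMPLE_EVENTS, tuned))
```

Two design points carry over to the Chronicle rule itself. First, the process-name patterns are anchored on a path separator: an unanchored `(nc)$` also matches `/usr/bin/rsync`, which is the kind of benign child a CI scan wrapper spawns. Second, the tuning knobs are expressed as extra terms inside the rule's existing `NOT (...)` clause rather than as a separate exclusion, so a suppressed event still has to satisfy the port constraint; the remaining two false-positive cases (container scan wrappers and python/bash post-processors) would be handled by inspecting the parent of the trivy process, which this evaluator does not model.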

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Trivy Binary Hash Verification Failure Simulation

    Expected signal: ProcessRollup or DeviceProcessEvents event for /tmp/trivy-test with a SHA-256 hash differing from the official trivy binary hash; file creation event for /tmp/trivy-test.

  2. Test 2: Trivy Spawning Reverse Shell Child Process

    Expected signal: ProcessRollup event showing trivy (or a trivy-named process) as parent of nc/netcat; NetworkConnect event for local port 14444.

  3. Test 3: Trivy Unexpected Outbound Network Connection

    Expected signal: NetworkConnect event from a process named 'trivy' (via exec -a) to 169.254.169.254 port 80; DnsRequest or direct IP connection telemetry.

  4. Test 4: Trivy Writing Dropper to Temp Directory

    Expected signal: FileCreate event showing a trivy-named process writing an executable file to /dev/shm/; file hash and permissions captured in endpoint telemetry.

Last updated: 2026-06-19 · Research depth: standard