Detect Aquasecurity Trivy Embedded Malicious Code (CVE-2026-33634) in CrowdStrike LogScale
CVE-2026-33634 describes an embedded malicious code vulnerability (CWE-506) in Aquasecurity Trivy, a widely-used open-source vulnerability scanner. A compromised or trojanized Trivy binary may execute attacker-controlled code during container image scanning, CI/CD pipeline runs, or Kubernetes admission checks. Because Trivy is frequently granted elevated permissions to access container registries, Kubernetes API servers, and cloud credential chains, a backdoored instance poses critical supply-chain risk: exfiltration of secrets, lateral movement into CI/CD infrastructure, and persistent implant installation. This detection monitors for anomalous process behavior, unexpected network egress, and suspicious file activity originating from Trivy processes.
MITRE ATT&CK
LogScale Detection Query
#event_simpleName IN ("ProcessRollup2", "NetworkConnectIP4", "NetworkConnectIP6", "DnsRequest", "NewExecutableWritten")
| ImageFileName MATCHES "(?i)(trivy|trivy-linux-amd64|trivy-linux-arm64)$"
OR ParentBaseFileName MATCHES "(?i)(trivy|trivy-linux-amd64|trivy-linux-arm64)$"
| eval suspicious_child = if(ParentBaseFileName MATCHES "(?i)(trivy|trivy-linux-amd64|trivy-linux-arm64)$"
AND BaseFileName MATCHES "(?i)(curl|wget|nc|ncat|python3?|perl|ruby|bash|sh)$"
AND (CommandLine MATCHES "(?i)(/dev/tcp|base64|exec|implant|reverse|shell)"
OR CommandLine MATCHES "(?i)(wget|curl).+http"), "true", "false")
| eval suspicious_net = if(#event_simpleName IN ("NetworkConnectIP4", "NetworkConnectIP6", "DnsRequest")
AND ImageFileName MATCHES "(?i)(trivy|trivy-linux-amd64|trivy-linux-arm64)$"
AND NOT (RemotePort IN ("443", "80")
AND DomainName MATCHES "(?i)(aquasecurity|ghcr\.io|github\.com)"), "true", "false")
| eval suspicious_file = if(#event_simpleName = "NewExecutableWritten"
AND ImageFileName MATCHES "(?i)(trivy|trivy-linux-amd64|trivy-linux-arm64)$"
AND TargetDirectoryName MATCHES "(?i)(/tmp|/var/tmp|/dev/shm)", "true", "false")
| where suspicious_child = "true" OR suspicious_net = "true" OR suspicious_file = "true"
| groupby [ComputerName, UserName, BaseFileName, CommandLine, ParentBaseFileName, RemoteIP, RemotePort, DomainName, suspicious_child, suspicious_net, suspicious_file]
| sort -count()CrowdStrike Falcon CQL query detecting Trivy process anomalies across process, network, and file events — child interpreter spawns, unauthorized egress, and dropper writes to temp paths indicative of CVE-2026-33634.
Data Sources
Required Tables
False Positives & Tuning
- Trivy plugin ecosystem spawning legitimate helper binaries during extended scan modes
- Operator-configured vulnerability DB mirrors on non-standard ports inside private networks
- Containers where trivy and curl are co-located and curl is called by the scan wrapper script
- Security automation frameworks that instrument trivy output with python-based post-processors
Other platforms for CVE-2026-33634
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Trivy Binary Hash Verification Failure Simulation
Expected signal: ProcessRollup or DeviceProcessEvents event for /tmp/trivy-test with a SHA-256 hash differing from the official trivy binary hash; file creation event for /tmp/trivy-test.
- Test 2Trivy Spawning Reverse Shell Child Process
Expected signal: ProcessRollup event showing trivy (or trivy-named process) as parent of nc/netcat; NetworkConnect event for local port 14444.
- Test 3Trivy Unexpected Outbound Network Connection
Expected signal: NetworkConnect event from a process named 'trivy' (via exec -a) to 169.254.169.254 port 80; DnsRequest or direct IP connection telemetry.
- Test 4Trivy Writing Dropper to Temp Directory
Expected signal: FileCreate event showing a trivy-named process writing an executable file to /dev/shm/; file hash and permissions captured in endpoint telemetry.
Unlock Pro Content
Get the full detection package for CVE-2026-33634 including response playbook, investigation guide, and atomic red team tests.