CVE-2026-33646: Mise Arbitrary Code Execution via Tera Template Injection in .tool-versions

let SuspiciousToolVersionsWrite = DeviceFileEvents
| where FileName =~ ".tool-versions" or FileName endswith ".tool-versions"
| where ActionType in ("FileCreated", "FileModified")
| extend FileContent = FileContent_Base64
| where isnotempty(FileContent)
| where base64_decode_tostring(FileContent) matches regex @"\{\%|\{\{|\{#"
| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, FileName, SHA256;
let MiseExecution = DeviceProcessEvents
| where FileName in~ ("mise", "mise.exe") or ProcessCommandLine has_any ("mise install", "mise trust", "mise run", "mise exec", "mise shell")
| project TimeGenerated, DeviceId, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, ProcessId, SHA256;
SuspiciousToolVersionsWrite
| join kind=inner (MiseExecution) on DeviceId
| where MiseExecution_TimeGenerated between (TimeGenerated .. TimeGenerated + 5m)
| project TimeGenerated, DeviceName, AccountName, SuspiciousFile = FileName, ProcessCommandLine, FolderPath
| extend AlertDetails = strcat("Possible Tera template injection in .tool-versions executed via mise on ", DeviceName)

index=endpoint sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "osquery")
(EventCode=11 OR EventCode=1 OR event_type IN ("file_write", "process"))
| eval file_lower=lower(TargetFilename)
| eval proc_lower=lower(Image)
| where (match(file_lower, "\.tool-versions$") AND match(CommandLine, "\{%|\{\{|\{#"))
   OR (match(proc_lower, "(^|/)mise(\.exe)?$") AND match(CommandLine, "install|trust|run|exec|shell"))
| eval event_type=case(
    match(file_lower, "\.tool-versions$"), "tool_versions_write",
    match(proc_lower, "(^|/)mise(\.exe)?$"), "mise_execution",
    true(), "unknown")
| stats values(CommandLine) as commands, values(event_type) as event_types, count by host, user, _time
| where mvcount(event_types) > 1 OR (mvcount(event_types)==1 AND mvfind(event_types, "tool_versions_write") >= 0)
| eval risk_score=90
| table _time, host, user, commands, event_types, risk_score

sequence by host.id with maxspan=5m
  [file where event.action in ("creation", "modification") and
   file.name == ".tool-versions" and
   process.name != null and
   /* Tera template markers in parent command context */
   (process.command_line like~ "*{%*" or process.command_line like~ "*{{*")]
  [process where event.type == "start" and
   (process.name in ("mise", "mise.exe") or
    process.args_count > 0 and
    process.args in ("install", "trust", "run", "exec", "shell"))]

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  "EventID",
  LOWER("TargetFilename") AS target_file,
  "CommandLine" AS command_line
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Linux Auth', 'Sysmon')
  AND (
    (LOWER("TargetFilename") LIKE '%.tool-versions'
     AND ("CommandLine" LIKE '%{%%' OR "CommandLine" LIKE '%{{%'))
    OR
    (LOWER("CommandLine") LIKE '%mise install%'
     OR LOWER("CommandLine") LIKE '%mise trust%'
     OR LOWER("CommandLine") LIKE '%mise exec%'
     OR LOWER("CommandLine") LIKE '%mise run%')
  )
  AND LOGSOURCE_STARTTIME > DATEADD(MINUTE, -60, NOW())
ORDER BY starttime DESC
LAST 3600 SECONDS

_sourceCategory=endpoint/sysmon OR _sourceCategory=endpoint/linux
| where TargetFilename matches "*.tool-versions" or ProcessName matches "*mise*"
| eval has_template = if(CommandLine matches "{%*" or CommandLine matches "{{*", 1, 0)
| eval is_mise_exec = if(ProcessName matches "*mise*" and (CommandLine matches "*install*" or CommandLine matches "*trust*" or CommandLine matches "*exec*" or CommandLine matches "*run*"), 1, 0)
| eval is_tool_versions_write = if(TargetFilename matches "*.tool-versions*" and has_template=1, 1, 0)
| stats sum(is_tool_versions_write) as template_writes, sum(is_mise_exec) as mise_execs by _sourceHost, _sourceIP, _user, _timeslice 5m
| where template_writes > 0 and mise_execs > 0
| sort by _timeslice desc
| fields _timeslice, _sourceHost, _sourceIP, _user, template_writes, mise_execs

rule mise_tera_template_code_execution {
  meta:
    author = "df00tech detection engineering"
    description = "Detects CVE-2026-33646: Tera template injection in .tool-versions processed by mise"
    severity = "CRITICAL"
    priority = "HIGH"

  events:
    $file_write.metadata.event_type = "FILE_CREATION" or $file_write.metadata.event_type = "FILE_MODIFICATION"
    $file_write.target.file.full_path = /\.tool-versions$/
    $file_write.principal.hostname = $host
    $file_write.metadata.event_timestamp.seconds = $t1

    $proc_exec.metadata.event_type = "PROCESS_LAUNCH"
    ($proc_exec.target.process.file.full_path = /\/mise$/ or
     $proc_exec.target.process.file.full_path = /\\mise\.exe$/)
    $proc_exec.principal.hostname = $host
    $proc_exec.metadata.event_timestamp.seconds = $t2

  condition:
    $file_write and $proc_exec and
    $t2 >= $t1 and
    ($t2 - $t1) <= 300
}

#event_simpleName IN ("FileWritten", "ProcessRollup2")
| $FileWritten = ($event_simpleName = "FileWritten" AND TargetFileName MATCHES "\.tool-versions$")
| $MiseExec = ($event_simpleName = "ProcessRollup2" AND (ImageFileName MATCHES "(^|/)mise$" OR ImageFileName MATCHES "(^|\\\\)mise\.exe$") AND (CommandLine MATCHES "install|trust|run|exec|shell"))
| groupby([aid, ComputerName], function=[collect(TargetFileName, limit=5), collect(CommandLine, limit=5), count($FileWritten, as=file_writes), count($MiseExec, as=mise_execs)])
| where file_writes > 0 AND mise_execs > 0
| sort(mise_execs, order=desc)
| select([ComputerName, aid, file_writes, mise_execs, TargetFileName, CommandLine])