import "hash"

rule bulwark_https_bulwarkblack_com_ivanti_epmm_zero_days_actively_exploited_pre_auth_rce_via_bash_ar
{
    meta:
        author = "Bulwark Black LLC"
        source = "https://bulwarkblack.com/ivanti-epmm-zero-days-actively-exploited-pre-auth-rce-via-bash-arithmetic-expansion/"
        description = "Auto-extracted indicators. Verify before use; not a behavioral detection rule."
        generated = "2026-07-15T22:32:11Z"
        tlp = "TLP:CLEAR"
        indicator_count = "5"
    strings:
        $s0 = "forums.ivanti.com" ascii wide nocase  // Domains
        $s1 = "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US" ascii wide nocase  // URLs
        $s2 = "12.7.0.0" ascii wide nocase  // IPv4
        $s3 = "12.8.0.0" ascii wide nocase  // IPv4
    condition:
        any of ($s*) or
        hash.sha256(0, filesize) == "123aabf796106cfb2ab40cbbd43ba5b44fd937f1a5856e0a95640ba6f9d71843"
}
