rule bulwark_https_bulwarkblack_com_ivanti_patches_two_critical_epmm_zero_day_vulnerabilities_under_a
{
    meta:
        author = "Bulwark Black LLC"
        source = "https://bulwarkblack.com/ivanti-patches-two-critical-epmm-zero-day-vulnerabilities-under-active-exploitation/"
        description = "Auto-extracted indicators. Verify before use; not a behavioral detection rule."
        generated = "2026-07-15T22:32:11Z"
        tlp = "TLP:CLEAR"
        indicator_count = "5"
    strings:
        $s0 = "help.ivanti.com" ascii wide nocase  // Domains
        $s1 = "https://help.ivanti.com/mi/help/en_us/core/11.x/gsg/CoreGettingStarted/Configuring_LDAP_servers.htm" ascii wide nocase  // URLs
        $s2 = "12.5.1.0" ascii wide nocase  // IPv4
        $s3 = "12.6.1.0" ascii wide nocase  // IPv4
        $s4 = "12.8.0.0" ascii wide nocase  // IPv4
    condition:
        any of ($s*)
}
