Detection rules

YARA, Suricata, Sigma and host-hunt rules pulled from the reports. Click a rule to see the full text and every post that uses it, or pull the set as JSON via the feed. We don't serve loadable rule files by design — copy and review before you deploy.

Type	Rule	Posts	Last seen
suricata	ATTACK Docker create body binds host root filesystem	1	2026-06-16
suricata	ATTACK Docker create body uses chroot for host-namespace escape	1	2026-06-16
suricata	ATTACK dockerpwn persistence script delivery in HTTP request body	1	2026-06-16
suricata	ATTACK Inbound Docker Engine API container create from external source	1	2026-06-16
suricata	ATTACK Inbound Docker Engine API exec/start from external source	1	2026-06-16
suricata	ATTACK 'Polly for Sonya' Cyrillic-language Docker pwn tooling marker	1	2026-06-16
suricata	C2 VoidLink agent binary download (fleet-agent-linux)	1	2026-06-16
suricata	C2 VoidLink agent enrolment (POST /api/agents/enroll)	1	2026-06-16
suricata	C2 VoidLink agent WebSocket channel (GET /ws/agent)	1	2026-06-16
suricata	C2 VoidLink bootstrap fetch, token-shape key (EXPERIMENTAL)	1	2026-06-16
suricata	C2 VoidLink bootstrap install script fetch	1	2026-06-16
host	daemon.json.disabled-by-dockerpwn fallback artifact	1	2026-06-16
host	docker logs audit for PWN COMPLETE / dockerpwn	1	2026-06-16
host	dockerpwn managed ssh marker in sshd_config	1	2026-06-16
yara	DockerPwn_v2_Universal_Persistence_Script	1	2026-06-16
host	Docker systemd override audit	1	2026-06-16
host	ed25519 marker key in authorized_keys	1	2026-06-16
host	LD_PRELOAD rootkit hook in the agent systemd unit	1	2026-06-16
suricata	POLICY Inbound Docker Engine API container create from internal source	1	2026-06-16
suricata	POLICY Inbound Docker Engine API exec/start from internal source	1	2026-06-16
host	/tmp/pwn.sh content signature	1	2026-06-16
yara	VoidLink_FleetAgent	1	2026-06-16
host	VoidLink on-disk footprint	1	2026-06-16