CrushFTP Authentication Bypass Exploitation

Splunk Security Content

Summary
This analytic rule detects exploitation attempts associated with a known authentication bypass vulnerability in CrushFTP, identified as CVE-2025-31161. Attackers who exploit this vulnerability tend to execute specific commands that can compromise the CrushFTP server. The detection leverages CrushFTP log data in Splunk to identify patterns indicative of such exploitation attempts. Key indicators include the execution of commands such as 'mesch.exe', 'b64exec', or 'fullinstall'. The rule parses the logs for command executions involving these keywords and tracks their occurrence over time, providing early warning of possible unauthorized access or post-exploitation activity. The setup requires forwarding CrushFTP logs to a Splunk instance, where the rule can be implemented and monitored for abnormal behaviour suggesting exploitation of this vulnerability. Special attention to potential false positives is advised, particularly where legitimate administrative actions might trigger the detection criteria. The rule relies on Splunk's search and filtering to analyze matching events accurately.
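As an added illustration (not part of the Splunk Security Content rule, which is written in SPL), the keyword match and per-actor occurrence tracking the summary describes, run in Python over constructed log lines; the pipe-separated log layout and the host and user fields are assumptions, since the page gives neither the CrushFTP log format nor the rule's field names.

```python
import re
from collections import defaultdict
from datetime import datetime
# Indicator strings named in the rule summary.
INDICATORS = ("mesch.exe", "b64exec", "fullinstall")
# Constructed sample lines in an assumed "timestamp|host|user|message" layout;
# the real CrushFTP log format and Splunk field names are not given on the page.
SAMPLE_LOG = """\
2025-04-08T10:01:02Z|ftp01|alice|STOR /home/alice/report.pdf
2025-04-08T10:02:15Z|ftp01|crushadmin|SITE EXEC b64exec aGVsbG8=
2025-04-08T10:02:44Z|ftp01|crushadmin|SITE EXEC fullinstall
2025-04-08T10:03:10Z|ftp02|bob|RETR /pub/readme.txt
2025-04-08T10:05:30Z|ftp01|crushadmin|mesch.exe launched
"""
LINE_RE = re.compile(r"^(?P<ts>\S+)\|(?P<host>[^|]+)\|(?P<user>[^|]+)\|(?P<msg>.*)$")


def parse_line(line):
    """Return ts/host/user/msg for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_indicator_events(log_text):
    """Keep events whose message contains one of the rule's keywords (case-insensitive)."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        matched = [k for k in INDICATORS if k in ev["msg"].lower()]
        if matched:
            ev["indicators"] = matched
            hits.append(ev)
    return hits


def summarize_by_actor(hits):
    """Per (host, user): hit count, distinct indicators, first/last seen: a triage view, not a verdict."""
    out = defaultdict(lambda: {"count": 0, "indicators": set(), "first_seen": None, "last_seen": None})
    for ev in hits:
        row = out[(ev["host"], ev["user"])]
        row["count"] += 1
        row["indicators"].update(ev["indicators"])
        row["first_seen"] = min(filter(None, [row["first_seen"], ev["ts"]]))
        row["last_seen"] = max(filter(None, [row["last_seen"], ev["ts"]]))
    return dict(out)
```

A single hit from an administrator running one of these commands is the false-positive case the summary warns about; the per-actor count, indicator set and time span give the analyst the context to tell routine administration from a burst of post-exploitation activity.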
Categories
  • Web
  • Network
Data Sources
  • Pod
  • Container
  • User Account
  • Application Log
ATT&CK Techniques
  • T1190
  • T1059.003
  • T1059.001
Created: 2025-04-08