Microsoft Windows Information Disclosure (CVE-2026-20805)

let timeWindow = 24h;
union DeviceEvents, DeviceProcessEvents
| where Timestamp > ago(timeWindow)
| where DeviceId in (
    DeviceInfo
    | where OSPlatform startswith "Windows"
    | distinct DeviceId
)
| where (ActionType in ("SensitiveFileRead", "CredentialAccess", "KernelDriverLoaded", "NtQuerySystemInformation") or
    (ProcessCommandLine has_any ("NtQuerySystemInformation", "ZwQuerySystemInformation", "ReadProcessMemory", "OpenProcess") and
     InitiatingProcessIntegrityLevel in~ ("Low", "Medium")))
| extend SuspiciousScore = case(
    InitiatingProcessIntegrityLevel =~ "Low" and ActionType == "KernelDriverLoaded", 3,
    ProcessCommandLine has_any ("NtQuerySystemInformation", "ZwQuerySystemInformation"), 2,
    ActionType == "SensitiveFileRead" and InitiatingProcessAccountName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"), 2,
    1)
| where SuspiciousScore >= 2
| summarize EventCount = count(), Actions = make_set(ActionType), Processes = make_set(InitiatingProcessFileName), Score = max(SuspiciousScore) by DeviceId, DeviceName, InitiatingProcessAccountName, bin(Timestamp, 1h)
| where EventCount >= 2
| project Timestamp, DeviceName, DeviceId, AccountName = InitiatingProcessAccountName, Actions, Processes, EventCount, Score
| order by Score desc, EventCount desc

index=wineventlog OR index=sysmon sourcetype IN ("WinEventLog:Security", "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval is_suspicious_api = if(match(CommandLine, "NtQuerySystemInformation|ZwQuerySystemInformation|ReadProcessMemory|VirtualQueryEx"), 1, 0)
| eval is_low_integrity = if(match(IntegrityLevel, "(?i)low|medium"), 1, 0)
| eval is_sensitive_access = if(EventCode IN ("4663", "4656") AND match(ObjectName, "(?i)lsass|sam|security|ntds"), 1, 0)
| eval suspicion_score = (is_suspicious_api * 2) + (is_low_integrity * 1) + (is_sensitive_access * 3)
| where suspicion_score >= 2
| eval host_time = strftime(_time, "%Y-%m-%d %H:%M:%S")
| stats count AS event_count, max(suspicion_score) AS max_score, values(CommandLine) AS commands, values(EventCode) AS event_codes, values(ObjectName) AS objects BY host, User, host_time
| where event_count >= 1
| sort - max_score, - event_count
| table host_time, host, User, event_count, max_score, commands, event_codes, objects

sequence by host.name, user.name with maxspan=5m
  [process where event.type == "start"
    and (process.name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe") or
         process.code_signature.trusted == false)
    and process.token.integrity_level_name in ("low", "medium")]
  [any where event.category == "process"
    and (process.args_count >= 1 and
         (
           process.args : ("*NtQuerySystemInformation*", "*ZwQuerySystemInformation*", "*ReadProcessMemory*", "*OpenProcess*") or
           winlog.event_data.CallTrace : ("*ntdll.dll*", "*kernelbase.dll*")
         ))]
  [file where event.action in ("open", "read")
    and file.path : ("*\\System32\\config\\SAM", "*\\System32\\config\\SECURITY", "*\\NTDS\\ntds.dit", "*\\lsass.exe")]

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "sourceip",
  "destinationip",
  QIDNAME(qid) AS event_name,
  "category",
  CATEGORYNAME(category) AS category_name,
  "EventID",
  "CommandLine",
  "ProcessName",
  "IntegrityLevel",
  COUNT(*) AS event_count
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
  AND starttime > NOW() - 86400000
  AND (
    ("EventID" IN ('4663', '4656') AND
     ("ObjectName" ILIKE '%lsass%' OR "ObjectName" ILIKE '%\\SAM' OR "ObjectName" ILIKE '%\\SECURITY' OR "ObjectName" ILIKE '%ntds.dit%'))
    OR
    ("CommandLine" ILIKE '%NtQuerySystemInformation%' OR
     "CommandLine" ILIKE '%ZwQuerySystemInformation%' OR
     "CommandLine" ILIKE '%ReadProcessMemory%')
  )
  AND ("IntegrityLevel" ILIKE 'Low' OR "IntegrityLevel" ILIKE 'Medium' OR "IntegrityLevel" IS NULL)
GROUP BY event_time, log_source, username, sourceip, destinationip, event_name, category, category_name, EventID, CommandLine, ProcessName, IntegrityLevel
HAVING COUNT(*) >= 1
ORDER BY event_count DESC
LIMIT 500

_sourceCategory=windows* OR _sourceCategory=sysmon*
| parse field=_raw "EventID=*" as event_id nodrop
| parse field=_raw "CommandLine=*" as command_line nodrop
| parse field=_raw "IntegrityLevel=*" as integrity_level nodrop
| parse field=_raw "ObjectName=*" as object_name nodrop
| parse field=_raw "User=*" as user_name nodrop
| parse field=_raw "Computer=*" as computer_name nodrop
| where (event_id in ("4663", "4656") and (
    object_name matches "*lsass*" or
    object_name matches "*\\SAM" or
    object_name matches "*\\SECURITY" or
    object_name matches "*ntds.dit*"
  ))
  OR (
    command_line matches "*NtQuerySystemInformation*" or
    command_line matches "*ZwQuerySystemInformation*" or
    command_line matches "*ReadProcessMemory*"
  )
| where integrity_level in ("Low", "Medium") or integrity_level = ""
| timeslice 1h
| count as event_count by _timeslice, computer_name, user_name, event_id, command_line, object_name, integrity_level
| where event_count >= 1
| sort by event_count desc
| fields _timeslice, computer_name, user_name, event_id, command_line, object_name, integrity_level, event_count

rule cve_2026_20805_windows_info_disclosure {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2026-20805 Windows information disclosure exploitation patterns"
    severity = "HIGH"
    yara_version = "YL2.0"
    rule_version = "1.0"
    reference = "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-20805"
    cve = "CVE-2026-20805"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    $process.principal.hostname = $hostname
    $process.principal.user.userid = $user
    (
      re.regex($process.target.process.command_line, `(?i)(NtQuerySystemInformation|ZwQuerySystemInformation|ReadProcessMemory|VirtualQueryEx)`) or
      $process.target.process.file.full_path = /(?i)(lsass\.exe|ntds\.dit)$/
    )
    $process.principal.process.integrity_level_rid < 8192

    $file_event.metadata.event_type = "FILE_OPEN"
    $file_event.principal.hostname = $hostname
    $file_event.principal.user.userid = $user
    (
      re.regex($file_event.target.file.full_path, `(?i)(\\SAM|\\SECURITY|ntds\.dit|lsass)`) or
      re.regex($file_event.target.file.full_path, `(?i)\\System32\\config\\`)
    )

  match:
    $hostname, $user over 10m

  outcome:
    $risk_score = max(
      if($process.principal.process.integrity_level_rid < 4096, 75, 50) +
      if(re.regex($process.target.process.command_line, `(?i)(NtQuerySystemInformation|ZwQuerySystemInformation)`), 25, 0)
    )

  condition:
    $process and $file_event
}

#event_simpleName IN ("ProcessRollup2", "SyntheticProcessRollup2", "DnsRequest") 
| TargetProcessId != null
| (CommandLine = "*NtQuerySystemInformation*" OR CommandLine = "*ZwQuerySystemInformation*" OR CommandLine = "*ReadProcessMemory*" OR CommandLine = "*VirtualQueryEx*" OR ImageFileName = "*lsass.exe")
| IntegrityLevel IN ("LOW_INTEGRITY", "MEDIUM_INTEGRITY")
| groupBy([ComputerName, UserName, FileName, CommandLine, IntegrityLevel, ImageFileName], function=count(), as=EventCount)
| EventCount >= 1
| join kind=inner (
    #event_simpleName = "PeFileWritten"
    | (TargetFileName = "*\\SAM" OR TargetFileName = "*\\SECURITY" OR TargetFileName = "*ntds.dit" OR TargetFileName = "*lsass*")
    | groupBy([ComputerName, UserName, TargetFileName], function=count(), as=FileAccessCount)
  ) on ComputerName, UserName
| project ComputerName, UserName, FileName, CommandLine, IntegrityLevel, ImageFileName, EventCount, TargetFileName, FileAccessCount
| sort(EventCount, order=desc)