Detect Microsoft Windows Information Disclosure (CVE-2026-20805) in Google Chronicle
Detects exploitation of CVE-2026-20805, a Microsoft Windows information disclosure vulnerability (CWE-200) that allows attackers to access sensitive memory or kernel data. This vulnerability is actively exploited in the wild (CISA KEV). Successful exploitation may expose credentials, memory contents, or system information that enables privilege escalation or lateral movement.
MITRE ATT&CK
YARA-L Detection Query
rule cve_2026_20805_windows_info_disclosure {
meta:
author = "df00tech Detection Engineering"
description = "Detects CVE-2026-20805 Windows information disclosure exploitation patterns"
severity = "HIGH"
yara_version = "YL2.0"
rule_version = "1.0"
reference = "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-20805"
cve = "CVE-2026-20805"
events:
$process.metadata.event_type = "PROCESS_LAUNCH"
$process.principal.hostname = $hostname
$process.principal.user.userid = $user
(
re.regex($process.target.process.command_line, `(?i)(NtQuerySystemInformation|ZwQuerySystemInformation|ReadProcessMemory|VirtualQueryEx)`) or
$process.target.process.file.full_path = /(?i)(lsass\.exe|ntds\.dit)$/
)
$process.principal.process.integrity_level_rid < 8192
$file_event.metadata.event_type = "FILE_OPEN"
$file_event.principal.hostname = $hostname
$file_event.principal.user.userid = $user
(
re.regex($file_event.target.file.full_path, `(?i)(\\SAM|\\SECURITY|ntds\.dit|lsass)`) or
re.regex($file_event.target.file.full_path, `(?i)\\System32\\config\\`)
)
match:
$hostname, $user over 10m
outcome:
$risk_score = max(
if($process.principal.process.integrity_level_rid < 4096, 75, 50) +
if(re.regex($process.target.process.command_line, `(?i)(NtQuerySystemInformation|ZwQuerySystemInformation)`), 25, 0)
)
condition:
$process and $file_event
}Chronicle YARA-L 2.0 rule correlating low-integrity process API calls (NtQuerySystemInformation family) with subsequent sensitive file access events within a 10-minute window on the same host and user context, indicative of CVE-2026-20805 exploitation.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate security monitoring tools operating at reduced integrity for sandboxing purposes
- Authorized penetration testing generating correlated process and file access patterns
- Software installers or updaters that read system configuration during setup sequences
- Enterprise management agents performing system inventory with delegated access rights
Other platforms for CVE-2026-20805
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1NtQuerySystemInformation via PowerShell P/Invoke
Expected signal: Sysmon Event ID 1 (Process Create) for powershell.exe; Windows Event ID 4688 if process command line auditing is enabled; EDR process telemetry capturing the PowerShell invocation with P/Invoke patterns.
- Test 2LSASS Handle Open with VM_READ Access
Expected signal: Sysmon Event ID 10 (ProcessAccess) with TargetImage=lsass.exe, GrantedAccess=0x0010 (PROCESS_VM_READ), SourceImage=powershell.exe; Windows Security Event ID 4656 for handle request to LSASS process object.
- Test 3Sensitive Registry Hive Access from Low Integrity Context
Expected signal: Windows Security Event ID 4663 with ObjectName containing SECURITY hive path; Sysmon Event ID 1 for process creation with low integrity level token; Event ID 4656 for registry key open with sensitive access mask.
Unlock Pro Content
Get the full detection package for CVE-2026-20805 including response playbook, investigation guide, and atomic red team tests.