CVE-2026-21510

CVE-2026-21510: Microsoft Windows Shell Protection Mechanism Failure

Detects exploitation of CVE-2026-21510, a Microsoft Windows Shell protection mechanism failure (CWE-693) that allows attackers to bypass security controls enforced by the Windows Shell. This vulnerability is actively exploited in the wild (CISA KEV). Attackers may abuse this flaw to execute unauthorized code, bypass security prompts, or escalate privileges via crafted shell interactions.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor: Microsoft
Product: Windows

Weakness (CWE)

CWE-693 (Protection Mechanism Failure)

Timeline

Disclosed: February 10, 2026

CVSS

Unscored
Write-up coming soon

What is CVE-2026-21510: Microsoft Windows Shell Protection Mechanism Failure?

CVE-2026-21510 (Microsoft Windows Shell Protection Mechanism Failure) maps to the MITRE ATT&CK tactics Defense Evasion, Privilege Escalation and Execution; the Defense Evasion mapping reflects that the adversary is trying to avoid being detected.

This page provides production-ready detection logic for CVE-2026-21510: Microsoft Windows Shell Protection Mechanism Failure, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel DeviceProcessEvents. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Defense Evasion, Privilege Escalation, Execution
Microsoft Sentinel / Defender (KQL)
// Parents that should not normally spawn an interactive or scripting shell directly
let SuspiciousShellParents = dynamic(["winlogon.exe", "services.exe", "svchost.exe", "lsass.exe", "csrss.exe"]);
// Shell and script hosts whose unexpected creation is the signal
let ShellProcesses = dynamic(["explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
DeviceProcessEvents
| where TimeGenerated > ago(7d)   // Sentinel column; in Defender Advanced Hunting the equivalent is Timestamp
| where
    // 1. shell or script host spawned directly by a privileged system process
    (FileName in~ (ShellProcesses) and InitiatingProcessFileName in~ (SuspiciousShellParents))
    // 2. explorer.exe started with COM/automation switches by something other than the normal logon chain
    or (FileName =~ "explorer.exe" and ProcessCommandLine has_any ("/factory", "/select", "-Embedding") and InitiatingProcessFileName !in~ ("userinit.exe", "explorer.exe"))
    // 3. explorer.exe launching a command shell without an open/explore verb on its own command line
    or (InitiatingProcessFileName =~ "explorer.exe" and FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe") and not(InitiatingProcessCommandLine has_any ("open", "explore")))
// Score: system-parent spawns highest, explorer.exe /factory next, everything else baseline
| extend RiskScore = case(
    InitiatingProcessFileName in~ (SuspiciousShellParents) and FileName in~ (ShellProcesses), 90,
    FileName =~ "explorer.exe" and ProcessCommandLine has "/factory", 80,
    70)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, ProcessId, RiskScore, ReportId
| order by RiskScore desc, TimeGenerated desc

Detects suspicious Windows Shell (explorer.exe, cmd.exe, powershell.exe) spawning patterns indicative of protection mechanism bypass. Flags shell processes launched from unexpected system parents and unusual explorer.exe invocations associated with CVE-2026-21510 exploitation.
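To see exactly which events the query above selects and how it scores them, here is an added Python re-implementation of its three `where` clauses and `case()` branches, run over constructed DeviceProcessEvents-style records (example code written for this page, not part of the detection package or of any Microsoft tooling). `has_term` is an approximation of KQL term matching, the sample hosts and command lines are made up, and the CLSID in the `/factory` record is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import Optional
# The two `let` lists from the KQL query above.
SUSPICIOUS_SHELL_PARENTS = {"winlogon.exe", "services.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
SHELL_PROCESSES = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
@dataclass
class ProcessEvent:
    """DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine."""
    device: str
    file_name: str
    cmdline: str
    parent_file_name: str
    parent_cmdline: str

def has_term(text: str, phrase: str) -> bool:
    """Approximates KQL `has`: whole alphanumeric terms, case-insensitive, never a substring match
    (so "explore" does not hit "Explorer.EXE", exactly as in the query)."""
    tok = lambda s: re.findall(r"[a-z0-9]+", s.lower())
    want, got = tok(phrase), tok(text)
    return bool(want) and any(got[i:i + len(want)] == want for i in range(len(got) - len(want) + 1))

def risk_score(ev: ProcessEvent) -> Optional[int]:
    """RiskScore the query assigns to one event, or None when no `where` clause matches."""
    child, parent = ev.file_name.lower(), ev.parent_file_name.lower()
    from_system_parent = child in SHELL_PROCESSES and parent in SUSPICIOUS_SHELL_PARENTS
    odd_explorer = (child == "explorer.exe" and parent not in ("userinit.exe", "explorer.exe")
                    and any(has_term(ev.cmdline, f) for f in ("/factory", "/select", "-Embedding")))
    shell_from_explorer = (parent == "explorer.exe" and child in ("cmd.exe", "powershell.exe", "pwsh.exe")
                           and not any(has_term(ev.parent_cmdline, v) for v in ("open", "explore")))
    if not (from_system_parent or odd_explorer or shell_from_explorer):
        return None
    if from_system_parent:                                            # case() branch 1
        return 90
    if child == "explorer.exe" and has_term(ev.cmdline, "/factory"):  # case() branch 2
        return 80
    return 70                                                         # case() default

def run_query(events) -> list:
    """(DeviceName, parent, child, RiskScore) rows ordered by RiskScore desc; ties keep input order."""
    rows = [(ev.device, ev.parent_file_name, ev.file_name, risk_score(ev)) for ev in events]
    return sorted((r for r in rows if r[3] is not None), key=lambda r: -r[3])

SAMPLE_EVENTS = [  # constructed records mirroring the page's test cases and false-positive entries
    ProcessEvent("ws01", "cmd.exe", "cmd.exe", "winlogon.exe", "winlogon.exe"),                          # Test 1
    ProcessEvent("ws02", "explorer.exe", "explorer.exe /factory,{CLSID-PLACEHOLDER}", "powershell.exe", "powershell.exe"),  # Test 2
    ProcessEvent("ws03", "cmd.exe", "cmd.exe", "explorer.exe", r"C:\Windows\Explorer.EXE"),             # user opens a prompt
    ProcessEvent("ws04", "powershell.exe", "powershell.exe -File deploy.ps1", "svchost.exe", "svchost.exe -k netsvcs"),  # Intune/SCCM
    ProcessEvent("ws05", "explorer.exe", "explorer.exe", "userinit.exe", "userinit.exe"),                # normal logon
]
```

Note that the third clause fires on an ordinary Start-menu command prompt (ws03, score 70) because explorer.exe's command line normally carries no open/explore verb, and the svchost.exe-driven deployment (ws04) scores 90, which is why the false-positive list below matters for tuning.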

Severity: high
Confidence: medium

Data Sources

  • Microsoft Defender for Endpoint
  • Microsoft Sentinel DeviceProcessEvents

Required Tables

DeviceProcessEvents

False Positives

  • Legitimate software installers that spawn shell processes from service contexts
  • Remote management tools (e.g., SCCM, Intune) executing shell commands via svchost.exe
  • System administrative scripts invoked during patch deployment or automation workflows
  • COM-based application launch via /factory flag for legitimate shell extensions

Sigma rule & cross-platform mapping

The detection logic above for CVE-2026-21510 (Microsoft Windows Shell Protection Mechanism Failure) is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for Microsoft Sentinel / Defender (KQL), Splunk (SPL), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps (YARA-L) and CrowdStrike LogScale (CQL). In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Shell Spawn from Winlogon Context

    Expected signal: Sysmon Event ID 1: cmd.exe process with ParentImage path containing winlogon.exe or SYSTEM session identifier; Windows Security Event 4688 showing cmd.exe process creation under the SYSTEM account.

  2. Test 2: Explorer.exe Factory Flag Instantiation

    Expected signal: Sysmon Event ID 1: explorer.exe process with CommandLine containing /factory and ParentImage of powershell.exe; corresponding network or registry activity from the new explorer instance.

  3. Test 3: PowerShell Encoded Command via Shell Bypass Chain

    Expected signal: Sysmon Event ID 1: powershell.exe with -EncodedCommand in CommandLine, parent cmd.exe; Sysmon Event ID 3: any outbound connection if the payload includes network activity.

  4. Test 4: Shell Bypass Followed by Discovery Commands

    Expected signal: Sysmon Event ID 1 for cmd.exe (parent: psexec/SYSTEM), then whoami.exe and ipconfig.exe as children within 30 seconds; all events share the same host identifier.

Unlock Pro Content

Get the full detection package for CVE-2026-21510 including response playbook, investigation guide, and atomic red team tests.

Pro content includes: Response Playbook, Investigation Guide, Hunting Queries, Atomic Red Team Tests, Tuning Guidance.
