Detect CVE-2026-21510: Microsoft Windows Shell Protection Mechanism Failure in Elastic Security
Detects exploitation of CVE-2026-21510, a Microsoft Windows Shell protection mechanism failure (CWE-693) that allows attackers to bypass security controls enforced by the Windows Shell. This vulnerability is actively exploited in the wild (CISA KEV). Attackers may abuse this flaw to execute unauthorized code, bypass security prompts, or escalate privileges via crafted shell interactions.
Elastic Detection Query

```eql
sequence by host.name with maxspan=30s
  [process where event.action == "start"
    and process.name in~ ("explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
    and process.parent.name in~ ("winlogon.exe", "services.exe", "svchost.exe", "lsass.exe", "csrss.exe")]
  [process where event.action == "start"
    and process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "net.exe", "whoami.exe", "ipconfig.exe")
    and process.parent.name in~ ("explorer.exe", "cmd.exe", "powershell.exe")]
```

This Elastic EQL sequence identifies a two-stage shell bypass chain: an unexpected shell process spawned from a system-level parent, followed within 30 seconds on the same host by a discovery or execution command. Requiring both stages in order raises confidence that the activity reflects active CVE-2026-21510 exploitation rather than an isolated shell launch.
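To make the sequence semantics concrete, the following Python is an added example (not code from this page or from Elastic) that re-implements the two-stage rule over constructed process-start events. Field names mirror the ECS fields the query uses; the `in~` operator is modelled as a case-insensitive membership test, and the join-by-host and 30-second window are applied explicitly. The event records are invented sample data, and the matching logic is a simplification of Elastic's EQL engine rather than a faithful port of it.

```python
from datetime import datetime, timedelta

# Stage 1: a shell or script host spawned by a system-level parent.
STAGE1_CHILDREN = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                   "wscript.exe", "cscript.exe", "mshta.exe"}
STAGE1_PARENTS = {"winlogon.exe", "services.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
# Stage 2: a discovery or execution command launched from that shell.
STAGE2_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "net.exe", "whoami.exe", "ipconfig.exe"}
STAGE2_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
MAXSPAN = timedelta(seconds=30)  # mirrors "with maxspan=30s"


def _is_start(ev, children, parents):
    # EQL's in~ is a case-insensitive membership test, hence .lower()
    return (ev["event.action"] == "start"
            and ev["process.name"].lower() in children
            and ev["process.parent.name"].lower() in parents)


def is_stage1(ev):
    return _is_start(ev, STAGE1_CHILDREN, STAGE1_PARENTS)


def is_stage2(ev):
    return _is_start(ev, STAGE2_CHILDREN, STAGE2_PARENTS)


def find_sequences(events, maxspan=MAXSPAN):
    """Return (host, stage1_event, stage2_event) triples.

    Events are joined by host.name (the "sequence by" key), ordered by
    time, and stage 2 must follow stage 1 by no more than maxspan.
    """
    pending = {}  # host.name -> unmatched stage-1 events, oldest first
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        host = ev["host.name"]
        if is_stage2(ev):
            # Keep only stage-1 candidates still inside the window; expired
            # ones are dropped so per-host state cannot grow without bound.
            live = [s1 for s1 in pending.get(host, [])
                    if ev["@timestamp"] - s1["@timestamp"] <= maxspan]
            pending[host] = live
            if live:
                hits.append((host, live.pop(0), ev))  # consume oldest match
        if is_stage1(ev):
            pending.setdefault(host, []).append(ev)
    return hits


def _ev(ts, host, name, parent, action="start"):
    # Hypothetical helper building an ECS-shaped process event
    return {"@timestamp": datetime.fromisoformat(ts), "host.name": host,
            "event.action": action, "process.name": name,
            "process.parent.name": parent}


# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    _ev("2026-03-01T10:00:00", "ws-01", "CMD.EXE", "winlogon.exe"),        # stage 1 (mixed case)
    _ev("2026-03-01T10:00:04", "ws-01", "whoami.exe", "cmd.exe"),          # stage 2, 4 s later -> alert
    _ev("2026-03-01T10:05:00", "ws-02", "powershell.exe", "svchost.exe"),  # stage 1
    _ev("2026-03-01T10:05:45", "ws-02", "net.exe", "powershell.exe"),      # 45 s later -> outside maxspan
    _ev("2026-03-01T10:05:10", "ws-03", "whoami.exe", "cmd.exe"),          # stage 2 with no stage 1 on host
    _ev("2026-03-01T10:07:00", "ws-04", "cmd.exe", "services.exe", action="end"),  # not a start event
]

if __name__ == "__main__":
    for host, s1, s2 in find_sequences(SAMPLE_EVENTS):
        print(f"{host}: {s1['process.parent.name']} -> {s1['process.name']} "
              f"-> {s2['process.name']} within {s2['@timestamp'] - s1['@timestamp']}")
```

Only the ws-01 chain fires: ws-02 is outside the 30-second window, ws-03 has no qualifying first stage, and the ws-04 record is not a process start. Tuning for the false positives listed on this page (patch-cycle administrative tooling, scheduled security scans) belongs in the stage predicates, for example as an allowlist on the stage-1 parent or command line, rather than in the sequencing logic.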
False Positives & Tuning
- Legitimate administrative tools that launch shells from service contexts during patch cycles
- Security software performing scheduled scans that spawn child shell processes
- Automated system maintenance scripts triggering sequential shell commands within the detection window
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Shell Spawn from Winlogon Context
Expected signal: Sysmon Event ID 1: cmd.exe process with ParentImage path containing winlogon.exe or SYSTEM session identifier; Windows Security Event 4688 showing cmd.exe process creation under the SYSTEM account.
- Test 2: Explorer.exe Factory Flag Instantiation
Expected signal: Sysmon Event ID 1: explorer.exe process with CommandLine containing /factory and ParentImage of powershell.exe; corresponding network or registry activity from the new explorer instance.
- Test 3: PowerShell Encoded Command via Shell Bypass Chain
Expected signal: Sysmon Event ID 1: powershell.exe with -EncodedCommand in CommandLine, parent cmd.exe; Sysmon Event ID 3: any outbound connection if the payload includes network activity.
- Test 4: Shell Bypass Followed by Discovery Commands
Expected signal: Sysmon Event ID 1 for cmd.exe (parent: psexec/SYSTEM), then whoami.exe and ipconfig.exe as children within 30 seconds; all events share the same host identifier.