CVE-2026-21510 Splunk · SPL

Detect CVE-2026-21510: Microsoft Windows Shell Protection Mechanism Failure in Splunk

Detects exploitation of CVE-2026-21510, a Microsoft Windows Shell protection mechanism failure (CWE-693) that allows attackers to bypass security controls enforced by the Windows Shell. This vulnerability is actively exploited in the wild (CISA KEV). Attackers may abuse this flaw to execute unauthorized code, bypass security prompts, or escalate privileges via crafted shell interactions.

MITRE ATT&CK

Tactics: Defense Evasion, Privilege Escalation, Execution

SPL Detection Query

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval ParentImage=lower(ParentImage), Image=lower(Image)
| eval ParentBasename=mvindex(split(ParentImage, "\\"), -1)
| eval ChildBasename=mvindex(split(Image, "\\"), -1)
| eval cmd=lower(coalesce(CommandLine, "")), pcmd=lower(coalesce(ParentCommandLine, ""))
| where (ParentBasename IN ("winlogon.exe", "services.exe", "svchost.exe", "lsass.exe", "csrss.exe") AND ChildBasename IN ("explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"))
  OR (ChildBasename="explorer.exe" AND (like(cmd, "%/factory%") OR like(cmd, "%-embedding%")) AND NOT ParentBasename IN ("userinit.exe", "explorer.exe"))
  OR (ParentBasename="explorer.exe" AND ChildBasename IN ("cmd.exe", "powershell.exe", "pwsh.exe") AND NOT (like(pcmd, "%open%") OR like(pcmd, "%explore%")))
| eval RiskScore=case(
    ParentBasename IN ("winlogon.exe","services.exe","svchost.exe","lsass.exe","csrss.exe") AND ChildBasename IN ("explorer.exe","cmd.exe","powershell.exe"), 90,
    ChildBasename="explorer.exe" AND like(cmd, "%/factory%"), 80,
    true(), 70
  )
| table _time, host, User, ParentImage, Image, CommandLine, ParentCommandLine, ProcessId, ParentProcessId, RiskScore
| sort -RiskScore _time
Severity: high. Confidence: medium.

This Splunk query uses Sysmon EventCode 1 (Process Create) to identify Windows Shell protection bypass patterns. It detects shell processes spawning from anomalous parents and suspicious explorer.exe launch arguments linked to CVE-2026-21510. Note that wildcard matching inside a `where` clause needs like(); a bare `field="*x*"` comparison there is an exact string match and never fires.
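To unit-test the rule logic offline before deploying it, the following Python re-implementation mirrors the three match branches and the RiskScore assignment of the SPL above against constructed Sysmon Event ID 1 records. This is an added example, not code from the original page; the sample events, paths, timestamps and CLSID are placeholders.

```python
# Offline mirror of the SPL detection above, for unit-testing the rule logic
# against constructed Sysmon Event ID 1 records (not real telemetry).
from typing import Optional

PRIVILEGED_PARENTS = {"winlogon.exe", "services.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
SHELL_CHILDREN = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe"}
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
HIGH_RISK_CHILDREN = {"explorer.exe", "cmd.exe", "powershell.exe"}

def basename(path: str) -> str:
    """Same as the SPL mvindex(split(lower(path), "\\"), -1)."""
    return path.lower().rsplit("\\", 1)[-1]

def score_event(ev: dict) -> Optional[int]:
    """Return the rule's RiskScore (90/80/70) for a matching event, else None."""
    parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()         # wildcard "*x*" -> substring test
    pcmd = ev.get("ParentCommandLine", "").lower()  # absent field treated as ""
    # Branch 1: privileged system process spawning a shell
    privileged_to_shell = parent in PRIVILEGED_PARENTS and child in SHELL_CHILDREN
    # Branch 2: explorer.exe started with COM-activation flags by an unexpected parent
    factory_launch = (child == "explorer.exe" and ("/factory" in cmd or "-embedding" in cmd)
                      and parent not in {"userinit.exe", "explorer.exe"})
    # Branch 3: explorer.exe spawning a shell. The "*explore*" exclusion also matches the
    # parent's own path (...\explorer.exe), so this fires only when ParentCommandLine is empty.
    explorer_to_shell = (parent == "explorer.exe" and child in INTERACTIVE_SHELLS
                         and "open" not in pcmd and "explore" not in pcmd)
    if not (privileged_to_shell or factory_launch or explorer_to_shell):
        return None
    if parent in PRIVILEGED_PARENTS and child in HIGH_RISK_CHILDREN:
        return 90
    if child == "explorer.exe" and "/factory" in cmd:
        return 80
    return 70   # e.g. svchost.exe -> mshta.exe lands here, not at 90

def run_detection(events: list) -> list:
    """Score every record and order hits like the SPL: RiskScore desc, then _time asc."""
    hits = [(s, ev) for ev in events if (s := score_event(ev)) is not None]
    return sorted(hits, key=lambda h: (-h[0], h[1].get("_time", "")))

# Constructed sample telemetry; paths, times and the CLSID are placeholders.
SAMPLE_EVENTS = [
    {"_time": "2026-01-10T09:00:01", "ParentImage": "C:\\Windows\\System32\\winlogon.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"_time": "2026-01-10T09:00:02", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe /factory,{PLACEHOLDER-CLSID}"},
    {"_time": "2026-01-10T09:00:03", "ParentImage": "C:\\Windows\\System32\\userinit.exe",
     "Image": "C:\\Windows\\explorer.exe", "CommandLine": "C:\\Windows\\Explorer.EXE"},
]
```

Feeding the test cases from the Testing Methodology section through run_detection() shows which ones the rule scores at 90, 80 or 70 and which it misses, which is the quickest way to validate a tuning change.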

Data Sources

Sysmon, Windows Event Logs

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • SCCM or Intune management agents spawning shell processes for software deployment
  • Legitimate COM activation of explorer.exe with /factory argument by registered shell extensions
  • Pentest or red team activities using authorized tooling that mimics shell invocation patterns
  • Automated build or CI/CD pipeline agents running on Windows hosts that invoke shell commands


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Shell Spawn from Winlogon Context

    Expected signal: Sysmon Event ID 1: cmd.exe process with ParentImage path containing winlogon.exe or SYSTEM session identifier; Windows Security Event 4688 showing cmd.exe process creation under SYSTEM account.

  2. Test 2: Explorer.exe Factory Flag Instantiation

    Expected signal: Sysmon Event ID 1: explorer.exe process with CommandLine containing /factory and ParentImage of powershell.exe; corresponding network or registry activity from the new explorer instance.

  3. Test 3: PowerShell Encoded Command via Shell Bypass Chain

    Expected signal: Sysmon Event ID 1: powershell.exe with -EncodedCommand in CommandLine, parent cmd.exe; Sysmon Event ID 3: any outbound connection if payload includes network activity.

  4. Test 4: Shell Bypass Followed by Discovery Commands

    Expected signal: Sysmon Event ID 1 for cmd.exe (parent: psexec/SYSTEM), then whoami.exe and ipconfig.exe as its children within 30 seconds; all events share the same host identifier.
