Detect CVE-2026-21513 — Microsoft MSHTML Framework Protection Mechanism Failure in CrowdStrike LogScale
Detects exploitation of CVE-2026-21513, a protection mechanism failure (CWE-693) in the Microsoft MSHTML framework on Windows. This KEV-listed vulnerability allows attackers to bypass security controls implemented in MSHTML, potentially enabling code execution via crafted web content processed by Internet Explorer compatibility components, Microsoft Office documents embedding web content, or applications using the WebBrowser control. Active exploitation has been confirmed by CISA.
MITRE ATT&CK
LogScale Detection Query
event_simpleName IN ("ProcessRollup2", "NetworkConnectIP4", "ClassifiedModuleLoad")
| eval parent_lower = lower(ParentBaseFileName)
| eval image_lower = lower(ImageFileName)
| where (
(
event_simpleName = "ProcessRollup2"
AND match(parent_lower, `(winword|excel|powerpnt|outlook|mspub|msaccess|onenote)\.exe`)
AND match(image_lower, `(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32)\.exe`)
)
OR (
event_simpleName = "ClassifiedModuleLoad"
AND match(lower(TargetFileName), `(mshtml|jscript9?|vbscript|ieframe)\.dll`)
AND match(parent_lower, `(winword|excel|powerpnt|outlook|mspub|msaccess)\.exe`)
)
OR (
event_simpleName = "NetworkConnectIP4"
AND match(image_lower, `(mshta|dllhost)\.exe`)
AND NOT cidrmatch("10.0.0.0/8", RemoteAddressIP4)
AND NOT cidrmatch("172.16.0.0/12", RemoteAddressIP4)
AND NOT cidrmatch("192.168.0.0/16", RemoteAddressIP4)
)
)
| eval alert_type = case(
event_simpleName = "ProcessRollup2", "ChildProcess",
event_simpleName = "ClassifiedModuleLoad", "ModuleLoad",
event_simpleName = "NetworkConnectIP4", "NetworkCallback",
true(), "Unknown"
)
| stats count AS event_count, values(alert_type) AS alert_types, values(CommandLine) AS commands
BY aid, ComputerName, UserName, ParentBaseFileName, ImageFileName
| where event_count >= 1
| sort -event_countCrowdStrike Falcon Query Language detection for CVE-2026-21513 covering process spawning anomalies, MSHTML-family module loads in Office context, and suspicious external network connections from MSHTML processes.
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike-excluded processes or Office automation tools whitelisted by policy
- Vendor Office plugins making authorized external calls for license validation
- IT operations teams running scripts via Office for fleet management tasks
- Security testing tools or red team exercises using Office-based payloads
Other platforms for CVE-2026-21513
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1MSHTML MkNode Method Invocation via mshta.exe
Expected signal: Sysmon Event ID 1 showing mshta.exe spawning cmd.exe; Sysmon Event ID 7 showing mshtml.dll and vbscript.dll loaded by mshta.exe; Process creation events in Windows Security Log (Event ID 4688)
- Test 2Office Document Spawning Scripting Engine via MSHTML
Expected signal: Process creation events showing WINWORD.EXE as parent of cmd.exe or powershell.exe; MSHTML DLL load events in Sysmon EventID 7 for the Office process; Network events if payload attempts callback
- Test 3rundll32.exe MSHTML Script Execution via ieframe.dll
Expected signal: Sysmon Event ID 1 for rundll32.exe execution; Event ID 7 showing ieframe.dll and mshtml.dll loaded by rundll32.exe; Any network connections initiated by the rundll32.exe process to external hosts
- Test 4PowerShell WebBrowser COM Object MSHTML Load
Expected signal: PowerShell process creation event; mshtml.dll loaded into powershell.exe process space (Sysmon Event ID 7); Potential network connection if URL is replaced with live payload URL
Unlock Pro Content
Get the full detection package for CVE-2026-21513 including response playbook, investigation guide, and atomic red team tests.