Detect CVE-2026-21513 — Microsoft MSHTML Framework Protection Mechanism Failure in Microsoft Sentinel
Detects exploitation of CVE-2026-21513, a protection mechanism failure (CWE-693) in the Microsoft MSHTML framework on Windows. This KEV-listed vulnerability allows attackers to bypass security controls implemented in MSHTML, potentially enabling code execution via crafted web content processed by Internet Explorer compatibility components, Microsoft Office documents embedding web content, or applications using the WebBrowser control. Active exploitation has been confirmed by CISA.
KQL Detection Query
let timeframe = 24h;
// Office processes that should rarely host MSHTML-driven script execution
let suspiciousMshtmlParents = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mspub.exe", "msaccess.exe", "onenote.exe", "visio.exe"]);
// MSHTML / legacy IE script engine modules
let mshtmlIndicators = dynamic(["mshtml.dll", "ieframe.dll", "jscript.dll", "jscript9.dll", "vbscript.dll"]);
union
(
// Branch 1: Office parent spawning a script host or LOLBin
DeviceProcessEvents
| where Timestamp > ago(timeframe)
| where InitiatingProcessFileName has_any (suspiciousMshtmlParents)
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
| project Timestamp, DeviceId, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath
| extend AlertType = "MSHTML_ChildProcess"
),
(
// Branch 2: MSHTML-related DLLs loaded into an Office process
DeviceImageLoadEvents
| where Timestamp > ago(timeframe)
| where InitiatingProcessFileName has_any (suspiciousMshtmlParents)
| where FileName has_any (mshtmlIndicators)
| project Timestamp, DeviceId, DeviceName, AccountName, InitiatingProcessFileName, FileName, FolderPath
| extend AlertType = "MSHTML_DLLLoad"
),
(
// Branch 3: outbound web traffic from processes commonly used to host MSHTML content
DeviceNetworkEvents
| where Timestamp > ago(timeframe)
| where InitiatingProcessFileName has_any ("mshta.exe", "dllhost.exe", "svchost.exe")
| where RemoteIPType != "Private"
| where RemotePort in (80, 443, 8080, 8443)
| project Timestamp, DeviceId, DeviceName, AccountName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort
| extend AlertType = "MSHTML_NetworkCallback"
)
// Correlate the three branches per device, account and one-hour bucket
| summarize AlertCount = count(), AlertTypes = make_set(AlertType) by DeviceId, DeviceName, AccountName, bin(Timestamp, 1h)
// count() is always at least 1 after summarize, so this threshold is a tuning point rather than a filter
| where AlertCount >= 1

Detects suspicious MSHTML framework activity, including child processes spawned from Office applications, MSHTML DLL loads in unexpected contexts, and network callbacks from MSHTML-related processes. Correlates process, image load, and network events to identify exploitation patterns of CVE-2026-21513.
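To see how the three branches correlate per device, account and hour bucket, here is an added Python emulation of the query's logic run over constructed sample rows. It is not part of the original page or of Microsoft's tooling; the row layout and the `triage` threshold on distinct alert types are assumptions added to show why single-branch hits (Outlook loading mshtml.dll, svchost.exe reaching the internet) need tuning.

```python
from collections import defaultdict
from datetime import datetime

# Allow-lists copied from the KQL above; matching is case-insensitive like has_any / in~.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mspub.exe", "msaccess.exe", "onenote.exe", "visio.exe"}
MSHTML_DLLS = {"mshtml.dll", "ieframe.dll", "jscript.dll", "jscript9.dll", "vbscript.dll"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
NET_PARENTS = {"mshta.exe", "dllhost.exe", "svchost.exe"}
WEB_PORTS = {80, 443, 8080, 8443}

# Constructed sample telemetry (not real data), one dict per Advanced Hunting row.
SAMPLE_EVENTS = [
    # Test 2 shape: Word spawns PowerShell, mshtml.dll loads into Word, mshta.exe calls out
    {"table": "Process", "ts": "2026-03-01T10:05:00", "device": "WS01", "user": "alice", "parent": "WINWORD.EXE", "file": "powershell.exe"},
    {"table": "ImageLoad", "ts": "2026-03-01T10:05:02", "device": "WS01", "user": "alice", "parent": "WINWORD.EXE", "file": "mshtml.dll"},
    {"table": "Network", "ts": "2026-03-01T10:06:10", "device": "WS01", "user": "alice", "parent": "mshta.exe", "ip_type": "Public", "port": 443},
    # Benign noise from the tuning list: Outlook rendering HTML mail, svchost reaching Windows Update
    {"table": "ImageLoad", "ts": "2026-03-01T11:30:00", "device": "WS02", "user": "bob", "parent": "OUTLOOK.EXE", "file": "mshtml.dll"},
    {"table": "Network", "ts": "2026-03-01T11:31:00", "device": "WS03", "user": "SYSTEM", "parent": "svchost.exe", "ip_type": "Public", "port": 443},
]

def classify(ev):
    """AlertType the matching union branch would assign to this row, or None."""
    parent, file = ev["parent"].lower(), ev.get("file", "").lower()
    if ev["table"] == "Process" and parent in OFFICE_PARENTS and file in SCRIPT_HOSTS:
        return "MSHTML_ChildProcess"
    if ev["table"] == "ImageLoad" and parent in OFFICE_PARENTS and file in MSHTML_DLLS:
        return "MSHTML_DLLLoad"
    if ev["table"] == "Network" and parent in NET_PARENTS and ev["ip_type"] != "Private" and ev["port"] in WEB_PORTS:
        return "MSHTML_NetworkCallback"
    return None

def summarize(events):
    """Emulate `summarize AlertCount=count(), AlertTypes=make_set(AlertType) by device, user, bin(ts, 1h)`."""
    buckets = defaultdict(lambda: {"AlertCount": 0, "AlertTypes": set()})
    for ev in events:
        alert = classify(ev)
        if alert is None:
            continue
        hour = datetime.fromisoformat(ev["ts"]).replace(minute=0, second=0).isoformat()
        bucket = buckets[(ev["device"], ev["user"], hour)]
        bucket["AlertCount"] += 1
        bucket["AlertTypes"].add(alert)
    return dict(buckets)

def triage(events, min_types=2):
    """Buckets where at least `min_types` distinct branches fired; `AlertCount >= 1` alone never drops anything."""
    return {k: v for k, v in summarize(events).items() if len(v["AlertTypes"]) >= min_types}
```

Running `triage(SAMPLE_EVENTS)` keeps only the WS01 bucket, where all three branches fired within the same hour, and drops the two single-branch benign buckets.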
False Positives & Tuning
- Legitimate Office macros or add-ins that spawn scripting engines for automation tasks
- IT management tools using COM/MSHTML for rendering web-based dashboards or reports
- Developer environments testing web content rendering via MSHTML APIs
- Security scanning tools that inspect MSHTML-loaded content for analysis
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: MSHTML MkNode Method Invocation via mshta.exe
Expected signal: Sysmon Event ID 1 showing mshta.exe spawning cmd.exe; Sysmon Event ID 7 showing mshtml.dll and vbscript.dll loaded by mshta.exe; process creation events in the Windows Security log (Event ID 4688)
- Test 2: Office Document Spawning Scripting Engine via MSHTML
Expected signal: process creation events showing WINWORD.EXE as parent of cmd.exe or powershell.exe; MSHTML DLL load events in Sysmon Event ID 7 for the Office process; network events if the payload attempts a callback
- Test 3: rundll32.exe MSHTML Script Execution via ieframe.dll
Expected signal: Sysmon Event ID 1 for rundll32.exe execution; Event ID 7 showing ieframe.dll and mshtml.dll loaded by rundll32.exe; any network connections initiated by the rundll32.exe process to external hosts
- Test 4: PowerShell WebBrowser COM Object MSHTML Load
Expected signal: PowerShell process creation event; mshtml.dll loaded into the powershell.exe process space (Sysmon Event ID 7); potential network connection if the URL is replaced with a live payload URL