CVE-2026-21525 - Microsoft Windows NULL Pointer Dereference Exploitation

let timeframe = 24h;
let suspiciousProcesses = dynamic(["lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe"]);
union SecurityEvent, DeviceProcessEvents, DeviceEvents
| where TimeGenerated >= ago(timeframe)
| where ActionType in ("ProcessCreated", "ProcessCrashed", "KernelDriverLoaded") or EventID in (1001, 1000, 41)
| where (FileName in~ (suspiciousProcesses) and (ProcessCommandLine contains "null" or ProcessCommandLine contains "0x00000000"))
    or (ActionType == "ProcessCrashed" and FileName in~ (suspiciousProcesses))
    or (EventID == 1001 and (ApplicationName has_any (suspiciousProcesses)))
| extend RiskScore = case(
    ActionType == "ProcessCrashed" and FileName =~ "lsass.exe", 100,
    ActionType == "KernelDriverLoaded" and InitiatingProcessIntegrityLevel != "System", 80,
    EventID == 1001, 60,
    50)
| where RiskScore >= 50
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, ActionType, EventID, RiskScore
| sort by RiskScore desc, TimeGenerated desc

index=windows (sourcetype="WinEventLog:Application" OR sourcetype="WinEventLog:System" OR sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval timeframe=relative_time(now(), "-24h")
| where _time >= timeframe
| eval is_crash_event=if((EventCode=1001 OR EventCode=1000 OR EventCode=41), 1, 0)
| eval is_driver_event=if(EventCode=7045 OR EventCode=7040, 1, 0)
| eval is_sysmon_event=if(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND (EventCode=1 OR EventCode=6 OR EventCode=10), 1, 0)
| eval suspicious_process=if(match(lower(Message), "(lsass|svchost|csrss|winlogon|wininit)"), 1, 0)
| where (is_crash_event=1 AND suspicious_process=1) OR (is_driver_event=1) OR (is_sysmon_event=1 AND suspicious_process=1)
| eval risk_score=case(
    is_crash_event=1 AND match(lower(Message), "lsass"), 100,
    is_driver_event=1, 80,
    is_crash_event=1, 60,
    true(), 50)
| where risk_score >= 50
| table _time, host, user, EventCode, Message, risk_score
| sort - risk_score, - _time

sequence by host.name with maxspan=5m
  [process where event.action == "start" and
   process.name in~ ("lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "wininit.exe") and
   process.parent.name != null]
  [process where event.action == "end" and
   process.exit_code != 0 and
   process.name in~ ("lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "wininit.exe")]
| any where
  (winlog.event_id == 1001 and winlog.channel == "Application") or
  (winlog.event_id == 7045 and winlog.channel == "System") or
  (process.name : ("lsass.exe", "csrss.exe") and event.action == "access" and process.Ext.relative_file_creation_time <= 300)

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "EventID",
  "Message",
  QIDNAME(qid) AS event_name,
  sourceip,
  destinationip
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Windows Event Log')
  AND (
    ("EventID" IN (1001, 1000, 41) AND (LOWER("Message") ILIKE '%lsass%' OR LOWER("Message") ILIKE '%svchost%' OR LOWER("Message") ILIKE '%csrss%'))
    OR ("EventID" IN (7045, 7040) AND LOWER("Message") ILIKE '%driver%')
    OR ("EventID" = 10 AND LOWER("Message") ILIKE '%lsass%')
  )
  AND DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') > DATEADD('hour', -24, NOW())
ORDER BY devicetime DESC
LIMIT 500

_sourceCategory=windows/events OR _sourceCategory=windows/sysmon
| where _messagetime > now() - 86400000
| json auto
| where (EventID in ("1001", "1000", "41", "7045", "10"))
| where EventID matches "100[01]" and (Message matches /(?i)(lsass|svchost|csrss|winlogon|wininit)/)
   OR EventID = "7045"
   OR (EventID = "10" and Message matches /(?i)lsass/)
| eval risk_score = if(EventID = "1001" and Message matches /(?i)lsass/, 100,
    if(EventID = "7045", 80,
    if(EventID = "41", 70, 50)))
| where risk_score >= 50
| fields _messagetime, _sourceHost, EventID, Message, risk_score
| sort by risk_score desc, _messagetime desc

rule cve_2026_21525_null_ptr_deref {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2026-21525 Windows NULL pointer dereference exploitation via process crashes and driver events"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21525"

  events:
    (
      $event.metadata.event_type = "PROCESS_UNCATEGORIZED"
      and $event.principal.process.file.full_path = /(?i)(lsass|svchost|csrss|winlogon|wininit)\.exe$/
      and $event.principal.process.pid != null
    ) or (
      $event.metadata.product_event_type = "7045"
      and $event.principal.hostname != ""
    ) or (
      $event.metadata.product_event_type = "1001"
      and $event.about.labels.key = "FaultingApplicationName"
      and $event.about.labels.value = /(?i)(lsass|svchost|csrss)/
    )

  condition:
    $event
}

#repo=base_activities #view=raw
| EventType=ProcessRollup2
| FileName in ("lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "wininit.exe")
| join type=inner (
    #repo=base_activities
    | EventType=SyntheticProcessRollup2
    | ExitCode != 0
    | ExitCode != null
  ) [FileName, aid] by FileName, aid
| union (
    #repo=base_activities
    | EventType=DriverLoaded
    | NOT (DriverCompanyName in ("Microsoft Corporation", "Microsoft Windows"))
    | table aid, ComputerName, DriverFileName, DriverCompanyName, ImageLoadAddress
  )
| eval risk = case(
    ExitCode != 0 and FileName == "lsass.exe", 100,
    ExitCode != 0, 70,
    EventType == "DriverLoaded", 80,
    true, 50)
| where risk >= 50
| table _time, aid, ComputerName, FileName, ExitCode, DriverFileName, DriverCompanyName, risk
| sort -risk -_time