CVE-2026-21525 Google Chronicle · YARA-L

Detect CVE-2026-21525 - Microsoft Windows NULL Pointer Dereference Exploitation in Google Chronicle

Detects exploitation attempts and post-exploitation activity related to CVE-2026-21525, a NULL pointer dereference vulnerability in Microsoft Windows. This vulnerability is actively exploited in the wild (CISA KEV) and may allow attackers to achieve privilege escalation or code execution via memory corruption techniques targeting Windows kernel or user-mode components.

MITRE ATT&CK

Tactic
Privilege Escalation Defense Evasion Execution

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule cve_2026_21525_null_ptr_deref {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2026-21525 Windows NULL pointer dereference exploitation via process crashes and driver events"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21525"

  events:
    (
      $event.metadata.event_type = "PROCESS_UNCATEGORIZED"
      and $event.principal.process.file.full_path = /(?i)(lsass|svchost|csrss|winlogon|wininit)\.exe$/
      and $event.principal.process.pid != null
    ) or (
      $event.metadata.product_event_type = "7045"
      and $event.principal.hostname != ""
    ) or (
      $event.metadata.product_event_type = "1001"
      and $event.about.labels.key = "FaultingApplicationName"
      and $event.about.labels.value = /(?i)(lsass|svchost|csrss)/
    )

  condition:
    $event
}
high severity medium confidence

Chronicle YARA-L rule detecting NULL pointer dereference exploitation indicators targeting Windows system processes, including crash events for high-value processes and suspicious kernel driver installations.

Data Sources

Windows Event LogsGoogle Chronicle UDM

Required Tables

UDM Events

False Positives & Tuning

  • Legitimate crashes of Windows system processes due to hardware memory issues
  • Windows Feature Updates installing new kernel-mode drivers
  • Third-party security software injecting into system processes for monitoring

Other platforms for CVE-2026-21525

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Windows Process Crash via WER Trigger

    Expected signal: EventID 1001 in Windows Application Event Log with FaultingApplicationName=CrashTest.exe and ExceptionCode=C0000005; Sysmon EventID 1 for process creation; EDR process termination event with non-zero exit code

  2. Test 2Load Unsigned Test Driver to Simulate Kernel Exploitation Activity

    Expected signal: EventID 7045 in Windows System Event Log with ServiceName=CVE202621525TestDriver and ServiceType=kernel mode driver; Sysmon EventID 12/13 for registry modifications under HKLM\SYSTEM\CurrentControlSet\Services

  3. Test 3LSASS Access Simulation via ProcDump

    Expected signal: Sysmon EventID 10 (ProcessAccess) with TargetImage=lsass.exe and GrantedAccess including 0x1FFFFF or 0x1010; Windows Defender EventID 1121 if credential protection rules are enabled; EDR LSASS access alert

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-21525 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0005Defense EvasionTA0002Execution

Related Techniques

T1068Exploitation for Privilege EscalationT1203Exploitation for Client ExecutionT1055Process Injection

Same Tactic: Privilege Escalation

Popular Detections