CVE-2026-21525 Elastic Security · Elastic

Detect CVE-2026-21525 - Microsoft Windows NULL Pointer Dereference Exploitation in Elastic Security

Detects exploitation attempts and post-exploitation activity related to CVE-2026-21525, a NULL pointer dereference vulnerability in Microsoft Windows. This vulnerability is actively exploited in the wild (CISA KEV) and may allow attackers to achieve privilege escalation or code execution via memory corruption techniques targeting Windows kernel or user-mode components.

MITRE ATT&CK

Tactic
Privilege Escalation Defense Evasion Execution

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
  [process where event.action == "start" and
   process.name in~ ("lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "wininit.exe") and
   process.parent.name != null]
  [process where event.action == "end" and
   process.exit_code != 0 and
   process.name in~ ("lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "wininit.exe")]
| any where
  (winlog.event_id == 1001 and winlog.channel == "Application") or
  (winlog.event_id == 7045 and winlog.channel == "System") or
  (process.name : ("lsass.exe", "csrss.exe") and event.action == "access" and process.Ext.relative_file_creation_time <= 300)
high severity medium confidence

EQL sequence detection correlating Windows system process starts with abnormal exits and subsequent error reporting or driver installation events, indicating potential NULL pointer dereference exploitation attempts.

Data Sources

Windows Event LogsElastic Endpoint Security

Required Tables

logs-endpoint.events.process-*logs-windows.winlog-*

False Positives & Tuning

  • System processes that exit with non-zero codes during normal Windows shutdown or restart sequences
  • Legitimate driver installations paired with system service restarts
  • Endpoint security software that accesses LSASS for credential protection features

Other platforms for CVE-2026-21525

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Windows Process Crash via WER Trigger

    Expected signal: EventID 1001 in Windows Application Event Log with FaultingApplicationName=CrashTest.exe and ExceptionCode=C0000005; Sysmon EventID 1 for process creation; EDR process termination event with non-zero exit code

  2. Test 2Load Unsigned Test Driver to Simulate Kernel Exploitation Activity

    Expected signal: EventID 7045 in Windows System Event Log with ServiceName=CVE202621525TestDriver and ServiceType=kernel mode driver; Sysmon EventID 12/13 for registry modifications under HKLM\SYSTEM\CurrentControlSet\Services

  3. Test 3LSASS Access Simulation via ProcDump

    Expected signal: Sysmon EventID 10 (ProcessAccess) with TargetImage=lsass.exe and GrantedAccess including 0x1FFFFF or 0x1010; Windows Defender EventID 1121 if credential protection rules are enabled; EDR LSASS access alert

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-21525 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0005Defense EvasionTA0002Execution

Related Techniques

T1068Exploitation for Privilege EscalationT1203Exploitation for Client ExecutionT1055Process Injection

Same Tactic: Privilege Escalation

Popular Detections