CVE-2026-21525 CrowdStrike LogScale · LogScale

Detect CVE-2026-21525 - Microsoft Windows NULL Pointer Dereference Exploitation in CrowdStrike LogScale

Detects exploitation attempts and post-exploitation activity related to CVE-2026-21525, a NULL pointer dereference vulnerability in Microsoft Windows. This vulnerability is actively exploited in the wild (CISA KEV) and may allow attackers to achieve privilege escalation or code execution via memory corruption techniques targeting Windows kernel or user-mode components.

MITRE ATT&CK

Tactic
Privilege Escalation Defense Evasion Execution

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#repo=base_activities #view=raw
| EventType=ProcessRollup2
| FileName in ("lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "wininit.exe")
| join type=inner (
    #repo=base_activities
    | EventType=SyntheticProcessRollup2
    | ExitCode != 0
    | ExitCode != null
  ) [FileName, aid] by FileName, aid
| union (
    #repo=base_activities
    | EventType=DriverLoaded
    | NOT (DriverCompanyName in ("Microsoft Corporation", "Microsoft Windows"))
    | table aid, ComputerName, DriverFileName, DriverCompanyName, ImageLoadAddress
  )
| eval risk = case(
    ExitCode != 0 and FileName == "lsass.exe", 100,
    ExitCode != 0, 70,
    EventType == "DriverLoaded", 80,
    true, 50)
| where risk >= 50
| table _time, aid, ComputerName, FileName, ExitCode, DriverFileName, DriverCompanyName, risk
| sort -risk -_time
high severity medium confidence

CrowdStrike Falcon CQL detection identifying NULL pointer dereference exploitation via abnormal exits of critical Windows processes and unsigned or third-party driver load events that may indicate kernel-level exploitation.

Data Sources

CrowdStrike Falcon SensorCrowdStrike Process Events

Required Tables

base_activities

False Positives & Tuning

  • Third-party kernel drivers from legitimate security vendors that are not Microsoft-signed
  • System process exits during planned maintenance windows or reboots
  • Development systems where experimental or unsigned drivers are routinely tested

Other platforms for CVE-2026-21525

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Windows Process Crash via WER Trigger

    Expected signal: EventID 1001 in Windows Application Event Log with FaultingApplicationName=CrashTest.exe and ExceptionCode=C0000005; Sysmon EventID 1 for process creation; EDR process termination event with non-zero exit code

  2. Test 2Load Unsigned Test Driver to Simulate Kernel Exploitation Activity

    Expected signal: EventID 7045 in Windows System Event Log with ServiceName=CVE202621525TestDriver and ServiceType=kernel mode driver; Sysmon EventID 12/13 for registry modifications under HKLM\SYSTEM\CurrentControlSet\Services

  3. Test 3LSASS Access Simulation via ProcDump

    Expected signal: Sysmon EventID 10 (ProcessAccess) with TargetImage=lsass.exe and GrantedAccess including 0x1FFFFF or 0x1010; Windows Defender EventID 1121 if credential protection rules are enabled; EDR LSASS access alert

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-21525 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0005Defense EvasionTA0002Execution

Related Techniques

T1068Exploitation for Privilege EscalationT1203Exploitation for Client ExecutionT1055Process Injection

Same Tactic: Privilege Escalation

Popular Detections