CVE-2026-21525 IBM QRadar · QRadar

Detect CVE-2026-21525 - Microsoft Windows NULL Pointer Dereference Exploitation in IBM QRadar

Detects exploitation attempts and post-exploitation activity related to CVE-2026-21525, a NULL pointer dereference vulnerability in Microsoft Windows. This vulnerability is actively exploited in the wild (CISA KEV) and may allow attackers to achieve privilege escalation or code execution via memory corruption techniques targeting Windows kernel or user-mode components.

MITRE ATT&CK

Tactic
Privilege Escalation Defense Evasion Execution

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "EventID",
  "Message",
  QIDNAME(qid) AS event_name,
  sourceip,
  destinationip
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Windows Event Log')
  AND (
    ("EventID" IN (1001, 1000, 41) AND (LOWER("Message") ILIKE '%lsass%' OR LOWER("Message") ILIKE '%svchost%' OR LOWER("Message") ILIKE '%csrss%'))
    OR ("EventID" IN (7045, 7040) AND LOWER("Message") ILIKE '%driver%')
    OR ("EventID" = 10 AND LOWER("Message") ILIKE '%lsass%')
  )
  AND DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') > DATEADD('hour', -24, NOW())
ORDER BY devicetime DESC
LIMIT 500
high severity medium confidence

QRadar AQL query identifying Windows NULL pointer dereference exploitation indicators including process crash events, unexpected driver installations, and suspicious LSASS access patterns across Windows event log sources.

Data Sources

Windows Security Event LogWindows Application Event LogWindows System Event Log

Required Tables

events

False Positives & Tuning

  • High-volume environments may produce many EventID 1001 entries from unrelated application crashes
  • Routine Windows driver updates generating EventID 7045 entries
  • Security software agents that legitimately access LSASS memory

Other platforms for CVE-2026-21525

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Windows Process Crash via WER Trigger

    Expected signal: EventID 1001 in Windows Application Event Log with FaultingApplicationName=CrashTest.exe and ExceptionCode=C0000005; Sysmon EventID 1 for process creation; EDR process termination event with non-zero exit code

  2. Test 2Load Unsigned Test Driver to Simulate Kernel Exploitation Activity

    Expected signal: EventID 7045 in Windows System Event Log with ServiceName=CVE202621525TestDriver and ServiceType=kernel mode driver; Sysmon EventID 12/13 for registry modifications under HKLM\SYSTEM\CurrentControlSet\Services

  3. Test 3LSASS Access Simulation via ProcDump

    Expected signal: Sysmon EventID 10 (ProcessAccess) with TargetImage=lsass.exe and GrantedAccess including 0x1FFFFF or 0x1010; Windows Defender EventID 1121 if credential protection rules are enabled; EDR LSASS access alert

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-21525 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0005Defense EvasionTA0002Execution

Related Techniques

T1068Exploitation for Privilege EscalationT1203Exploitation for Client ExecutionT1055Process Injection

Same Tactic: Privilege Escalation

Popular Detections