Detect CVE-2026-21525 - Microsoft Windows NULL Pointer Dereference Exploitation in Microsoft Sentinel
Detects exploitation attempts and post-exploitation activity related to CVE-2026-21525, a NULL pointer dereference vulnerability in Microsoft Windows. This vulnerability is actively exploited in the wild (CISA KEV) and may allow attackers to achieve privilege escalation or code execution via memory corruption techniques targeting Windows kernel or user-mode components.
MITRE ATT&CK
KQL Detection Query
let timeframe = 24h;
let suspiciousProcesses = dynamic(["lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe"]);
union SecurityEvent, DeviceProcessEvents, DeviceEvents
| where TimeGenerated >= ago(timeframe)
| where ActionType in ("ProcessCreated", "ProcessCrashed", "KernelDriverLoaded") or EventID in (1001, 1000, 41)
| where (FileName in~ (suspiciousProcesses) and (ProcessCommandLine contains "null" or ProcessCommandLine contains "0x00000000"))
or (ActionType == "ProcessCrashed" and FileName in~ (suspiciousProcesses))
or (EventID == 1001 and (ApplicationName has_any (suspiciousProcesses)))
| extend RiskScore = case(
ActionType == "ProcessCrashed" and FileName =~ "lsass.exe", 100,
ActionType == "KernelDriverLoaded" and InitiatingProcessIntegrityLevel != "System", 80,
EventID == 1001, 60,
50)
| where RiskScore >= 50
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, ActionType, EventID, RiskScore
| sort by RiskScore desc, TimeGenerated descDetects process crashes, kernel driver loads, and Windows Error Reporting events consistent with NULL pointer dereference exploitation targeting Windows system processes. Focuses on LSASS, SVCHOST and other high-value processes crashing or loading unexpected drivers.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate application crashes due to software bugs unrelated to exploitation
- Antivirus or EDR products performing kernel-level inspection that may trigger driver load events
- System updates or patches that temporarily cause process instability
- Memory dumps or diagnostic tools running during incident response activities
Other platforms for CVE-2026-21525
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Windows Process Crash via WER Trigger
Expected signal: EventID 1001 in Windows Application Event Log with FaultingApplicationName=CrashTest.exe and ExceptionCode=C0000005; Sysmon EventID 1 for process creation; EDR process termination event with non-zero exit code
- Test 2Load Unsigned Test Driver to Simulate Kernel Exploitation Activity
Expected signal: EventID 7045 in Windows System Event Log with ServiceName=CVE202621525TestDriver and ServiceType=kernel mode driver; Sysmon EventID 12/13 for registry modifications under HKLM\SYSTEM\CurrentControlSet\Services
- Test 3LSASS Access Simulation via ProcDump
Expected signal: Sysmon EventID 10 (ProcessAccess) with TargetImage=lsass.exe and GrantedAccess including 0x1FFFFF or 0x1010; Windows Defender EventID 1121 if credential protection rules are enabled; EDR LSASS access alert
Unlock Pro Content
Get the full detection package for CVE-2026-21525 including response playbook, investigation guide, and atomic red team tests.