Detect CVE-2026-21525 - Microsoft Windows NULL Pointer Dereference Exploitation in Splunk
Detects exploitation attempts and post-exploitation activity related to CVE-2026-21525, a NULL pointer dereference vulnerability in Microsoft Windows. This vulnerability is actively exploited in the wild (CISA KEV) and may allow attackers to achieve privilege escalation or code execution via memory corruption techniques targeting Windows kernel or user-mode components.
MITRE ATT&CK
SPL Detection Query
index=windows (sourcetype="WinEventLog:Application" OR sourcetype="WinEventLog:System" OR sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval timeframe=relative_time(now(), "-24h")
| where _time >= timeframe
| eval is_crash_event=if((EventCode=1001 OR EventCode=1000 OR EventCode=41), 1, 0)
| eval is_driver_event=if(EventCode=7045 OR EventCode=7040, 1, 0)
| eval is_sysmon_event=if(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND (EventCode=1 OR EventCode=6 OR EventCode=10), 1, 0)
| eval suspicious_process=if(match(lower(Message), "(lsass|svchost|csrss|winlogon|wininit)"), 1, 0)
| where (is_crash_event=1 AND suspicious_process=1) OR (is_driver_event=1) OR (is_sysmon_event=1 AND suspicious_process=1)
| eval risk_score=case(
is_crash_event=1 AND match(lower(Message), "lsass"), 100,
is_driver_event=1, 80,
is_crash_event=1, 60,
true(), 50)
| where risk_score >= 50
| table _time, host, user, EventCode, Message, risk_score
| sort - risk_score, - _time
Detects NULL pointer dereference exploitation indicators in Windows environments via application crashes, unexpected driver loads, and Sysmon process injection events targeting critical Windows processes.
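To see exactly which events the query keeps and how the case() branches score them, here is the same filter and scoring logic re-implemented in Python over constructed sample events (an added example, not part of the original detection package; the host names, messages and the fixed NOW timestamp are assumptions):

```python
import re
from datetime import datetime, timedelta

# Names used by the SPL query above; NOW is fixed so the example is deterministic.
SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
CRITICAL = re.compile(r"(lsass|svchost|csrss|winlogon|wininit)")
NOW = datetime(2026, 3, 1, 12, 0, 0)

# Constructed sample events (not real telemetry) carrying the fields the query reads.
SAMPLE_EVENTS = [
    {"_time": NOW - timedelta(minutes=5), "host": "ws01", "sourcetype": "WinEventLog:Application",
     "EventCode": 1000, "Message": "Faulting application name: lsass.exe, exception code 0xc0000005"},
    {"_time": NOW - timedelta(hours=1), "host": "srv02", "sourcetype": "WinEventLog:System",
     "EventCode": 7045, "Message": "A service was installed. Service Name: TestDrv Service Type: kernel mode driver"},
    {"_time": NOW - timedelta(hours=2), "host": "ws01", "sourcetype": SYSMON,
     "EventCode": 10, "Message": "Process accessed: TargetImage: C:\\Windows\\System32\\lsass.exe GrantedAccess: 0x1FFFFF"},
    {"_time": NOW - timedelta(hours=3), "host": "ws03", "sourcetype": "WinEventLog:Application",
     "EventCode": 1001, "Message": "Faulting application name: svchost.exe"},
    {"_time": NOW - timedelta(hours=4), "host": "ws03", "sourcetype": "WinEventLog:Application",
     "EventCode": 1000, "Message": "Faulting application name: notepad.exe"},
    {"_time": NOW - timedelta(hours=30), "host": "ws04", "sourcetype": "WinEventLog:Application",
     "EventCode": 1000, "Message": "Faulting application name: lsass.exe"},
]

def score_event(ev, now=NOW):
    """Return the risk_score the SPL query assigns, or None if a where clause drops the event."""
    if ev["_time"] < now - timedelta(hours=24):  # where _time >= relative_time(now(), "-24h")
        return None
    code, msg = ev["EventCode"], ev["Message"].lower()
    is_crash = code in (1001, 1000, 41)
    is_driver = code in (7045, 7040)
    is_sysmon = ev["sourcetype"] == SYSMON and code in (1, 6, 10)
    suspicious = CRITICAL.search(msg) is not None
    # Any 7045/7040 passes regardless of process, which is why legitimate driver installs
    # appear in the false-positive list above.
    if not ((is_crash and suspicious) or is_driver or (is_sysmon and suspicious)):
        return None
    if is_crash and "lsass" in msg:  # case() branches: first match wins
        return 100
    if is_driver:
        return 80
    if is_crash:
        return 60
    return 50

def triage(events, now=NOW):
    """Rows the query would emit: scored events sorted by risk_score desc, then newest first."""
    rows = [(ev, score_event(ev, now)) for ev in events]
    return sorted(((ev, s) for ev, s in rows if s is not None),
                  key=lambda r: (-r[1], -r[0]["_time"].timestamp()))
```

The notepad.exe crash and the 30-hour-old lsass.exe crash are dropped; the remaining four rows come out in the order 100, 80, 60, 50.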
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate software crashes in production environments with high application instability
- Security tools performing kernel hooking for legitimate endpoint protection purposes
- Third-party drivers installed during software deployment or updates
- Crash dumps generated by development or QA testing processes
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Windows Process Crash via WER Trigger
Expected signal: EventID 1001 in Windows Application Event Log with FaultingApplicationName=CrashTest.exe and ExceptionCode=C0000005; Sysmon EventID 1 for process creation; EDR process termination event with non-zero exit code
- Test 2: Load Unsigned Test Driver to Simulate Kernel Exploitation Activity
Expected signal: EventID 7045 in Windows System Event Log with ServiceName=CVE202621525TestDriver and ServiceType=kernel mode driver; Sysmon EventID 12/13 for registry modifications under HKLM\SYSTEM\CurrentControlSet\Services
- Test 3: LSASS Access Simulation via ProcDump
Expected signal: Sysmon EventID 10 (ProcessAccess) with TargetImage=lsass.exe and GrantedAccess including 0x1FFFFF or 0x1010; Windows Defender EventID 1121 if credential protection rules are enabled; EDR LSASS access alert