Microsoft Windows Improper Privilege Management (CVE-2026-21533)
Detects exploitation of CVE-2026-21533, a Microsoft Windows Improper Privilege Management vulnerability (CWE-269) listed in CISA's Known Exploited Vulnerabilities catalog. Successful exploitation allows a local attacker to elevate privileges on a compromised Windows system. Detection focuses on anomalous privilege token manipulation, unexpected service/process privilege escalation, and suspicious access patterns consistent with local privilege escalation techniques.
Vulnerability Intelligence
KEV: Known Exploited
Affected Software
- Vendor
- Microsoft
- Product
- Windows
Weakness (CWE)
- CWE-269 (Improper Privilege Management)
Timeline
- Disclosed
- February 10, 2026
What is CVE-2026-21533 Microsoft Windows Improper Privilege Management (CVE-2026-21533)?
Microsoft Windows Improper Privilege Management (CVE-2026-21533) maps to the Privilege Escalation and Persistence tactics in MITRE ATT&CK: the adversary is trying to gain higher-level permissions.
This page provides production-ready detection logic for Microsoft Windows Improper Privilege Management (CVE-2026-21533), covering the data sources and telemetry it touches: Microsoft Sentinel, Microsoft Defender for Endpoint, Windows Security Event Log. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Privilege Escalation, Persistence
let suspiciousPrivilegeEscalation = SecurityEvent
| where TimeGenerated > ago(24h)
// 4672 = special privileges assigned at logon; 4673/4674 = sensitive privilege use.
// 4688 carries no PrivilegeList, so it is not included here; process creation is taken from DeviceProcessEvents below.
| where EventID in (4672, 4673, 4674)
| where SubjectUserName !endswith '$'   // drop machine accounts
| where SubjectUserName != 'SYSTEM'
// SecurityEvent exposes PrivilegeList as its own column; EventData is raw XML, not JSON, so parse_json() would return nothing.
| extend PrivilegesRequested = tostring(PrivilegeList)
| where PrivilegesRequested has_any ('SeDebugPrivilege', 'SeTcbPrivilege', 'SeLoadDriverPrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeTakeOwnershipPrivilege');
let newHighPrivProcess = DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessAccountName !in ('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')
// Parent at Low/Medium integrity that spawned a High/System child.
| where InitiatingProcessIntegrityLevel in ('Low', 'Medium')
| where ProcessIntegrityLevel == 'High' or ProcessIntegrityLevel == 'System'
| project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessIntegrityLevel, ProcessIntegrityLevel;
suspiciousPrivilegeEscalation
// Host-level join only: both sides are already limited to 24h, but no time proximity between the two signals is enforced.
| join kind=inner (newHighPrivProcess) on $left.Computer == $right.DeviceName
| project TimeGenerated, Computer, SubjectUserName, PrivilegesRequested, FileName, ProcessCommandLine, InitiatingProcessIntegrityLevel, ProcessIntegrityLevel
| order by TimeGenerated desc
Correlates Windows Security Event privilege use events (4672/4673/4674) with process integrity level elevation in Defender for Endpoint, flagging non-system accounts that acquire sensitive privileges and spawn higher-integrity processes on the same host.
Data Sources
- Microsoft Sentinel
- Microsoft Defender for Endpoint
- Windows Security Event Log
Required Tables
- SecurityEvent
- DeviceProcessEvents
False Positives
- Legitimate software installers or update agents running as standard users that temporarily elevate privileges
- IT administrators using tools like PsExec or RunAs for authorized administrative tasks
- Privileged Access Workstation (PAW) activity where high-integrity processes are expected from interactive admin sessions
- Endpoint security products performing scheduled scans that enumerate privileges
Sigma rule & cross-platform mapping
The detection logic for Microsoft Windows Improper Privilege Management (CVE-2026-21533) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), and LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:
logsource:
  category: process_creation
  product: windows
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Token Impersonation via SeDebugPrivilege
Expected signal: Windows Security Event ID 4673 (SeDebugPrivilege requested) and 4688 (new process: powershell.exe) with Medium integrity initiating a SeDebugPrivilege request.
- Test 2: Process Launch at High Integrity from Medium Integrity Parent
Expected signal: Event ID 4688 showing cmd.exe launched at High integrity (MandatoryLabel S-1-16-12288) with schtasks.exe as the initiating process from a Medium-integrity user session.
- Test 3: Sensitive Privilege Enumeration via Token Inspection
Expected signal: Event ID 4688 for cmd.exe and powershell.exe, potential Event ID 4672 if running in an elevated session. Process command line arguments visible in EDR telemetry.
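To check that the expected signals from Tests 1 and 2 actually fire the correlation in the KQL query above, here is an added Python model of that logic run over constructed sample events; it is not code from the original page or the vendor. Event dicts, the "ParentIntegrity" field (standing in for InitiatingProcessIntegrityLevel) and host names are assumptions for illustration.

```python
from collections import defaultdict

SENSITIVE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
             "SeAssignPrimaryTokenPrivilege", "SeTakeOwnershipPrivilege"}
SYSTEM_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
# Mandatory-label SIDs to integrity names; S-1-16-12288 (High) is what Test 2 expects.
INTEGRITY = {"S-1-16-4096": "Low", "S-1-16-8192": "Medium",
             "S-1-16-12288": "High", "S-1-16-16384": "System"}
# Constructed sample events, not captured telemetry. "ParentIntegrity" is an assumed
# field standing in for DeviceProcessEvents.InitiatingProcessIntegrityLevel.
EVENTS = [
    {"EventID": 4673, "Computer": "WS01", "SubjectUserName": "jdoe",
     "PrivilegeList": "SeDebugPrivilege"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "jdoe",
     "ParentIntegrity": "S-1-16-8192", "MandatoryLabel": "S-1-16-12288",
     "NewProcessName": "cmd.exe", "ParentProcessName": "schtasks.exe"},
    # Machine account, excluded like SubjectUserName !endswith '$' in the KQL.
    {"EventID": 4673, "Computer": "WS02", "SubjectUserName": "WS02$",
     "PrivilegeList": "SeDebugPrivilege"},
    # Parent already High: no integrity change, so not an elevation signal.
    {"EventID": 4688, "Computer": "WS03", "SubjectUserName": "admin",
     "ParentIntegrity": "S-1-16-12288", "MandatoryLabel": "S-1-16-12288",
     "NewProcessName": "cmd.exe", "ParentProcessName": "explorer.exe"},
]

def sensitive_privilege_use(ev):
    """4672/4673/4674 from a non-system user account naming a sensitive privilege."""
    user = ev.get("SubjectUserName", "")
    if ev["EventID"] not in (4672, 4673, 4674) or user.endswith("$") or user in SYSTEM_ACCOUNTS:
        return False
    return bool(SENSITIVE & set(ev.get("PrivilegeList", "").split()))  # list is whitespace separated

def integrity_elevation(ev):
    """4688 where a Low/Medium parent spawned a High/System child."""
    if ev["EventID"] != 4688 or ev.get("SubjectUserName") in SYSTEM_ACCOUNTS:
        return False
    parent = INTEGRITY.get(ev.get("ParentIntegrity"), "")
    child = INTEGRITY.get(ev.get("MandatoryLabel"), "")
    return parent in ("Low", "Medium") and child in ("High", "System")

def correlate(events):
    """Join both signals on Computer, as the KQL inner join does; returns alert tuples."""
    priv, elev = defaultdict(list), defaultdict(list)
    for ev in events:
        if sensitive_privilege_use(ev):
            priv[ev["Computer"]].append(ev)
        elif integrity_elevation(ev):
            elev[ev["Computer"]].append(ev)
    return [(host, p["SubjectUserName"], p["PrivilegeList"], e["NewProcessName"])
            for host in priv for p in priv[host] for e in elev.get(host, [])]
```

Only WS01 produces an alert: the machine-account privilege use on WS02 and the already-elevated parent on WS03 are filtered out, matching the false-positive exclusions listed above.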