CVE-2026-21533 Google Chronicle · YARA-L

Detect Microsoft Windows Improper Privilege Management (CVE-2026-21533) in Google Chronicle

Detects exploitation of CVE-2026-21533, a Microsoft Windows Improper Privilege Management vulnerability (CWE-269) listed in CISA's Known Exploited Vulnerabilities catalog. Successful exploitation allows a local attacker to elevate privileges on a compromised Windows system. Detection focuses on anomalous privilege token manipulation, unexpected service/process privilege escalation, and suspicious access patterns consistent with local privilege escalation techniques.

MITRE ATT&CK

Tactic: Privilege Escalation, Persistence

YARA-L Detection Query

Google Chronicle (YARA-L)
rule CVE_2026_21533_Windows_Privilege_Escalation {
  meta:
    author = "df00tech"
    description = "Detects exploitation of CVE-2026-21533 Windows Improper Privilege Management via sensitive privilege acquisition by non-system accounts"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21533"

  events:
    $e1.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e1.metadata.product_name = "Microsoft-Windows-Security-Auditing"
    $e1.target.resource.attribute.labels["EventID"] = /^(4672|4673|4674)$/
    NOT re.regex($e1.principal.user.userid, `.*\$$`)
    NOT $e1.principal.user.userid = "SYSTEM"
    (
      $e1.target.resource.attribute.labels["PrivilegeList"] = /SeDebugPrivilege/ or
      $e1.target.resource.attribute.labels["PrivilegeList"] = /SeTcbPrivilege/ or
      $e1.target.resource.attribute.labels["PrivilegeList"] = /SeLoadDriverPrivilege/ or
      $e1.target.resource.attribute.labels["PrivilegeList"] = /SeAssignPrimaryTokenPrivilege/ or
      $e1.target.resource.attribute.labels["PrivilegeList"] = /SeTakeOwnershipPrivilege/
    )
    $e1.principal.hostname = $hostname
    $e1.principal.user.userid = $user

    $e2.metadata.event_type = "PROCESS_LAUNCH"
    $e2.principal.hostname = $hostname
    $e2.principal.user.userid = $user
    $e2.target.process.token.integrity_level >= 3

  match:
    $hostname, $user over 5m

  condition:
    #e1 >= 2 and $e2
}
Severity: high · Confidence: medium

Chronicle YARA-L rule correlating Windows sensitive privilege use events with high-integrity process launches for the same user on the same host within a 5-minute window.

Data Sources

  • Google Chronicle
  • Google Security Operations
  • Windows Security Event Log

Required Tables

UDM Events

False Positives & Tuning

  • Legitimate administrative tooling (e.g., Sysinternals PsTools) used by IT staff under authorized change requests
  • Security tooling such as SentinelOne or CrowdStrike requiring high-integrity processes with debug privileges
  • Scheduled task execution under elevated service accounts during business hours
  • Software packaging and repackaging workflows that require privilege elevation to capture installation state

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Token Impersonation via SeDebugPrivilege

    Expected signal: Windows Security Event ID 4673 (SeDebugPrivilege requested) and 4688 (new process: powershell.exe) with Medium integrity initiating a SeDebugPrivilege request.

  2. Test 2: Process Launch at High Integrity from Medium Integrity Parent

    Expected signal: Event ID 4688 showing cmd.exe launched at High integrity (MandatoryLabel S-1-16-12288) with schtasks.exe as the initiating process from a Medium-integrity user session.

  3. Test 3: Sensitive Privilege Enumeration via Token Inspection

    Expected signal: Event ID 4688 for cmd.exe and powershell.exe, potential Event ID 4672 if running in an elevated session. Process command line arguments visible in EDR telemetry.
