CVE-2026-21533 IBM QRadar · QRadar

Detect Microsoft Windows Improper Privilege Management (CVE-2026-21533) in IBM QRadar

Detects exploitation of CVE-2026-21533, a Microsoft Windows Improper Privilege Management vulnerability (CWE-269) listed in CISA's Known Exploited Vulnerabilities catalog. Successful exploitation allows a local attacker to elevate privileges on a compromised Windows system. Detection focuses on anomalous privilege token manipulation, unexpected service/process privilege escalation, and suspicious access patterns consistent with local privilege escalation techniques.

MITRE ATT&CK

Tactic
Privilege Escalation Persistence

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') as EventTime,
  username,
  sourceip,
  hostname,
  QIDNAME(qid) as EventName,
  "Privilege List" as PrivilegesUsed,
  "Process Name" as ProcessName
FROM events
WHERE
  logsourcetypename(devicetype) ILIKE '%Windows%'
  AND QIDNAME(qid) ILIKE '%Special Logon%'
  OR QIDNAME(qid) ILIKE '%Sensitive Privilege Use%'
  AND username NOT ILIKE '%$'
  AND username NOT IN ('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')
  AND ("Privilege List" ILIKE '%SeDebugPrivilege%'
    OR "Privilege List" ILIKE '%SeTcbPrivilege%'
    OR "Privilege List" ILIKE '%SeLoadDriverPrivilege%'
    OR "Privilege List" ILIKE '%SeAssignPrimaryTokenPrivilege%'
    OR "Privilege List" ILIKE '%SeTakeOwnershipPrivilege%')
GROUP BY username, hostname, sourceip
HAVING COUNT(*) > 2
ORDER BY EventTime DESC
LAST 24 HOURS
high severity medium confidence

QRadar AQL query identifying non-system accounts using sensitive Windows privileges (indicative of privilege escalation) by correlating special logon and sensitive privilege use events across Windows log sources.

Data Sources

IBM QRadarWindows Security Event Log

Required Tables

events

False Positives & Tuning

  • Privileged users such as domain administrators legitimately using debug or driver-load privileges
  • Endpoint security software requiring SeDebugPrivilege for process inspection during scans
  • Authorized penetration testing activity within defined maintenance windows
  • Service desk tools that impersonate users with elevated tokens for remote support

Other platforms for CVE-2026-21533

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Token Impersonation via SeDebugPrivilege

    Expected signal: Windows Security Event ID 4673 (SeDebugPrivilege requested) and 4688 (new process: powershell.exe) with Medium integrity initiating a SeDebugPrivilege request.

  2. Test 2Process Launch at High Integrity from Medium Integrity Parent

    Expected signal: Event ID 4688 showing cmd.exe launched at High integrity (MandatoryLabel S-1-16-12288) with schtasks.exe as the initiating process from a Medium-integrity user session.

  3. Test 3Sensitive Privilege Enumeration via Token Inspection

    Expected signal: Event ID 4688 for cmd.exe and powershell.exe, potential Event ID 4672 if running in an elevated session. Process command line arguments visible in EDR telemetry.

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-21533 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0003Persistence

Related Techniques

T1068Exploitation for Privilege EscalationT1134Access Token ManipulationT1548.002Bypass User Account Control

Same Tactic: Privilege Escalation

Popular Detections