Detect Microsoft Windows Improper Privilege Management (CVE-2026-21533) in Splunk
Detects exploitation of CVE-2026-21533, a Microsoft Windows Improper Privilege Management vulnerability (CWE-269) listed in CISA's Known Exploited Vulnerabilities catalog. Successful exploitation allows a local attacker to elevate privileges on a compromised Windows system. Detection focuses on anomalous privilege token manipulation, unexpected service/process privilege escalation, and suspicious access patterns consistent with local privilege escalation techniques.
MITRE ATT&CK
- Tactic: Privilege Escalation, Persistence
SPL Detection Query
index=wineventlog sourcetype=WinEventLog:Security (EventCode=4672 OR EventCode=4673 OR EventCode=4674)
| where NOT match(SubjectUserName, "\$$")
| where SubjectUserName!="SYSTEM"
| where match(PrivilegeList, "SeDebugPrivilege|SeTcbPrivilege|SeLoadDriverPrivilege|SeAssignPrimaryTokenPrivilege|SeTakeOwnershipPrivilege")
| eval hour=strftime(_time, "%Y-%m-%dT%H:00:00")
| stats count as PrivEscEvents, values(PrivilegeList) as PrivilegesUsed, values(ProcessName) as Processes by SubjectUserName, ComputerName, hour
| where PrivEscEvents > 1
| join type=inner ComputerName, SubjectUserName [
    search index=wineventlog sourcetype=WinEventLog:Security EventCode=4688
    | where NOT match(SubjectUserName, "\$$")
    | where MandatoryLabel="S-1-16-12288" OR MandatoryLabel="S-1-16-16384"
    | stats count as HighIntegritySpawns by ComputerName, SubjectUserName
]
| table hour, ComputerName, SubjectUserName, PrivEscEvents, PrivilegesUsed, Processes, HighIntegritySpawns
| sort - PrivEscEvents

Identifies non-system accounts (machine accounts ending in "$" and SYSTEM are excluded) that request or use sensitive Windows privileges more than once within an hour, then correlates those accounts with High- or System-integrity process creation (Event ID 4688, MandatoryLabel S-1-16-12288 or S-1-16-16384) by the same user on the same host. The outer search only needs the privilege-use events (4672, 4673, 4674) because 4688 events carry no PrivilegeList field; the join is inner and keyed on both ComputerName and SubjectUserName so that a high-integrity process started by a different user on the same host does not satisfy the correlation. The combination is indicative of local privilege escalation exploitation.
Data Sources
Required Sourcetypes
- WinEventLog:Security in index=wineventlog (Windows Security event log, Event IDs 4672, 4673, 4674 and 4688; 4688 must be configured to include the MandatoryLabel field)
False Positives & Tuning
- Authorized administrative scripts or Group Policy processing that temporarily elevates privileges
- Software deployment tools (SCCM, Intune) running privileged operations on behalf of standard users
- Vulnerability scanning tools that enumerate system privileges during scheduled scans
- Service accounts configured with elevated rights for legitimate application functionality
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Token Impersonation via SeDebugPrivilege
Expected signal: Windows Security Event ID 4673 (SeDebugPrivilege requested) and 4688 (new process: powershell.exe) with Medium integrity initiating a SeDebugPrivilege request.
- Test 2: Process Launch at High Integrity from Medium Integrity Parent
Expected signal: Event ID 4688 showing cmd.exe launched at High integrity (MandatoryLabel S-1-16-12288) with schtasks.exe as the initiating process from a Medium-integrity user session.
- Test 3: Sensitive Privilege Enumeration via Token Inspection
Expected signal: Event ID 4688 for cmd.exe and powershell.exe, potential Event ID 4672 if running in an elevated session. Process command line arguments visible in EDR telemetry.
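The following Python script is an added example, not code from the original page or from the detection's author: it re-implements the correlation performed by the SPL query above (sensitive-privilege events per non-system user, host and hour, thresholded at more than one event, joined with High- or System-integrity 4688 process creations by the same user on the same host) so the logic can be checked offline before deployment. The event records are constructed to resemble the telemetry Tests 1 and 2 describe (a Medium-integrity PowerShell session requesting SeDebugPrivilege, then cmd.exe at High integrity), plus a machine account, a single-event user and a user with no high-integrity spawn, to show which rows the filters and the join drop. Field names follow the Splunk Windows TA extractions used in the query; the sample values are invented.

```python
"""Offline re-implementation of the SPL correlation (added example, not the page's
own code). Sample events are constructed, not captured from a real host."""
from collections import defaultdict
from datetime import datetime

SENSITIVE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
             "SeAssignPrimaryTokenPrivilege", "SeTakeOwnershipPrivilege"}
HIGH_INTEGRITY = {"S-1-16-12288", "S-1-16-16384"}  # High and System mandatory labels

# Constructed sample telemetry, shaped like Splunk field extractions of Security events.
SAMPLE_EVENTS = [
    # alice: two SeDebugPrivilege requests from PowerShell, then cmd.exe at High integrity (Tests 1 and 2)
    {"_time": "2026-02-03T10:05:12", "EventCode": 4673, "ComputerName": "WS01", "SubjectUserName": "alice",
     "PrivilegeList": "SeDebugPrivilege", "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"_time": "2026-02-03T10:07:40", "EventCode": 4673, "ComputerName": "WS01", "SubjectUserName": "alice",
     "PrivilegeList": "SeDebugPrivilege", "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"_time": "2026-02-03T10:08:01", "EventCode": 4688, "ComputerName": "WS01", "SubjectUserName": "alice",
     "MandatoryLabel": "S-1-16-12288", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    # machine account: excluded by the trailing-"$" filter even though it holds sensitive privileges
    {"_time": "2026-02-03T10:09:00", "EventCode": 4672, "ComputerName": "WS01", "SubjectUserName": "WS01$",
     "PrivilegeList": "SeTcbPrivilege\nSeDebugPrivilege", "ProcessName": "-"},
    # bob: a single sensitive event, below the PrivEscEvents > 1 threshold
    {"_time": "2026-02-03T11:00:00", "EventCode": 4673, "ComputerName": "WS02", "SubjectUserName": "bob",
     "PrivilegeList": "SeDebugPrivilege", "ProcessName": r"C:\tools\procdump.exe"},
    {"_time": "2026-02-03T11:01:00", "EventCode": 4688, "ComputerName": "WS02", "SubjectUserName": "bob",
     "MandatoryLabel": "S-1-16-12288", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    # carol: two sensitive events but no high-integrity spawn, so the join drops her
    {"_time": "2026-02-03T12:00:00", "EventCode": 4674, "ComputerName": "WS03", "SubjectUserName": "carol",
     "PrivilegeList": "SeLoadDriverPrivilege", "ProcessName": r"C:\Windows\System32\svchost.exe"},
    {"_time": "2026-02-03T12:20:00", "EventCode": 4674, "ComputerName": "WS03", "SubjectUserName": "carol",
     "PrivilegeList": "SeLoadDriverPrivilege", "ProcessName": r"C:\Windows\System32\svchost.exe"},
]


def is_candidate_user(name):
    """Mirror the SPL filters: drop machine accounts (trailing $) and the SYSTEM account."""
    return not name.endswith("$") and name != "SYSTEM"


def split_privileges(priv_list):
    """PrivilegeList is newline-separated in 4672 events; 4673/4674 carry a single value."""
    return [p.strip() for p in priv_list.split("\n") if p.strip()]


def uses_sensitive_privilege(priv_list):
    """Equivalent of the match() on PrivilegeList in the SPL query."""
    return any(p in SENSITIVE for p in split_privileges(priv_list))


def detect(events, threshold=1):
    """Return alert rows keyed (hour, host, user), like the SPL table, sorted by PrivEscEvents."""
    priv = defaultdict(lambda: {"PrivEscEvents": 0, "PrivilegesUsed": set(), "Processes": set()})
    high_spawns = defaultdict(int)  # (host, user) -> count of High/System-integrity 4688 events
    for e in events:
        user, host = e["SubjectUserName"], e["ComputerName"]
        if not is_candidate_user(user):
            continue
        if e["EventCode"] in (4672, 4673, 4674) and uses_sensitive_privilege(e.get("PrivilegeList", "")):
            hour = datetime.fromisoformat(e["_time"]).strftime("%Y-%m-%dT%H:00:00")
            row = priv[(hour, host, user)]
            row["PrivEscEvents"] += 1
            # the SPL values(PrivilegeList) keeps whole strings; individual privileges are listed here for readability
            row["PrivilegesUsed"].update(split_privileges(e["PrivilegeList"]))
            row["Processes"].add(e.get("ProcessName", "-"))
        elif e["EventCode"] == 4688 and e.get("MandatoryLabel") in HIGH_INTEGRITY:
            high_spawns[(host, user)] += 1
    alerts = []
    for (hour, host, user), row in priv.items():
        # inner join on (ComputerName, SubjectUserName) plus the PrivEscEvents > 1 threshold
        if row["PrivEscEvents"] > threshold and high_spawns.get((host, user)):
            alerts.append({"hour": hour, "ComputerName": host, "SubjectUserName": user,
                           "PrivEscEvents": row["PrivEscEvents"],
                           "PrivilegesUsed": sorted(row["PrivilegesUsed"]),
                           "Processes": sorted(row["Processes"]),
                           "HighIntegritySpawns": high_spawns[(host, user)]})
    return sorted(alerts, key=lambda a: -a["PrivEscEvents"])


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the script prints a single row for alice on WS01 in the 10:00 hour; bob is suppressed by the threshold, carol by the missing high-integrity spawn, and WS01$ by the account filter. Feeding exported Splunk results (for example from a saved search with the same field names) into detect() is a quick way to confirm the hourly bucketing and the join keys behave as intended before tuning the threshold for an environment where the false-positive sources listed above are common.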