Which SIEM platforms have a CVE-2026-32202 detection rule?

df00tech provides CVE-2026-32202 (CVE-2026-32202 Microsoft Windows Protection Mechanism Failure) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect CVE-2026-32202 Microsoft Windows Protection Mechanism Failure (CVE-2026-32202)?

Detecting CVE-2026-32202 Microsoft Windows Protection Mechanism Failure requires the following data sources: Microsoft Defender for Endpoint, Microsoft Sentinel, Windows Security Events.

What severity and confidence is the CVE-2026-32202 detection?

The CVE-2026-32202 detection is rated high severity with medium confidence.

What are common false positives for CVE-2026-32202?

Common false positives for CVE-2026-32202 include: Legitimate administrative tools that adjust token privileges during normal operations; Security software performing self-diagnostic or configuration changes to Windows Defender registry keys; Pentest or red team tooling running in authorized environments.

CVE-2026-32202 Detection: CVE-2026-32202 Microsoft Windows Protection Mechanism Failure (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let timeWindow = 24h;
let suspiciousProcesses = DeviceProcessEvents
| where Timestamp > ago(timeWindow)
| where (FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe") and InitiatingProcessFileName !in~ ("explorer.exe", "svchost.exe", "services.exe"))
    or (ProcessCommandLine has_any ("SeDebugPrivilege", "AdjustTokenPrivileges", "NtSetInformationToken", "ZwSetInformationToken", "DisablePrivilege", "BypassUAC", "DisableWindowsDefender", "Set-MpPreference"))
| project Timestamp, DeviceId, DeviceName, AccountName, AccountDomain, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessId, InitiatingProcessId;
let securityBypassEvents = DeviceEvents
| where Timestamp > ago(timeWindow)
| where ActionType in~ ("SecurityCenterNotification", "AntivirusDetection", "ExploitGuardNetworkProtectionBlocked", "ControlledFolderAccessViolationAudited", "ExploitGuardAsmRuleAudited")
| project Timestamp, DeviceId, DeviceName, ActionType, AdditionalFields;
let registryBypass = DeviceRegistryEvents
| where Timestamp > ago(timeWindow)
| where RegistryKey has_any ("SOFTWARE\\Microsoft\\Windows Defender", "SOFTWARE\\Policies\\Microsoft\\Windows Defender", "SYSTEM\\CurrentControlSet\\Services\\SecurityHealthService")
| where ActionType in~ ("RegistryValueSet", "RegistryKeyCreated")
| project Timestamp, DeviceId, DeviceName, ActionType, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName;
suspiciousProcesses
| union securityBypassEvents
| union registryBypass
| summarize EventCount=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp), EventTypes=make_set(ActionType, 20) by DeviceId, DeviceName
| where EventCount >= 2
| extend AlertTitle = "CVE-2026-32202 Possible Windows Protection Mechanism Bypass"
| sort by EventCount desc

Correlates process events, security bypass events, and registry modifications indicative of CVE-2026-32202 exploitation targeting Windows protection mechanisms.

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel Windows Security Events

Required Tables

DeviceProcessEvents DeviceEvents DeviceRegistryEvents

False Positives

Legitimate administrative tools that adjust token privileges during normal operations
Security software performing self-diagnostic or configuration changes to Windows Defender registry keys
Pentest or red team tooling running in authorized environments
Group Policy updates modifying Windows Defender settings via SCCM or Intune

Splunk

spl

index=windows (source="WinEventLog:Security" OR source="WinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval event_type=case(
    EventCode=="4688", "process_create",
    EventCode=="4657", "registry_modify",
    EventCode=="4703", "token_privilege_adjusted",
    EventCode=="1", "sysmon_process_create",
    EventCode=="13", "sysmon_registry_set",
    true(), "other"
  )
| where event_type IN ("process_create", "registry_modify", "token_privilege_adjusted", "sysmon_process_create", "sysmon_registry_set")
| eval suspicious_process=if(
    match(lower(Process_Name), "(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)") AND
    NOT match(lower(Parent_Process_Name), "(explorer\.exe|svchost\.exe|services\.exe)"),
    1, 0
  )
| eval bypass_commandline=if(
    match(CommandLine, "(?i)(SeDebugPrivilege|AdjustTokenPrivileges|NtSetInformationToken|ZwSetInformationToken|BypassUAC|DisableWindowsDefender|Set-MpPreference|DisableRealtimeMonitoring)"),
    1, 0
  )
| eval defender_registry=if(
    match(Object_Name, "(?i)(Windows Defender|SecurityHealthService)") AND
    match(event_type, "registry_modify"),
    1, 0
  )
| eval token_abuse=if(event_type=="token_privilege_adjusted" AND match(Privileges, "(?i)SeDebugPrivilege"), 1, 0)
| eval risk_score=suspicious_process*25 + bypass_commandline*35 + defender_registry*20 + token_abuse*30
| where risk_score >= 35
| stats sum(risk_score) as total_risk, count as event_count, values(event_type) as event_types, earliest(_time) as first_seen, latest(_time) as last_seen, values(CommandLine) as commands by host, user, src_ip
| where event_count >= 1
| eval cve="CVE-2026-32202"
| eval alert_title="CVE-2026-32202 Windows Protection Mechanism Failure - Bypass Indicators"
| sort - total_risk

Risk-scored detection combining process creation, registry modification, token privilege events, and command-line bypass indicators for CVE-2026-32202 exploitation.

high severity medium confidence

Data Sources

Windows Security Event Log Sysmon

Required Sourcetypes

WinEventLog:Security WinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Authorized administrative scripts adjusting Windows Defender policies via legitimate management tools
Security products with deep OS integration that legitimately use token privilege APIs
Scheduled tasks or GPO enforcement scripts modifying Windows security settings
Antivirus or EDR agents performing self-protection operations

Elastic Security (EQL)

eql

sequence by host.name, user.name with maxspan=10m
  [process where event.type == "start" and
    process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe") and
    not process.parent.name : ("explorer.exe", "svchost.exe", "services.exe", "msiexec.exe")]
  [any where event.category : ("process", "registry") and
    (
      (event.category == "process" and process.command_line : ("*SeDebugPrivilege*", "*AdjustTokenPrivileges*", "*BypassUAC*", "*Set-MpPreference*", "*DisableRealtimeMonitoring*", "*NtSetInformationToken*")) or
      (event.category == "registry" and registry.path : ("*Windows Defender*", "*SecurityHealthService*", "*WinDefend*") and registry.data.strings : ("*0*", "*false*", "*disabled*"))
    )
  ]

EQL sequence detection correlating suspicious child process spawning followed by protection mechanism bypass activity within a 10-minute window.

high severity medium confidence

Data Sources

Elastic Endpoint Winlogbeat Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* winlogbeat-*

False Positives

Legitimate IT automation scripts spawned from non-standard parent processes
Security software modifying defender registry keys as part of product installation
Authorized red team exercises performing bypass testing
Enterprise management tools using token privilege APIs for legitimate administrative functions

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') as event_time,
  sourceip, destinationip, username,
  QIDNAME(qid) as event_name,
  "Process Name", "Command", "Registry Key",
  logsourcename(logsourceid) as log_source,
  categoryname(category) as category_name
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
  AND starttime > NOW() - 86400000
  AND (
    ("Process Name" ILIKE '%cmd.exe%' OR "Process Name" ILIKE '%powershell.exe%' OR
     "Process Name" ILIKE '%wscript.exe%' OR "Process Name" ILIKE '%cscript.exe%' OR
     "Process Name" ILIKE '%mshta.exe%' OR "Process Name" ILIKE '%rundll32.exe%')
    AND NOT ("Parent Process" ILIKE '%explorer.exe%' OR "Parent Process" ILIKE '%svchost.exe%')
  )
  OR (
    "Command" ILIKE '%SeDebugPrivilege%'
    OR "Command" ILIKE '%AdjustTokenPrivileges%'
    OR "Command" ILIKE '%BypassUAC%'
    OR "Command" ILIKE '%Set-MpPreference%'
    OR "Command" ILIKE '%DisableRealtimeMonitoring%'
    OR "Command" ILIKE '%NtSetInformationToken%'
  )
  OR (
    "Registry Key" ILIKE '%Windows Defender%'
    AND (qid IN (SELECT id FROM qidmap WHERE category = 'Registry Audit'))
  )
GROUP BY sourceip, username, "Process Name"
ORDER BY event_time DESC
LIMIT 500

QRadar AQL query detecting Windows protection mechanism bypass indicators including suspicious process lineage, bypass command-line arguments, and Windows Defender registry modifications.

high severity medium confidence

Data Sources

Windows Security Event Log Sysmon QRadar Windows DSM

Required Tables

events

False Positives

Legitimate PowerShell administration scripts modifying Defender settings through authorized management channels
Software deployment tools that spawn cmd.exe or scripts from non-standard parent processes
Security assessment tools running in authorized windows
Enterprise backup or monitoring agents using privilege adjustment APIs

Sumo Logic CSE

sql

_sourceCategory=windows* ("SeDebugPrivilege" OR "AdjustTokenPrivileges" OR "NtSetInformationToken" OR "ZwSetInformationToken" OR "BypassUAC" OR "Set-MpPreference" OR "DisableRealtimeMonitoring" OR "Windows Defender")
| parse regex field=_raw "EventCode=(?<event_code>\d+)"
| parse regex field=_raw "(?:Process Name|Image)=(?<process_name>[^\r\n]+)"
| parse regex field=_raw "(?:CommandLine|Command Line)=(?<command_line>[^\r\n]+)" nodrop
| parse regex field=_raw "(?:SubjectUserName|User)=(?<username>[^\r\n]+)" nodrop
| parse regex field=_raw "(?:Workstation Name|Computer)=(?<hostname>[^\r\n]+)" nodrop
| where event_code in ("4688", "4657", "4703", "1", "12", "13")
| eval is_suspicious_process = if(matches(toLowerCase(process_name), "(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)"), 1, 0)
| eval has_bypass_cmd = if(matches(command_line, "(?i)(SeDebugPrivilege|AdjustTokenPrivileges|BypassUAC|Set-MpPreference|DisableRealtimeMonitoring|NtSetInformationToken)"), 1, 0)
| eval risk = is_suspicious_process * 20 + has_bypass_cmd * 40
| where risk >= 40
| stats count as event_count, sum(risk) as total_risk, values(process_name) as processes, values(command_line) as commands, min(_messagetime) as first_seen, max(_messagetime) as last_seen by hostname, username
| sort by total_risk desc
| limit 100

Sumo Logic query detecting Windows protection mechanism failure exploitation via process and command-line analysis with risk scoring.

high severity medium confidence

Data Sources

Windows Event Logs Sysmon

Required Tables

windows*

False Positives

IT automation scripts using PowerShell to manage Windows Defender configuration
Security operations tools that legitimately call token privilege APIs
Group Policy scripts modifying Defender settings pushed from domain controllers
Legitimate application installers that require privilege adjustments

Google Chronicle / SecOps

yaral

rule cve_2026_32202_windows_protection_bypass {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2026-32202 Microsoft Windows Protection Mechanism Failure exploitation"
    severity = "HIGH"
    priority = "HIGH"
    cve = "CVE-2026-32202"
    cwe = "CWE-693"
    mitre_attack = "T1562, T1548, T1055"
    reference = "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-32202"

  events:
    ($process.metadata.event_type = "PROCESS_LAUNCH"
     and (
       re.regex($process.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe)$`)
     )
     and not re.regex($process.principal.process.parent_process.file.full_path, `(?i)(explorer\.exe|svchost\.exe|services\.exe|msiexec\.exe)$`)
    ) or
    (
     re.regex($process.target.process.command_line, `(?i)(SeDebugPrivilege|AdjustTokenPrivileges|NtSetInformationToken|ZwSetInformationToken|BypassUAC|Set-MpPreference|DisableRealtimeMonitoring|DisableAntiSpyware)`)
    ) or
    (
     $process.metadata.event_type = "REGISTRY_MODIFICATION"
     and re.regex($process.target.registry.registry_key, `(?i)(Windows.Defender|SecurityHealthService|WinDefend)`)
    )

  condition:
    $process
}

Chronicle YARA-L rule detecting Windows protection mechanism bypass behaviors associated with CVE-2026-32202 exploitation across process launch, command-line, and registry modification events.

high severity medium confidence

Data Sources

Google Chronicle Windows Event Logs via Chronicle forwarder Sysmon via Chronicle

Required Tables

process_events registry_events

False Positives

Authorized endpoint management platforms modifying Windows Defender registry keys
Legitimate security tools spawning scripting engines for scanning or remediation purposes
Software deployment pipelines using cmd.exe or PowerShell from non-standard parent contexts
IT provisioning automation adjusting token privileges during workstation setup

CrowdStrike LogScale (CQL)

cql

#event_simpleName in (ProcessRollup2, SyntheticProcessRollup2, RegKeyCreate, RegKeySetValue)
| where event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
  and (
    FileName in ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
    and not ParentBaseFileName in ("explorer.exe", "svchost.exe", "services.exe", "msiexec.exe")
  )
  or (
    match(CommandLine, /(?i)(SeDebugPrivilege|AdjustTokenPrivileges|NtSetInformationToken|ZwSetInformationToken|BypassUAC|Set-MpPreference|DisableRealtimeMonitoring|DisableAntiSpyware)/)
  )
| union [
  #event_simpleName in (RegKeyCreate, RegKeySetValue)
  | where match(RegKeyPath, /(?i)(Windows\\Defender|SecurityHealthService|WinDefend)/)
  | project timestamp, ComputerName, UserName, RegKeyPath, RegValueName, RegValueType
]
| eval cve = "CVE-2026-32202"
| eval alert = "Windows Protection Mechanism Failure - Bypass Activity"
| stats count() as events, values(FileName) as process_names, values(CommandLine) as commands, values(RegKeyPath) as registry_paths, min(timestamp) as first_seen, max(timestamp) as last_seen by ComputerName, UserName, cve
| where events >= 1
| sort - events

CrowdStrike Falcon LogScale (CQL) detection for CVE-2026-32202 focusing on suspicious process lineage, protection bypass command-line patterns, and Windows Defender registry tampering.

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR Falcon LogScale

Required Tables

ProcessRollup2 SyntheticProcessRollup2 RegKeyCreate RegKeySetValue

False Positives

CrowdStrike sensor itself or other security agents modifying Defender registry keys
Authorized IT scripts using PowerShell to manage Windows security configuration
Software installers that legitimately adjust process token privileges
Enterprise management tooling spawning scripting engines for configuration enforcement

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2026-32202 CVE-2026-32202 Microsoft Windows Protection Mechanism Failure?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2026-32202

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox