Detect CVE-2026-32202 Microsoft Windows Protection Mechanism Failure in Splunk

Detects behaviour consistent with exploitation of CVE-2026-32202, a Microsoft Windows Protection Mechanism Failure vulnerability (CWE-693) listed in CISA's Known Exploited Vulnerabilities catalog. The vulnerability lets an attacker bypass a Windows security control, which can lead to privilege escalation, defense evasion or code execution. Detection keys on the post-bypass behaviour rather than on a specific exploit artifact: scripting engines launched from unusual parents, command lines that adjust token privileges or disable Windows Defender, tampering with Defender registry keys, and SeDebugPrivilege being enabled on a token.

MITRE ATT&CK

Tactic
  • Defense Evasion
  • Privilege Escalation
  • Execution

SPL Detection Query

Splunk (SPL):
index=windows (source="WinEventLog:Security" OR source="WinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval event_type=case(
    source=="WinEventLog:Security" AND EventCode=="4688", "process_create",
    source=="WinEventLog:Security" AND EventCode=="4657", "registry_modify",
    source=="WinEventLog:Security" AND EventCode=="4703", "token_privilege_adjusted",
    like(source, "%Sysmon%") AND EventCode=="1", "sysmon_process_create",
    like(source, "%Sysmon%") AND EventCode=="13", "sysmon_registry_set",
    true(), "other"
  )
| where event_type!="other"
| eval process_path=lower(coalesce(New_Process_Name, Image))
| eval parent_path=lower(coalesce(Creator_Process_Name, ParentImage))
| eval cmdline=coalesce(Process_Command_Line, CommandLine)
| eval reg_object=coalesce(Object_Name, TargetObject)
| eval actor=coalesce(user, User)
| eval suspicious_process=if(
    match(process_path, "(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32)\.exe$") AND
    NOT match(parent_path, "(explorer|svchost|services)\.exe$"),
    1, 0
  )
| eval bypass_commandline=if(
    match(cmdline, "(?i)(SeDebugPrivilege|AdjustTokenPrivileges|NtSetInformationToken|ZwSetInformationToken|BypassUAC|DisableWindowsDefender|Set-MpPreference|DisableRealtimeMonitoring)"),
    1, 0
  )
| eval defender_registry=if(
    match(event_type, "^(registry_modify|sysmon_registry_set)$") AND
    match(reg_object, "(?i)(Windows Defender|SecurityHealthService)"),
    1, 0
  )
| eval token_abuse=if(event_type=="token_privilege_adjusted" AND match(Enabled_Privileges, "(?i)SeDebugPrivilege"), 1, 0)
| eval risk_score=suspicious_process*25 + bypass_commandline*35 + defender_registry*20 + token_abuse*30
| where risk_score > 0
| stats sum(risk_score) as total_risk, count as event_count, values(event_type) as event_types, earliest(_time) as first_seen, latest(_time) as last_seen, values(cmdline) as commands by host, actor
| where total_risk >= 35
| eval cve="CVE-2026-32202"
| eval alert_title="CVE-2026-32202 Windows Protection Mechanism Failure - Bypass Indicators"
| sort - total_risk

Severity: high · Confidence: medium

Risk-scored detection combining process creation, registry modification, token privilege events and command-line bypass indicators for CVE-2026-32202 exploitation. Every event carrying at least one indicator is kept and the scores are summed per host and account, so the weaker indicators (Defender registry tampering at 20, an unusual script-engine parent at 25, SeDebugPrivilege at 30) only alert when they co-occur on the same host and account within the search window, while a bypass command line (35) alerts on its own. Grouping by src_ip was not used because process, registry and token events carry no source address, and stats silently discards events whose by-field is null.

Field names assume the Splunk Add-on for Microsoft Windows for Security events (New_Process_Name, Creator_Process_Name, Process_Command_Line, Object_Name, Enabled_Privileges, user) and the Sysmon add-on for Sysmon events (Image, ParentImage, CommandLine, TargetObject, User); adjust the coalesce() calls if your add-ons name them differently. Note that Security 4703 reports the privilege in Enabled_Privileges, not in a Privileges field (that field belongs to 4672). The indicators are generic defense-evasion behaviours rather than artifacts of a particular exploit, so a hit shows activity consistent with post-bypass tradecraft and should be confirmed against the host's patch level and the Windows Defender and PowerShell operational logs.

Data Sources

  • Windows Security Event Log
  • Sysmon

Required Sourcetypes

  • WinEventLog:Security
  • WinEventLog:Microsoft-Windows-Sysmon/Operational

Audit prerequisites: Security 4688 only carries Process_Command_Line when the "Include command line in process creation events" policy is enabled; 4657 requires Object Access auditing plus a SACL on the Windows Defender registry keys; 4703 requires the "Audit Token Right Adjusted" subcategory. Without these, the corresponding indicators never fire and only the Sysmon-backed indicators contribute to the score.

False Positives & Tuning

  • Authorized administrative scripts adjusting Windows Defender policies via legitimate management tools
  • Security products with deep OS integration that legitimately use token privilege APIs
  • Scheduled tasks or GPO enforcement scripts modifying Windows security settings
  • Antivirus or EDR agents performing self-protection operations

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Disable Windows Defender Real-Time Protection via PowerShell

    Expected signal: Windows Security Event 4688 (process create) for powershell.exe; Sysmon Event 1 with a command line containing Set-MpPreference; Windows Defender operational log Event 5001 (real-time protection disabled), if the change takes effect; registry modification under HKLM\SOFTWARE\Microsoft\Windows Defender

  2. Test 2: Enable SeDebugPrivilege via Token Manipulation

    Expected signal: Windows Security Event 4703 (token right adjusted) with SeDebugPrivilege in Enabled_Privileges; Sysmon Event 1 for powershell.exe process creation; PowerShell ScriptBlock log Event 4104 capturing the command

  3. Test 3: Windows Defender Registry Key Tampering

    Expected signal: Windows Security Event 4657 (registry value modified) when a SACL is set on the key; Sysmon Events 12 and 13 (registry key create/value set) for HKLM\SOFTWARE\Policies\Microsoft\Windows Defender; Windows Defender operational log Event 5001 if the change disables real-time protection

  4. Test 4: Spawn Scripting Engine from Unusual Parent Process

    Expected signal: Sysmon Event 1 showing cmd.exe with ParentImage=powershell.exe; Windows Security Event 4688 chain with Creator_Process_Name set to powershell.exe; the command line in the process creation events (process creation logs do not capture command output)
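To check what the four tests above actually score before running them against Splunk, the following added example (not the page's own query and not Atomic Red Team code) re-implements the query's indicator logic and risk weights in Python and runs it over constructed sample events, one per test plus a benign control. The events are made up for this example, not captured telemetry; field names follow the Splunk Windows and Sysmon add-on conventions the query assumes (New_Process_Name, Enabled_Privileges, Image, TargetObject and so on), and the example applies the 35-point threshold to the per host/account total so that the weaker indicators can accumulate.

```python
import re
from collections import defaultdict

# Indicator weights and alert threshold from the SPL query on this page.
WEIGHTS = {"suspicious_process": 25, "bypass_commandline": 35,
           "defender_registry": 20, "token_abuse": 30}
THRESHOLD = 35
SECURITY = "WinEventLog:Security"
SYSMON = "WinEventLog:Microsoft-Windows-Sysmon/Operational"
EVENT_TYPES = {
    (SECURITY, "4688"): "process_create",
    (SECURITY, "4657"): "registry_modify",
    (SECURITY, "4703"): "token_privilege_adjusted",
    (SYSMON, "1"): "sysmon_process_create",
    (SYSMON, "13"): "sysmon_registry_set",
}
SCRIPT_ENGINE = re.compile(r"\\(cmd|powershell|wscript|cscript|mshta|rundll32|regsvr32)\.exe$")
BENIGN_PARENT = re.compile(r"\\(explorer|svchost|services)\.exe$")
BYPASS_CMD = re.compile(r"SeDebugPrivilege|AdjustTokenPrivileges|NtSetInformationToken|"
                        r"ZwSetInformationToken|BypassUAC|DisableWindowsDefender|"
                        r"Set-MpPreference|DisableRealtimeMonitoring", re.I)
DEFENDER_OBJ = re.compile(r"Windows Defender|SecurityHealthService", re.I)


def coalesce(ev, *keys):
    """First present, non-empty field, like SPL coalesce()."""
    return next((ev[k] for k in keys if ev.get(k)), "")


def score_event(ev):
    """Return (event_type, indicator hits, risk_score) or None if the event is out of scope."""
    etype = EVENT_TYPES.get((ev["source"], ev["EventCode"]))
    if etype is None:
        return None
    proc = coalesce(ev, "New_Process_Name", "Image").lower()        # 4688 / Sysmon 1
    parent = coalesce(ev, "Creator_Process_Name", "ParentImage").lower()
    cmd = coalesce(ev, "Process_Command_Line", "CommandLine")
    obj = coalesce(ev, "Object_Name", "TargetObject")                # 4657 / Sysmon 13
    privs = coalesce(ev, "Enabled_Privileges")                       # 4703
    hit = {
        # No parent -> 0, matching SPL where NOT match(null) is null and if() takes the false branch.
        "suspicious_process": bool(SCRIPT_ENGINE.search(proc)) and bool(parent)
                              and not BENIGN_PARENT.search(parent),
        "bypass_commandline": bool(BYPASS_CMD.search(cmd)),
        "defender_registry": etype in ("registry_modify", "sysmon_registry_set")
                             and bool(DEFENDER_OBJ.search(obj)),
        "token_abuse": etype == "token_privilege_adjusted" and "sedebugprivilege" in privs.lower(),
    }
    return etype, hit, sum(WEIGHTS[k] for k, v in hit.items() if v)


def aggregate(events):
    """Keep events with a non-zero score, sum per (host, user) like the query's stats,
    and return only the buckets whose total reaches THRESHOLD."""
    buckets = defaultdict(lambda: {"total_risk": 0, "event_count": 0,
                                   "event_types": set(), "commands": set()})
    for ev in events:
        scored = score_event(ev)
        if scored is None or scored[2] == 0:
            continue
        etype, _, risk = scored
        b = buckets[(ev["host"], coalesce(ev, "user", "User"))]
        b["total_risk"] += risk
        b["event_count"] += 1
        b["event_types"].add(etype)
        if coalesce(ev, "Process_Command_Line", "CommandLine"):
            b["commands"].add(coalesce(ev, "Process_Command_Line", "CommandLine"))
    return {k: v for k, v in buckets.items() if v["total_risk"] >= THRESHOLD}


# Constructed sample events (not real telemetry): one per Testing Methodology test plus a benign control.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Test 1: Set-MpPreference from an interactive PowerShell (explorer.exe parent is allow-listed).
    {"host": "ws01", "user": "CORP\\alice", "source": SYSMON, "EventCode": "1", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    # Test 2: SeDebugPrivilege enabled on a token (Security 4703).
    {"host": "ws02", "user": "CORP\\bob", "source": SECURITY, "EventCode": "4703",
     "Process_Name": PS, "Enabled_Privileges": "SeDebugPrivilege"},
    # Test 3: Defender policy key tampering seen by Sysmon 13, same host and account as Test 2.
    {"host": "ws02", "user": "CORP\\bob", "source": SYSMON, "EventCode": "13",
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    # Test 4: cmd.exe spawned by powershell.exe.
    {"host": "ws03", "user": "CORP\\carol", "source": SYSMON, "EventCode": "1",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": PS, "CommandLine": "cmd.exe /c whoami"},
    # Benign control: scheduled-task PowerShell under svchost.exe running an ordinary script.
    {"host": "ws03", "user": "CORP\\svc_inv", "source": SYSMON, "EventCode": "1", "Image": PS,
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for (host, user), b in aggregate(SAMPLE_EVENTS).items():
        print(host, user, b["total_risk"], sorted(b["event_types"]))
```

Run stand-alone, it reports alerts for ws01/alice (Test 1 scores 35 on its own) and ws02/bob (Tests 2 and 3 score 30 and 20 and only cross the threshold together), while Test 4 alone (25) and the benign control (0) produce nothing. That is the behaviour to expect when validating: Tests 2, 3 and 4 are each below the alert threshold in isolation and should be exercised on the same host and account, or the threshold lowered, before judging the detection as missed.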
