Which SIEM platforms have a CVE-2026-33825 detection rule?

df00tech provides CVE-2026-33825 (CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the CVE-2026-33825 detection?

The CVE-2026-33825 detection is rated critical severity with high confidence.

What are common false positives for CVE-2026-33825?

Common false positives for CVE-2026-33825 include: Legitimate IT administrators using approved tooling to manage Defender policy via Group Policy or MDM; Authorized security operations teams running Defender health checks or remediation scripts; Endpoint management platforms (SCCM, Intune, Tanium) modifying Defender configuration as part of policy enforcement.

CVE-2026-33825

CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation

Q: What data sources are required to detect CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation (CVE-2026-33825)?

Detecting CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation requires the following data sources: Microsoft Sentinel, Microsoft Defender for Endpoint, Security Events, DeviceRegistryEvents, DeviceProcessEvents.

Defense Evasion Privilege Escalation Persistence Last updated: June 19, 2026

Detects exploitation attempts targeting CVE-2026-33825, an insufficient granularity of access control vulnerability (CWE-1220) in Microsoft Defender. This KEV-listed vulnerability allows attackers to bypass Defender access controls, potentially disabling protections, modifying exclusions, or tampering with security configurations without appropriate privilege levels.

Vulnerability Intelligence

KEV — Known Exploited

CVE

CVE-2026-33825↗ NVD

Affected Software

Vendor: Microsoft
Product: Defender

Weakness (CWE)

CWE-1220

Timeline

Disclosed: April 22, 2026

References & Proof of Concept

CVSS

Unscored

Write-up coming soon

What is CVE-2026-33825 CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation?

CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation (CVE-2026-33825) maps to the Defense Evasion and Privilege Escalation and Persistence tactics — the adversary is trying to avoid being detected in MITRE ATT&CK.

This page provides production-ready detection logic for CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation, covering the data sources and telemetry it touches: Microsoft Sentinel, Microsoft Defender for Endpoint, Security Events, DeviceRegistryEvents, DeviceProcessEvents. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Defense Evasion Privilege Escalation Persistence

Microsoft Sentinel / Defender

kusto

let DefenderTamperEvents = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4657, 4670, 4907)
| where ObjectName has_any ("Windows Defender", "MsMpEng", "WinDefend", "SecurityHealthService")
| where AccessMask in ("0x2", "0x4", "0x20", "0x40");
let DefenderConfigChanges = DeviceRegistryEvents
| where TimeGenerated > ago(24h)
| where RegistryKey has_any (
    "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
  )
| where ActionType in ("RegistryValueSet", "RegistryValueDeleted", "RegistryKeyCreated")
| where InitiatingProcessAccountName !in ("SYSTEM", "TrustedInstaller")
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "NisSrv.exe", "SecurityHealthService.exe", "MpCmdRun.exe");
let DefenderServiceChanges = DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where (FileName =~ "sc.exe" and ProcessCommandLine has_any ("WinDefend", "MsMpEng", "SecurityHealthService") and ProcessCommandLine has_any ("stop", "config", "delete", "disable"))
   or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Set-MpPreference", "Add-MpPreference", "Remove-MpPreference", "Disable-WindowsOptionalFeature") and ProcessCommandLine has_any ("-DisableRealtimeMonitoring", "ExclusionPath", "ExclusionProcess", "-DisableIOAVProtection", "-DisableBehaviorMonitoring"))
   or (FileName =~ "reg.exe" and ProcessCommandLine has "Windows Defender" and ProcessCommandLine has_any ("add", "delete"));
union DefenderTamperEvents, DefenderConfigChanges, DefenderServiceChanges
| extend AccountName = coalesce(InitiatingProcessAccountName, SubjectUserName, ""), HostName = coalesce(DeviceName, Computer, "")
| summarize EventCount=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Commands=make_set(coalesce(ProcessCommandLine, ObjectName, RegistryKey), 20) by AccountName, HostName, bin(TimeGenerated, 5m)
| where EventCount >= 1
| extend AlertTitle = "CVE-2026-33825 - Suspected Defender Access Control Bypass"
| project LastSeen, FirstSeen, AlertTitle, AccountName, HostName, EventCount, Commands

Detects registry modifications, service configuration changes, and PowerShell commands consistent with exploitation of CVE-2026-33825 — bypassing Defender access controls to disable protections or add exclusions without appropriate privileges.

critical severity high confidence

Data Sources

Microsoft Sentinel Microsoft Defender for Endpoint Security Events DeviceRegistryEvents DeviceProcessEvents

Required Tables

SecurityEvent DeviceRegistryEvents DeviceProcessEvents

False Positives

Legitimate IT administrators using approved tooling to manage Defender policy via Group Policy or MDM
Authorized security operations teams running Defender health checks or remediation scripts
Endpoint management platforms (SCCM, Intune, Tanium) modifying Defender configuration as part of policy enforcement
Antivirus migration tools that temporarily disable Defender during third-party AV installation

Splunk

spl

index=wineventlog OR index=sysmon OR index=defender
| eval source_category=case(
    sourcetype="WinEventLog:Security", "security_events",
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sysmon",
    sourcetype="WinEventLog:Microsoft-Windows-Windows Defender/Operational", "defender_ops",
    true(), "other"
  )
| where (EventCode IN (5001, 5004, 5007, 5010, 5012, 5013, 3002) AND sourcetype="WinEventLog:Microsoft-Windows-Windows Defender/Operational")
  OR (EventCode IN (4657, 4670) AND (Object_Name LIKE "%Windows Defender%" OR Object_Name LIKE "%MsMpEng%"))
  OR (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=13 AND TargetObject LIKE "%Windows Defender%" AND (NOT (User="NT AUTHORITY\\SYSTEM" OR User="NT AUTHORITY\\LOCAL SERVICE")))
  OR (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode IN (1, 11) AND (
       (Image LIKE "%powershell.exe" AND (CommandLine LIKE "%Set-MpPreference%" OR CommandLine LIKE "%DisableRealtimeMonitoring%" OR CommandLine LIKE "%ExclusionPath%"))
    OR (Image LIKE "%sc.exe" AND (CommandLine LIKE "%WinDefend%" OR CommandLine LIKE "%MsMpEng%") AND (CommandLine LIKE "%stop%" OR CommandLine LIKE "%disable%"))
    OR (Image LIKE "%reg.exe" AND CommandLine LIKE "%Windows Defender%" AND (CommandLine LIKE "% add %" OR CommandLine LIKE "% delete %"))
  ))
| eval suspicious_indicator=case(
    EventCode IN (5001, 5004, 5010, 5012, 5013), "Defender_Protection_Disabled",
    EventCode=5007, "Defender_Config_Modified",
    EventCode IN (4657, 4670), "Registry_ACL_Changed",
    CommandLine LIKE "%DisableRealtimeMonitoring%" OR CommandLine LIKE "%ExclusionPath%", "RealTime_Exclusion_Added",
    CommandLine LIKE "%stop%" OR CommandLine LIKE "%disable%", "Defender_Service_Stopped",
    true(), "Unknown_Tamper_Activity"
  )
| eval host_name=coalesce(ComputerName, host, "unknown"), account=coalesce(User, SubjectUserName, "unknown")
| stats count AS event_count, values(suspicious_indicator) AS indicators, min(_time) AS first_seen, max(_time) AS last_seen, values(CommandLine) AS commands BY host_name, account
| where event_count >= 1
| eval alert="CVE-2026-33825 Suspected Defender Access Control Bypass"
| table last_seen, first_seen, alert, host_name, account, event_count, indicators, commands
| sort -last_seen

Splunk query detecting Defender operational log events indicating protection status changes (5001, 5004, 5010-5013), configuration modifications (5007), registry ACL changes, and process-level Defender tampering consistent with CVE-2026-33825 exploitation.

critical severity high confidence

Data Sources

Windows Event Logs Sysmon Microsoft Defender Operational Logs

Required Sourcetypes

WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Microsoft-Windows-Windows Defender/Operational

False Positives

Group Policy or MDM-enforced Defender configuration changes applied by SYSTEM or TrustedInstaller accounts
Security product migrations where Defender is intentionally disabled before installing an enterprise AV solution
Authorized red team or penetration testing exercises with documented scope
Automated patching workflows that temporarily modify Defender exclusions during software deployment

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  QIDNAME(qid) AS event_name,
  categoryname(category) AS category,
  "sourceip" AS src_ip,
  "destinationip" AS dst_ip,
  HOSTNAME AS host,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Target Object" AS target_object,
  magnitude
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon', 'Microsoft Windows Defender')
  AND (
    (eventid IN (5001, 5004, 5007, 5010, 5012, 5013) AND LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Defender')
    OR (eventid IN (4657, 4670) AND ("Object Name" ILIKE '%Windows Defender%' OR "Object Name" ILIKE '%MsMpEng%'))
    OR (
      LOGSOURCETYPENAME(devicetype) = 'Microsoft Sysmon'
      AND eventid IN (1, 13)
      AND (
        ("Process Name" ILIKE '%powershell.exe' AND ("Command" ILIKE '%Set-MpPreference%' OR "Command" ILIKE '%DisableRealtimeMonitoring%' OR "Command" ILIKE '%ExclusionPath%'))
        OR ("Process Name" ILIKE '%sc.exe' AND ("Command" ILIKE '%WinDefend%' OR "Command" ILIKE '%SecurityHealthService%') AND ("Command" ILIKE '%stop%' OR "Command" ILIKE '%disable%'))
        OR ("Process Name" ILIKE '%reg.exe' AND "Command" ILIKE '%Windows Defender%' AND ("Command" ILIKE '% add %' OR "Command" ILIKE '% delete %'))
      )
      AND username NOT ILIKE '%SYSTEM%'
      AND username NOT ILIKE '%TrustedInstaller%'
    )
  )
  AND LAST 24 HOURS
ORDER BY devicetime DESC
LIMIT 500

QRadar AQL query correlating Windows Defender operational events (protection state changes, config modifications), Security Event Log registry ACL changes targeting Defender keys, and Sysmon process events capturing PowerShell, sc.exe, and reg.exe Defender tampering — collectively indicating CVE-2026-33825 exploitation.

critical severity medium confidence

Data Sources

QRadar SIEM Windows Security Event Log DSM Microsoft Sysmon DSM Microsoft Defender DSM

Required Tables

events

False Positives

Authorized IT administrators managing Defender via approved GPO or scripting frameworks
Enterprise software deployment systems modifying Defender exclusions for line-of-business applications
Security operations teams running scheduled Defender health validation scripts
MDM-driven configuration enforcement generating legitimate Defender policy change events

Sumo Logic CSE

sql

_sourceCategory=Windows/Security OR _sourceCategory=Windows/Sysmon OR _sourceCategory=Windows/Defender
| parse "EventID=*" as event_id nodrop
| parse "EventCode=*" as event_code nodrop
| parse "CommandLine=*" as command_line nodrop
| parse "TargetObject=*" as target_object nodrop
| parse "User=*" as user_account nodrop
| parse "ComputerName=*" as host_name nodrop
| parse "Process Name: *" as process_name nodrop
| where (
    (event_id in ("5001", "5004", "5007", "5010", "5012", "5013") and _sourceCategory matches "*Defender*")
    or (event_id in ("4657", "4670") and (target_object matches "*Windows Defender*" or target_object matches "*MsMpEng*"))
    or (
      _sourceCategory matches "*Sysmon*"
      and event_id in ("1", "13")
      and (
        (command_line matches "*Set-MpPreference*" or command_line matches "*DisableRealtimeMonitoring*" or command_line matches "*ExclusionPath*")
        or (command_line matches "*WinDefend*" and (command_line matches "*stop*" or command_line matches "*disable*"))
        or (command_line matches "*Windows Defender*" and command_line matches "*reg.exe*")
      )
      and !(user_account matches "*SYSTEM*" or user_account matches "*TrustedInstaller*")
    )
  )
| eval indicator = if(event_id in ("5001","5004","5010","5012","5013"), "Defender_Disabled",
    if(event_id = "5007", "Config_Modified",
    if(event_id in ("4657","4670"), "Registry_ACL_Changed",
    if(command_line matches "*ExclusionPath*" or command_line matches "*DisableRealtimeMonitoring*", "Exclusion_or_RT_Modified",
    "Tamper_Detected"))))
| count as event_count, values(indicator) as indicators, first(host_name) as host by user_account, host_name, _sourceCategory
| where event_count >= 1
| sort by event_count desc

Sumo Logic query parsing Windows Defender operational events, Security Event Log registry ACL modifications, and Sysmon process telemetry to identify Defender access control bypass activity consistent with CVE-2026-33825.

critical severity medium confidence

Data Sources

Sumo Logic Hosted Collector Windows Security Event Log Sysmon Windows Defender Operational Log

False Positives

IT operations teams legitimately modifying Defender via PowerShell for compliance or configuration management
Endpoint detection and response (EDR) platforms adjusting Defender settings for co-existence
Software deployment pipelines adding Defender exclusions for packaged applications
Security auditing scripts that enumerate current Defender configuration without making changes

Google Chronicle / SecOps

yaral

rule cve_2026_33825_defender_access_control_bypass {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects exploitation of CVE-2026-33825: Microsoft Defender Insufficient Access Control. Monitors Defender tamper events, registry modifications, and process-level bypass attempts."
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825"
    mitre_attack = "T1562.001, T1548"
    cve = "CVE-2026-33825"
    rule_version = "1.0"

  events:
    (
      // Windows Defender Operational - Protection disabled or config changed
      $e1.metadata.event_type = "PROCESS_UNCATEGORIZED"
      and $e1.metadata.product_name = "Microsoft-Windows-Windows Defender"
      and $e1.metadata.product_event_type in ("5001", "5004", "5007", "5010", "5012", "5013")
    )
    or
    (
      // Registry modification to Defender keys by non-system account
      $e1.metadata.event_type = "REGISTRY_MODIFICATION"
      and re.regex($e1.target.registry.registry_key, `(?i)(HKLM\\SOFTWARE\\(Policies\\)?Microsoft\\Windows Defender)`)
      and not $e1.principal.user.userid in ("S-1-5-18", "S-1-5-19", "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464")
    )
    or
    (
      // PowerShell Defender bypass commands
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.principal.process.file.full_path, `(?i)powershell\.exe$`)
      and re.regex($e1.target.process.command_line, `(?i)(Set-MpPreference|Add-MpPreference|Remove-MpPreference).*(DisableRealtimeMonitoring|ExclusionPath|ExclusionProcess|DisableBehaviorMonitoring|DisableIOAVProtection)`)
      and not $e1.principal.user.userid = "S-1-5-18"
    )
    or
    (
      // sc.exe stopping/disabling Defender services
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.target.process.file.full_path, `(?i)sc\.exe$`)
      and re.regex($e1.target.process.command_line, `(?i)(WinDefend|MsMpEng|SecurityHealthService).*(stop|disable|delete|config)`)
      and not $e1.principal.user.userid = "S-1-5-18"
    )

  condition:
    $e1
}

Chronicle YARA-L 2.0 rule detecting CVE-2026-33825 Defender access control bypass via Defender operational event monitoring, registry modification detection on Defender configuration keys, and process-level command monitoring for PowerShell and sc.exe tampering.

critical severity high confidence

Data Sources

Google Chronicle SIEM Windows Event Logs ingested via Chronicle forwarder Sysmon via Chronicle

Required Tables

UDM Events (PROCESS_LAUNCH, REGISTRY_MODIFICATION, PROCESS_UNCATEGORIZED)

False Positives

SYSTEM account (S-1-5-18) performing legitimate Defender configuration updates during Windows Update
Authorized Group Policy processing modifying Defender registry keys from legitimate policy application
IT helpdesk personnel adding temporary Defender exclusions for software installation via approved change tickets
Enterprise security tools (CrowdStrike, Carbon Black) adjusting Defender settings for product co-existence

CrowdStrike LogScale (CQL)

cql

#event_simpleName IN (ProcessRollup2, SyntheticProcessRollup2, RegistryOperationDetectInfo, DirectoryOperationDetectInfo)
| case {
    #event_simpleName IN (ProcessRollup2, SyntheticProcessRollup2):
      ImageFileName LIKE~ "%powershell.exe"
      AND CommandLine LIKE~ "%Set-MpPreference%"
      AND (
        CommandLine LIKE~ "%DisableRealtimeMonitoring%"
        OR CommandLine LIKE~ "%ExclusionPath%"
        OR CommandLine LIKE~ "%ExclusionProcess%"
        OR CommandLine LIKE~ "%DisableBehaviorMonitoring%"
        OR CommandLine LIKE~ "%DisableIOAVProtection%"
      )
      AND UserIsAdmin != "1";
    #event_simpleName IN (ProcessRollup2, SyntheticProcessRollup2):
      ImageFileName LIKE~ "%sc.exe"
      AND CommandLine LIKE~ "%WinDefend%"
      AND (
        CommandLine LIKE~ "%stop%"
        OR CommandLine LIKE~ "%disable%"
        OR CommandLine LIKE~ "%delete%"
      )
      AND UserSid != "S-1-5-18";
    #event_simpleName = "RegistryOperationDetectInfo":
      RegObjectName LIKE~ "%Windows Defender%"
      AND RegOperationType IN ("CREATE", "SET", "DELETE")
      AND UserSid NOT IN ("S-1-5-18", "S-1-5-19") ;
  }
| eval TamperType = case(
    ImageFileName LIKE~ "%powershell.exe" AND CommandLine LIKE~ "%Set-MpPreference%", "PowerShell_Defender_Config_Change",
    ImageFileName LIKE~ "%sc.exe", "Service_Stop_Disable",
    #event_simpleName = "RegistryOperationDetectInfo", "Registry_Tamper",
    true(), "Unknown"
  )
| stats count() AS EventCount, values(CommandLine) AS Commands, values(RegObjectName) AS RegistryTargets, values(TamperType) AS TamperTypes, min(timestamp) AS FirstSeen, max(timestamp) AS LastSeen BY aid, UserName, ComputerName
| where EventCount >= 1
| sort -LastSeen

CrowdStrike Falcon LogScale (CQL) query detecting Defender tamper activity via process events (PowerShell Set-MpPreference abuse, sc.exe service manipulation) and registry modification events targeting Windows Defender configuration keys, consistent with CVE-2026-33825 access control bypass.

critical severity high confidence

Data Sources

CrowdStrike Falcon CrowdStrike Falcon LogScale CrowdStrike EDR Process Events CrowdStrike Registry Events

Required Tables

ProcessRollup2 SyntheticProcessRollup2 RegistryOperationDetectInfo

False Positives

CrowdStrike Falcon sensor itself adjusting Defender settings for co-existence during initial deployment
IT administrators with elevated privileges performing authorized Defender policy remediation
MDM-enrolled endpoints receiving Defender configuration policy pushes from Intune or SCCM
Automated vulnerability remediation scripts legitimately reconfiguring Defender after patch application

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation (CVE-2026-33825) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2026-33825 Sigma rules on detection.fyi

Platform-specific guides for CVE-2026-33825

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-06-19 Research depth: standard

References (2)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Disable Defender Real-Time Monitoring via PowerShell (CVE-2026-33825 Simulation)
Expected signal: Sysmon EventID 1 (process creation) for powershell.exe with CommandLine containing Set-MpPreference and DisableRealtimeMonitoring; Windows Defender Operational EventID 5001 (real-time protection disabled); DeviceProcessEvents in MDE showing the PowerShell invocation
Test 2Add Defender Exclusion Path via PowerShell
Expected signal: Sysmon EventID 1 for powershell.exe with Add-MpPreference and ExclusionPath in CommandLine; Defender Operational EventID 5007 (configuration changed) with new exclusion path; registry modification to HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Test 3Stop WinDefend Service via sc.exe
Expected signal: Sysmon EventID 1 (process creation) for sc.exe with CommandLine 'sc stop WinDefend'; Windows System EventID 7036 (WinDefend service stopped); Security EventID 4689 (process exit) for MsMpEng.exe if service fully stops; Defender Operational EventID 5001
Test 4Modify Defender Registry Key to Disable Antispyware
Expected signal: Sysmon EventID 13 (registry value set) with TargetObject HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware and Details=DWORD (0x00000001); Security EventID 4657 for registry write to Defender policy key; Defender Operational EventID 5007

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2026-33825 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0005Defense Evasion TA0004Privilege Escalation TA0003Persistence

Related Techniques

T1562.001Disable or Modify Tools T1548Abuse Elevation Control Mechanism T1543.003Windows Service T1112Modify Registry

Vulnerability Intelligence

CVE

Affected Software

Weakness (CWE)

Timeline

References & Proof of Concept

CVSS

What is CVE-2026-33825 CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for CVE-2026-33825

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox