Detect CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation in Google Chronicle
Detects exploitation attempts targeting CVE-2026-33825, an insufficient granularity of access control vulnerability (CWE-1220) in Microsoft Defender. This KEV-listed vulnerability allows attackers to bypass Defender access controls, potentially disabling protections, modifying exclusions, or tampering with security configurations without appropriate privilege levels.
YARA-L Detection Query
rule cve_2026_33825_defender_access_control_bypass {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects exploitation of CVE-2026-33825: Microsoft Defender Insufficient Access Control. Monitors Defender tamper events, registry modifications, and process-level bypass attempts."
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825"
    mitre_attack = "T1562.001, T1548"
    cve = "CVE-2026-33825"
    rule_version = "1.0"

  events:
    (
      // Windows Defender Operational - protection disabled or configuration changed
      $e1.metadata.event_type = "PROCESS_UNCATEGORIZED"
      and $e1.metadata.product_name = "Microsoft-Windows-Windows Defender"
      and $e1.metadata.product_event_type in ("5001", "5004", "5007", "5010", "5012", "5013")
    )
    or
    (
      // Registry modification to Defender keys by a non-system account
      // (excludes SYSTEM, LOCAL SERVICE and the WinDefend service SID)
      $e1.metadata.event_type = "REGISTRY_MODIFICATION"
      and re.regex($e1.target.registry.registry_key, `(?i)(HKLM\\SOFTWARE\\(Policies\\)?Microsoft\\Windows Defender)`)
      and not $e1.principal.user.userid in ("S-1-5-18", "S-1-5-19", "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464")
    )
    or
    (
      // PowerShell Defender bypass commands
      // For PROCESS_LAUNCH the launched binary is the target process, so the path
      // is checked on target.process (the same field the sc.exe branch below uses)
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.target.process.file.full_path, `(?i)powershell\.exe$`)
      and re.regex($e1.target.process.command_line, `(?i)(Set-MpPreference|Add-MpPreference|Remove-MpPreference).*(DisableRealtimeMonitoring|ExclusionPath|ExclusionProcess|DisableBehaviorMonitoring|DisableIOAVProtection)`)
      and not $e1.principal.user.userid = "S-1-5-18"
    )
    or
    (
      // sc.exe stopping/disabling Defender services
      // The verb may precede the service name ("sc stop WinDefend") or follow it
      // ("sc config WinDefend start= disabled"), so both orders are matched
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.target.process.file.full_path, `(?i)sc\.exe$`)
      and re.regex($e1.target.process.command_line, `(?i)((WinDefend|MsMpEng|SecurityHealthService).*(stop|disable|delete|config)|(stop|disable|delete|config).*(WinDefend|MsMpEng|SecurityHealthService))`)
      and not $e1.principal.user.userid = "S-1-5-18"
    )

  condition:
    $e1
}

Chronicle YARA-L 2.0 rule detecting CVE-2026-33825 Defender access control bypass via Defender operational event monitoring, registry modification detection on Defender configuration keys, and process-level command monitoring for PowerShell and sc.exe tampering.
False Positives & Tuning
- SYSTEM account (S-1-5-18) performing legitimate Defender configuration updates during Windows Update
- Authorized Group Policy processing modifying Defender registry keys from legitimate policy application
- IT helpdesk personnel adding temporary Defender exclusions for software installation via approved change tickets
- Enterprise security tools (CrowdStrike, Carbon Black) adjusting Defender settings for product co-existence
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Disable Defender Real-Time Monitoring via PowerShell (CVE-2026-33825 Simulation)
  Expected signal: Sysmon EventID 1 (process creation) for powershell.exe with CommandLine containing Set-MpPreference and DisableRealtimeMonitoring; Windows Defender Operational EventID 5001 (real-time protection disabled); DeviceProcessEvents in MDE showing the PowerShell invocation
- Test 2: Add Defender Exclusion Path via PowerShell
  Expected signal: Sysmon EventID 1 for powershell.exe with Add-MpPreference and ExclusionPath in CommandLine; Defender Operational EventID 5007 (configuration changed) with the new exclusion path; registry modification to HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
- Test 3: Stop WinDefend Service via sc.exe
  Expected signal: Sysmon EventID 1 (process creation) for sc.exe with CommandLine 'sc stop WinDefend'; Windows System EventID 7036 (WinDefend service stopped); Security EventID 4689 (process exit) for MsMpEng.exe if the service fully stops; Defender Operational EventID 5001
- Test 4: Modify Defender Registry Key to Disable Antispyware
  Expected signal: Sysmon EventID 13 (registry value set) with TargetObject HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware and Details=DWORD (0x00000001); Security EventID 4657 for the registry write to the Defender policy key; Defender Operational EventID 5007
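To see how the rule's four branches and its SYSTEM-account exclusion (listed under False Positives) partition the telemetry the tests above generate, here is an added Python evaluator that re-implements the rule logic over constructed UDM-shaped events; it is not code from this page or from Chronicle, and its dict keys (`target_path`, `userid`, `registry_key`, ...) are flattened stand-ins for the UDM field paths named in the rule.

```python
import re

# Rule constants copied from the YARA-L branches above.
DEFENDER_EVENT_IDS = {"5001", "5004", "5007", "5010", "5012", "5013"}
DEFENDER_KEY = re.compile(r"(?i)HKLM\\SOFTWARE\\(Policies\\)?Microsoft\\Windows Defender")
MP_CMDLET = re.compile(r"(?i)(Set-MpPreference|Add-MpPreference|Remove-MpPreference).*"
                       r"(DisableRealtimeMonitoring|ExclusionPath|ExclusionProcess|"
                       r"DisableBehaviorMonitoring|DisableIOAVProtection)")
SC_TAMPER = re.compile(r"(?i)((WinDefend|MsMpEng|SecurityHealthService).*(stop|disable|delete|config)"
                       r"|(stop|disable|delete|config).*(WinDefend|MsMpEng|SecurityHealthService))")
SYSTEM = "S-1-5-18"
# SIDs the registry branch ignores: SYSTEM, LOCAL SERVICE and the WinDefend service SID.
TRUSTED_SIDS = {SYSTEM, "S-1-5-19",
                "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"}

def match_branch(e: dict):
    """Return the first rule branch the event satisfies, else None (keys are flattened UDM paths)."""
    et, user = e.get("event_type"), e.get("userid", "")
    if (et == "PROCESS_UNCATEGORIZED"
            and e.get("product_name") == "Microsoft-Windows-Windows Defender"
            and e.get("product_event_type") in DEFENDER_EVENT_IDS):
        return "defender_operational"
    if (et == "REGISTRY_MODIFICATION" and user not in TRUSTED_SIDS
            and DEFENDER_KEY.search(e.get("registry_key", ""))):
        return "registry_non_system"
    if et == "PROCESS_LAUNCH" and user != SYSTEM:  # both process branches exclude SYSTEM
        path, cmd = e.get("target_path", ""), e.get("command_line", "")
        if re.search(r"(?i)powershell\.exe$", path) and MP_CMDLET.search(cmd):
            return "powershell_mppreference"
        if re.search(r"(?i)sc\.exe$", path) and SC_TAMPER.search(cmd):
            return "sc_service_tamper"
    return None

# Constructed sample events (not real telemetry); USER is a made-up domain SID.
USER = "S-1-5-21-1111-2222-3333-1001"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"event_type": "PROCESS_LAUNCH", "userid": USER, "target_path": PS,          # Test 1 signal
     "command_line": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"event_type": "PROCESS_LAUNCH", "userid": SYSTEM, "target_path": PS,        # same, by SYSTEM
     "command_line": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"event_type": "REGISTRY_MODIFICATION", "userid": USER,                      # Test 4 signal
     "registry_key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"event_type": "PROCESS_UNCATEGORIZED", "product_name": "Microsoft-Windows-Windows Defender",
     "product_event_type": "5001"},                                              # Defender 5001
    {"event_type": "PROCESS_LAUNCH", "userid": USER, "target_path": r"C:\Windows\System32\sc.exe",
     "command_line": "sc.exe query WinDefend"},                                  # benign status query
]

def triage(events=SAMPLE_EVENTS):  # branch tripped per event; None means the rule stays silent
    return [match_branch(e) for e in events]
```

Running `triage()` shows the SYSTEM-launched PowerShell and the `sc query` stay silent while the other three events each land in a distinct branch.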