Detect CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation in Elastic Security
Detects exploitation attempts targeting CVE-2026-33825, an insufficient granularity of access control vulnerability (CWE-1220) in Microsoft Defender. This KEV-listed vulnerability allows attackers to bypass Defender access controls, potentially disabling protections, modifying exclusions, or tampering with security configurations without appropriate privilege levels.
MITRE ATT&CK
Elastic Detection Query
sequence by host.name with maxspan=10m
[process where event.type == "start" and
(
(process.name : "powershell.exe" and process.command_line : ("*Set-MpPreference*", "*Add-MpPreference*", "*Remove-MpPreference*") and
process.command_line : ("*DisableRealtimeMonitoring*", "*ExclusionPath*", "*ExclusionProcess*", "*DisableBehaviorMonitoring*", "*DisableIOAVProtection*"))
or
(process.name : "sc.exe" and process.command_line : ("*WinDefend*", "*SecurityHealthService*") and process.command_line : ("*stop*", "*disable*", "*config*", "*delete*"))
or
(process.name : "reg.exe" and process.command_line : ("*Windows Defender*") and process.command_line : ("*add*", "*delete*"))
) and
not user.name : ("SYSTEM", "TrustedInstaller")
]
[registry where event.type in ("change", "creation", "deletion") and
registry.path : (
"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\*",
"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\*"
) and
not process.name : ("MsMpEng.exe", "NisSrv.exe", "MpCmdRun.exe", "SecurityHealthService.exe")
]Elastic EQL sequence detecting a process-level Defender tampering command followed within 10 minutes by a registry modification to Defender configuration keys, both initiated by non-system accounts, indicative of CVE-2026-33825 access control bypass.
Data Sources
Required Tables
False Positives & Tuning
- Endpoint management agents (Intune, SCCM) performing policy-driven Defender configuration changes
- Security engineers running authorized Defender hardening or misconfiguration remediation scripts
- Enterprise AV migration tools temporarily disabling Defender protections
Other platforms for CVE-2026-33825
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Disable Defender Real-Time Monitoring via PowerShell (CVE-2026-33825 Simulation)
Expected signal: Sysmon EventID 1 (process creation) for powershell.exe with CommandLine containing Set-MpPreference and DisableRealtimeMonitoring; Windows Defender Operational EventID 5001 (real-time protection disabled); DeviceProcessEvents in MDE showing the PowerShell invocation
- Test 2Add Defender Exclusion Path via PowerShell
Expected signal: Sysmon EventID 1 for powershell.exe with Add-MpPreference and ExclusionPath in CommandLine; Defender Operational EventID 5007 (configuration changed) with new exclusion path; registry modification to HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
- Test 3Stop WinDefend Service via sc.exe
Expected signal: Sysmon EventID 1 (process creation) for sc.exe with CommandLine 'sc stop WinDefend'; Windows System EventID 7036 (WinDefend service stopped); Security EventID 4689 (process exit) for MsMpEng.exe if service fully stops; Defender Operational EventID 5001
- Test 4Modify Defender Registry Key to Disable Antispyware
Expected signal: Sysmon EventID 13 (registry value set) with TargetObject HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware and Details=DWORD (0x00000001); Security EventID 4657 for registry write to Defender policy key; Defender Operational EventID 5007
Unlock Pro Content
Get the full detection package for CVE-2026-33825 including response playbook, investigation guide, and atomic red team tests.