Which SIEM platforms have a CVE-2026-33825 detection rule?

df00tech provides CVE-2026-33825 (CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the CVE-2026-33825 detection?

The CVE-2026-33825 detection is rated critical severity with high confidence.

What are common false positives for CVE-2026-33825?

Common false positives for CVE-2026-33825 include: Legitimate IT administrators using approved tooling to manage Defender policy via Group Policy or MDM; Authorized security operations teams running Defender health checks or remediation scripts; Endpoint management platforms (SCCM, Intune, Tanium) modifying Defender configuration as part of policy enforcement.

CVE-2026-33825 CrowdStrike LogScale · LogScale

Detect CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation in CrowdStrike LogScale

Q: What data sources are required to detect CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation (CVE-2026-33825)?

Detecting CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation requires the following data sources: Microsoft Sentinel, Microsoft Defender for Endpoint, Security Events, DeviceRegistryEvents, DeviceProcessEvents.

Detects exploitation attempts targeting CVE-2026-33825, an insufficient granularity of access control vulnerability (CWE-1220) in Microsoft Defender. This KEV-listed vulnerability allows attackers to bypass Defender access controls, potentially disabling protections, modifying exclusions, or tampering with security configurations without appropriate privilege levels.

MITRE ATT&CK

Tactic: Defense Evasion Privilege Escalation Persistence

LogScale Detection Query

CrowdStrike LogScale (LogScale)

cql

#event_simpleName IN (ProcessRollup2, SyntheticProcessRollup2, RegistryOperationDetectInfo, DirectoryOperationDetectInfo)
| case {
    #event_simpleName IN (ProcessRollup2, SyntheticProcessRollup2):
      ImageFileName LIKE~ "%powershell.exe"
      AND CommandLine LIKE~ "%Set-MpPreference%"
      AND (
        CommandLine LIKE~ "%DisableRealtimeMonitoring%"
        OR CommandLine LIKE~ "%ExclusionPath%"
        OR CommandLine LIKE~ "%ExclusionProcess%"
        OR CommandLine LIKE~ "%DisableBehaviorMonitoring%"
        OR CommandLine LIKE~ "%DisableIOAVProtection%"
      )
      AND UserIsAdmin != "1";
    #event_simpleName IN (ProcessRollup2, SyntheticProcessRollup2):
      ImageFileName LIKE~ "%sc.exe"
      AND CommandLine LIKE~ "%WinDefend%"
      AND (
        CommandLine LIKE~ "%stop%"
        OR CommandLine LIKE~ "%disable%"
        OR CommandLine LIKE~ "%delete%"
      )
      AND UserSid != "S-1-5-18";
    #event_simpleName = "RegistryOperationDetectInfo":
      RegObjectName LIKE~ "%Windows Defender%"
      AND RegOperationType IN ("CREATE", "SET", "DELETE")
      AND UserSid NOT IN ("S-1-5-18", "S-1-5-19") ;
  }
| eval TamperType = case(
    ImageFileName LIKE~ "%powershell.exe" AND CommandLine LIKE~ "%Set-MpPreference%", "PowerShell_Defender_Config_Change",
    ImageFileName LIKE~ "%sc.exe", "Service_Stop_Disable",
    #event_simpleName = "RegistryOperationDetectInfo", "Registry_Tamper",
    true(), "Unknown"
  )
| stats count() AS EventCount, values(CommandLine) AS Commands, values(RegObjectName) AS RegistryTargets, values(TamperType) AS TamperTypes, min(timestamp) AS FirstSeen, max(timestamp) AS LastSeen BY aid, UserName, ComputerName
| where EventCount >= 1
| sort -LastSeen

critical severity high confidence

CrowdStrike Falcon LogScale (CQL) query detecting Defender tamper activity via process events (PowerShell Set-MpPreference abuse, sc.exe service manipulation) and registry modification events targeting Windows Defender configuration keys, consistent with CVE-2026-33825 access control bypass.

Data Sources

CrowdStrike FalconCrowdStrike Falcon LogScaleCrowdStrike EDR Process EventsCrowdStrike Registry Events

Required Tables

ProcessRollup2SyntheticProcessRollup2RegistryOperationDetectInfo

False Positives & Tuning

CrowdStrike Falcon sensor itself adjusting Defender settings for co-existence during initial deployment
IT administrators with elevated privileges performing authorized Defender policy remediation
MDM-enrolled endpoints receiving Defender configuration policy pushes from Intune or SCCM
Automated vulnerability remediation scripts legitimately reconfiguring Defender after patch application

Other platforms for CVE-2026-33825

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Disable Defender Real-Time Monitoring via PowerShell (CVE-2026-33825 Simulation)
Expected signal: Sysmon EventID 1 (process creation) for powershell.exe with CommandLine containing Set-MpPreference and DisableRealtimeMonitoring; Windows Defender Operational EventID 5001 (real-time protection disabled); DeviceProcessEvents in MDE showing the PowerShell invocation
Test 2Add Defender Exclusion Path via PowerShell
Expected signal: Sysmon EventID 1 for powershell.exe with Add-MpPreference and ExclusionPath in CommandLine; Defender Operational EventID 5007 (configuration changed) with new exclusion path; registry modification to HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Test 3Stop WinDefend Service via sc.exe
Expected signal: Sysmon EventID 1 (process creation) for sc.exe with CommandLine 'sc stop WinDefend'; Windows System EventID 7036 (WinDefend service stopped); Security EventID 4689 (process exit) for MsMpEng.exe if service fully stops; Defender Operational EventID 5001
Test 4Modify Defender Registry Key to Disable Antispyware
Expected signal: Sysmon EventID 13 (registry value set) with TargetObject HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware and Details=DWORD (0x00000001); Security EventID 4657 for registry write to Defender policy key; Defender Operational EventID 5007

Last updated: 2026-06-19 Research depth: standard

References (2)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2026-33825 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0005Defense Evasion TA0004Privilege Escalation TA0003Persistence

Related Techniques

T1562.001Disable or Modify Tools T1548Abuse Elevation Control Mechanism T1543.003Windows Service T1112Modify Registry

Detect CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation in CrowdStrike LogScale

MITRE ATT&CK

LogScale Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2026-33825

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

MITRE ATT&CK

LogScale Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2026-33825

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox