Which SIEM platforms have a CVE-2026-33825 detection rule?

df00tech provides CVE-2026-33825 (CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the CVE-2026-33825 detection?

The CVE-2026-33825 detection is rated critical severity with high confidence.

What are common false positives for CVE-2026-33825?

Common false positives for CVE-2026-33825 include: Legitimate IT administrators using approved tooling to manage Defender policy via Group Policy or MDM; Authorized security operations teams running Defender health checks or remediation scripts; Endpoint management platforms (SCCM, Intune, Tanium) modifying Defender configuration as part of policy enforcement.

CVE-2026-33825 IBM QRadar · QRadar

Detect CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation in IBM QRadar

Q: What data sources are required to detect CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation (CVE-2026-33825)?

Detecting CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation requires the following data sources: Microsoft Sentinel, Microsoft Defender for Endpoint, Security Events, DeviceRegistryEvents, DeviceProcessEvents.

Detects exploitation attempts targeting CVE-2026-33825, an insufficient granularity of access control vulnerability (CWE-1220) in Microsoft Defender. This KEV-listed vulnerability allows attackers to bypass Defender access controls, potentially disabling protections, modifying exclusions, or tampering with security configurations without appropriate privilege levels.

MITRE ATT&CK

Tactic: Defense Evasion Privilege Escalation Persistence

QRadar Detection Query

IBM QRadar (QRadar)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  QIDNAME(qid) AS event_name,
  categoryname(category) AS category,
  "sourceip" AS src_ip,
  "destinationip" AS dst_ip,
  HOSTNAME AS host,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Target Object" AS target_object,
  magnitude
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon', 'Microsoft Windows Defender')
  AND (
    (eventid IN (5001, 5004, 5007, 5010, 5012, 5013) AND LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Defender')
    OR (eventid IN (4657, 4670) AND ("Object Name" ILIKE '%Windows Defender%' OR "Object Name" ILIKE '%MsMpEng%'))
    OR (
      LOGSOURCETYPENAME(devicetype) = 'Microsoft Sysmon'
      AND eventid IN (1, 13)
      AND (
        ("Process Name" ILIKE '%powershell.exe' AND ("Command" ILIKE '%Set-MpPreference%' OR "Command" ILIKE '%DisableRealtimeMonitoring%' OR "Command" ILIKE '%ExclusionPath%'))
        OR ("Process Name" ILIKE '%sc.exe' AND ("Command" ILIKE '%WinDefend%' OR "Command" ILIKE '%SecurityHealthService%') AND ("Command" ILIKE '%stop%' OR "Command" ILIKE '%disable%'))
        OR ("Process Name" ILIKE '%reg.exe' AND "Command" ILIKE '%Windows Defender%' AND ("Command" ILIKE '% add %' OR "Command" ILIKE '% delete %'))
      )
      AND username NOT ILIKE '%SYSTEM%'
      AND username NOT ILIKE '%TrustedInstaller%'
    )
  )
  AND LAST 24 HOURS
ORDER BY devicetime DESC
LIMIT 500

critical severity medium confidence

QRadar AQL query correlating Windows Defender operational events (protection state changes, config modifications), Security Event Log registry ACL changes targeting Defender keys, and Sysmon process events capturing PowerShell, sc.exe, and reg.exe Defender tampering — collectively indicating CVE-2026-33825 exploitation.

Data Sources

QRadar SIEMWindows Security Event Log DSMMicrosoft Sysmon DSMMicrosoft Defender DSM

Required Tables

events

False Positives & Tuning

Authorized IT administrators managing Defender via approved GPO or scripting frameworks
Enterprise software deployment systems modifying Defender exclusions for line-of-business applications
Security operations teams running scheduled Defender health validation scripts
MDM-driven configuration enforcement generating legitimate Defender policy change events

Other platforms for CVE-2026-33825

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Disable Defender Real-Time Monitoring via PowerShell (CVE-2026-33825 Simulation)
Expected signal: Sysmon EventID 1 (process creation) for powershell.exe with CommandLine containing Set-MpPreference and DisableRealtimeMonitoring; Windows Defender Operational EventID 5001 (real-time protection disabled); DeviceProcessEvents in MDE showing the PowerShell invocation
Test 2Add Defender Exclusion Path via PowerShell
Expected signal: Sysmon EventID 1 for powershell.exe with Add-MpPreference and ExclusionPath in CommandLine; Defender Operational EventID 5007 (configuration changed) with new exclusion path; registry modification to HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
Test 3Stop WinDefend Service via sc.exe
Expected signal: Sysmon EventID 1 (process creation) for sc.exe with CommandLine 'sc stop WinDefend'; Windows System EventID 7036 (WinDefend service stopped); Security EventID 4689 (process exit) for MsMpEng.exe if service fully stops; Defender Operational EventID 5001
Test 4Modify Defender Registry Key to Disable Antispyware
Expected signal: Sysmon EventID 13 (registry value set) with TargetObject HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware and Details=DWORD (0x00000001); Security EventID 4657 for registry write to Defender policy key; Defender Operational EventID 5007

Last updated: 2026-06-19 Research depth: standard

References (2)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2026-33825 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0005Defense Evasion TA0004Privilege Escalation TA0003Persistence

Related Techniques

T1562.001Disable or Modify Tools T1548Abuse Elevation Control Mechanism T1543.003Windows Service T1112Modify Registry

Detect CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation in IBM QRadar

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2026-33825

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2026-33825

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox