CVE-2026-33825 Microsoft Sentinel · KQL

Detect CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation in Microsoft Sentinel

Detects exploitation attempts targeting CVE-2026-33825, an insufficient granularity of access control vulnerability (CWE-1220) in Microsoft Defender. This KEV-listed vulnerability allows attackers to bypass Defender access controls, potentially disabling protections, modifying exclusions, or tampering with security configurations without appropriate privilege levels.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation Persistence

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let DefenderTamperEvents = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4657, 4670, 4907)
| where ObjectName has_any ("Windows Defender", "MsMpEng", "WinDefend", "SecurityHealthService")
| where AccessMask in ("0x2", "0x4", "0x20", "0x40");
let DefenderConfigChanges = DeviceRegistryEvents
| where TimeGenerated > ago(24h)
| where RegistryKey has_any (
    "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
  )
| where ActionType in ("RegistryValueSet", "RegistryValueDeleted", "RegistryKeyCreated")
| where InitiatingProcessAccountName !in ("SYSTEM", "TrustedInstaller")
| where InitiatingProcessFileName !in~ ("MsMpEng.exe", "NisSrv.exe", "SecurityHealthService.exe", "MpCmdRun.exe");
let DefenderServiceChanges = DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where (FileName =~ "sc.exe" and ProcessCommandLine has_any ("WinDefend", "MsMpEng", "SecurityHealthService") and ProcessCommandLine has_any ("stop", "config", "delete", "disable"))
   or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Set-MpPreference", "Add-MpPreference", "Remove-MpPreference", "Disable-WindowsOptionalFeature") and ProcessCommandLine has_any ("-DisableRealtimeMonitoring", "ExclusionPath", "ExclusionProcess", "-DisableIOAVProtection", "-DisableBehaviorMonitoring"))
   or (FileName =~ "reg.exe" and ProcessCommandLine has "Windows Defender" and ProcessCommandLine has_any ("add", "delete"));
union DefenderTamperEvents, DefenderConfigChanges, DefenderServiceChanges
| extend AccountName = coalesce(InitiatingProcessAccountName, SubjectUserName, ""), HostName = coalesce(DeviceName, Computer, "")
| summarize EventCount=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), Commands=make_set(coalesce(ProcessCommandLine, ObjectName, RegistryKey), 20) by AccountName, HostName, bin(TimeGenerated, 5m)
| where EventCount >= 1
| extend AlertTitle = "CVE-2026-33825 - Suspected Defender Access Control Bypass"
| project LastSeen, FirstSeen, AlertTitle, AccountName, HostName, EventCount, Commands
critical severity high confidence

Detects registry modifications, service configuration changes, and PowerShell commands consistent with exploitation of CVE-2026-33825 — bypassing Defender access controls to disable protections or add exclusions without appropriate privileges.

Data Sources

Microsoft SentinelMicrosoft Defender for EndpointSecurity EventsDeviceRegistryEventsDeviceProcessEvents

Required Tables

SecurityEventDeviceRegistryEventsDeviceProcessEvents

False Positives & Tuning

  • Legitimate IT administrators using approved tooling to manage Defender policy via Group Policy or MDM
  • Authorized security operations teams running Defender health checks or remediation scripts
  • Endpoint management platforms (SCCM, Intune, Tanium) modifying Defender configuration as part of policy enforcement
  • Antivirus migration tools that temporarily disable Defender during third-party AV installation

Other platforms for CVE-2026-33825

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Disable Defender Real-Time Monitoring via PowerShell (CVE-2026-33825 Simulation)

    Expected signal: Sysmon EventID 1 (process creation) for powershell.exe with CommandLine containing Set-MpPreference and DisableRealtimeMonitoring; Windows Defender Operational EventID 5001 (real-time protection disabled); DeviceProcessEvents in MDE showing the PowerShell invocation

  2. Test 2Add Defender Exclusion Path via PowerShell

    Expected signal: Sysmon EventID 1 for powershell.exe with Add-MpPreference and ExclusionPath in CommandLine; Defender Operational EventID 5007 (configuration changed) with new exclusion path; registry modification to HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

  3. Test 3Stop WinDefend Service via sc.exe

    Expected signal: Sysmon EventID 1 (process creation) for sc.exe with CommandLine 'sc stop WinDefend'; Windows System EventID 7036 (WinDefend service stopped); Security EventID 4689 (process exit) for MsMpEng.exe if service fully stops; Defender Operational EventID 5001

  4. Test 4Modify Defender Registry Key to Disable Antispyware

    Expected signal: Sysmon EventID 13 (registry value set) with TargetObject HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware and Details=DWORD (0x00000001); Security EventID 4657 for registry write to Defender policy key; Defender Operational EventID 5007

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-33825 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0005Defense EvasionTA0004Privilege EscalationTA0003Persistence

Related Techniques

T1562.001Disable or Modify ToolsT1548Abuse Elevation Control MechanismT1543.003Windows ServiceT1112Modify Registry

Same Tactic: Defense Evasion

Popular Detections