Detect CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation in Splunk

Detects exploitation attempts targeting CVE-2026-33825, an insufficient granularity of access control vulnerability (CWE-1220) in Microsoft Defender. This KEV-listed vulnerability allows attackers to bypass Defender access controls, potentially disabling protections, modifying exclusions, or tampering with security configurations without appropriate privilege levels.

MITRE ATT&CK

Tactic
  • Defense Evasion
  • Privilege Escalation
  • Persistence

SPL Detection Query

Splunk (SPL)
index=wineventlog OR index=sysmon OR index=defender
| eval source_category=case(
    sourcetype="WinEventLog:Security", "security_events",
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "sysmon",
    sourcetype="WinEventLog:Microsoft-Windows-Windows Defender/Operational", "defender_ops",
    true(), "other"
  )
| where (EventCode IN (5001, 5004, 5007, 5010, 5012, 5013, 3002) AND sourcetype="WinEventLog:Microsoft-Windows-Windows Defender/Operational")
  OR (EventCode IN (4657, 4670) AND (Object_Name LIKE "%Windows Defender%" OR Object_Name LIKE "%MsMpEng%"))
  OR (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode=13 AND TargetObject LIKE "%Windows Defender%" AND (NOT (User="NT AUTHORITY\\SYSTEM" OR User="NT AUTHORITY\\LOCAL SERVICE")))
  OR (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode IN (1, 11) AND (
       (Image LIKE "%powershell.exe" AND (CommandLine LIKE "%Set-MpPreference%" OR CommandLine LIKE "%DisableRealtimeMonitoring%" OR CommandLine LIKE "%ExclusionPath%"))
    OR (Image LIKE "%sc.exe" AND (CommandLine LIKE "%WinDefend%" OR CommandLine LIKE "%MsMpEng%") AND (CommandLine LIKE "%stop%" OR CommandLine LIKE "%disable%"))
    OR (Image LIKE "%reg.exe" AND CommandLine LIKE "%Windows Defender%" AND (CommandLine LIKE "% add %" OR CommandLine LIKE "% delete %"))
  ))
| eval suspicious_indicator=case(
    EventCode IN (5001, 5004, 5010, 5012, 5013), "Defender_Protection_Disabled",
    EventCode=5007, "Defender_Config_Modified",
    EventCode IN (4657, 4670), "Registry_ACL_Changed",
    CommandLine LIKE "%DisableRealtimeMonitoring%" OR CommandLine LIKE "%ExclusionPath%", "RealTime_Exclusion_Added",
    CommandLine LIKE "%stop%" OR CommandLine LIKE "%disable%", "Defender_Service_Stopped",
    true(), "Unknown_Tamper_Activity"
  )
| eval host_name=coalesce(ComputerName, host, "unknown"), account=coalesce(User, SubjectUserName, "unknown")
| stats count AS event_count, values(suspicious_indicator) AS indicators, min(_time) AS first_seen, max(_time) AS last_seen, values(CommandLine) AS commands BY host_name, account
| where event_count >= 1
| eval alert="CVE-2026-33825 Suspected Defender Access Control Bypass"
| table last_seen, first_seen, alert, host_name, account, event_count, indicators, commands
| sort -last_seen
Severity: critical · Confidence: high

Splunk query that detects Defender Operational log events indicating protection status changes (5001, 5004, 5010, 5012, 5013) or configuration modifications (5007), Security log registry ACL changes (4657, 4670) on Defender objects, and Sysmon process- or registry-level Defender tampering consistent with CVE-2026-33825 exploitation.

Data Sources

  • Windows Event Logs
  • Sysmon
  • Microsoft Defender Operational Logs

Required Sourcetypes

  • WinEventLog:Security
  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • WinEventLog:Microsoft-Windows-Windows Defender/Operational

False Positives & Tuning

  • Group Policy or MDM-enforced Defender configuration changes applied by SYSTEM or TrustedInstaller accounts
  • Security product migrations where Defender is intentionally disabled before installing an enterprise AV solution
  • Authorized red team or penetration testing exercises with documented scope
  • Automated patching workflows that temporarily modify Defender exclusions during software deployment

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Disable Defender Real-Time Monitoring via PowerShell (CVE-2026-33825 Simulation)

    Expected signal: Sysmon EventID 1 (process creation) for powershell.exe with CommandLine containing Set-MpPreference and DisableRealtimeMonitoring; Windows Defender Operational EventID 5001 (real-time protection disabled); DeviceProcessEvents in MDE showing the PowerShell invocation

  2. Test 2: Add Defender Exclusion Path via PowerShell

    Expected signal: Sysmon EventID 1 for powershell.exe with Add-MpPreference and ExclusionPath in CommandLine; Defender Operational EventID 5007 (configuration changed) with new exclusion path; registry modification to HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

  3. Test 3: Stop WinDefend Service via sc.exe

    Expected signal: Sysmon EventID 1 (process creation) for sc.exe with CommandLine 'sc stop WinDefend'; Windows System EventID 7036 (WinDefend service stopped); Security EventID 4689 (process exit) for MsMpEng.exe if service fully stops; Defender Operational EventID 5001

  4. Test 4: Modify Defender Registry Key to Disable Antispyware

    Expected signal: Sysmon EventID 13 (registry value set) with TargetObject HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware and Details=DWORD (0x00000001); Security EventID 4657 for registry write to Defender policy key; Defender Operational EventID 5007
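As an added example, not code from the original page or its detection package: a Python mirror of the query's where, case and stats stages, run over constructed events shaped like the four tests above, so the classification logic can be unit-tested before the rule is deployed. Substring checks stand in for the SPL LIKE patterns; the event shapes, host WS01 and user CORP\alice are assumptions.

```python
# Added example (not the page's code): Python mirror of the SPL where/case/stats logic over constructed events.
DEFENDER_OPS = "WinEventLog:Microsoft-Windows-Windows Defender/Operational"
SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE"}
PS_KEYS = ("Set-MpPreference", "DisableRealtimeMonitoring", "ExclusionPath")

def matches(ev):
    """Mirror of the SPL `where` clause; substring checks stand in for LIKE "%x%"."""
    st, code, cmd, img = ev.get("sourcetype"), ev.get("EventCode"), ev.get("CommandLine", ""), ev.get("Image", "")
    if st == DEFENDER_OPS and code in (5001, 5004, 5007, 5010, 5012, 5013, 3002):
        return True
    if code in (4657, 4670) and any(k in ev.get("Object_Name", "") for k in ("Windows Defender", "MsMpEng")):
        return True
    if st == SYSMON and code == 13:  # registry value set by a non-service account
        return "Windows Defender" in ev.get("TargetObject", "") and ev.get("User") not in SERVICE_ACCOUNTS
    return st == SYSMON and code in (1, 11) and (
        (img.endswith("powershell.exe") and any(k in cmd for k in PS_KEYS))
        or (img.endswith("sc.exe") and any(k in cmd for k in ("WinDefend", "MsMpEng")) and any(v in cmd for v in ("stop", "disable")))
        or (img.endswith("reg.exe") and "Windows Defender" in cmd and (" add " in cmd or " delete " in cmd)))

def indicator(ev):
    """Mirror of the SPL `case()` label; branch order matters, exactly as in the query."""
    code, cmd = ev.get("EventCode"), ev.get("CommandLine", "")
    if code in (5001, 5004, 5010, 5012, 5013): return "Defender_Protection_Disabled"
    if code == 5007: return "Defender_Config_Modified"
    if code in (4657, 4670): return "Registry_ACL_Changed"
    if "DisableRealtimeMonitoring" in cmd or "ExclusionPath" in cmd: return "RealTime_Exclusion_Added"
    if "stop" in cmd or "disable" in cmd: return "Defender_Service_Stopped"
    return "Unknown_Tamper_Activity"  # Sysmon 13 lands here: it carries no CommandLine

def summarize(events):
    """Mirror of `stats count, values(suspicious_indicator) BY host_name, account`."""
    rows = {}
    for ev in filter(matches, events):
        key = (ev.get("ComputerName", "unknown"), ev.get("User") or ev.get("SubjectUserName", "unknown"))
        row = rows.setdefault(key, {"event_count": 0, "indicators": set()})
        row["event_count"] += 1
        row["indicators"].add(indicator(ev))
    return rows

def ev(st, code, **fields):  # constructed-event helper; defaults to one assumed workstation and user
    return {"sourcetype": st, "EventCode": code, "ComputerName": "WS01", "User": "CORP\\alice", **fields}
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed: tests 1-4 from the Testing Methodology, plus a SYSTEM (GPO-style) write
    ev(SYSMON, 1, Image=PS, CommandLine="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ev(SYSMON, 1, Image=PS, CommandLine="powershell.exe Add-MpPreference -ExclusionPath C:\\Temp"),
    ev(SYSMON, 1, Image="C:\\Windows\\System32\\sc.exe", CommandLine="sc stop WinDefend"),
    ev(SYSMON, 13, TargetObject="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware"),
    ev(SYSMON, 13, TargetObject="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", User="NT AUTHORITY\\SYSTEM", ComputerName="WS02"),
]
```

Running `summarize(SAMPLE_EVENTS)` shows two quirks of the query's case() order worth knowing when tuning: the real-time-monitoring disable command is labelled RealTime_Exclusion_Added, and the Sysmon 13 policy write falls through to Unknown_Tamper_Activity because that event has no CommandLine.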
