Detect CVE-2026-33825 - Microsoft Defender Insufficient Access Control Exploitation in Sumo Logic CSE
Detects exploitation attempts targeting CVE-2026-33825, an insufficient granularity of access control vulnerability (CWE-1220) in Microsoft Defender. This KEV-listed vulnerability allows attackers to bypass Defender access controls, potentially disabling protections, modifying exclusions, or tampering with security configurations without appropriate privilege levels.
Sumo Detection Query
_sourceCategory=Windows/Security OR _sourceCategory=Windows/Sysmon OR _sourceCategory=Windows/Defender
| parse "EventID=*" as event_id nodrop
| parse "EventCode=*" as event_code nodrop
| parse "CommandLine=*" as command_line nodrop
| parse "TargetObject=*" as target_object nodrop
| parse "Object Name: *" as object_name nodrop
| parse "User=*" as user_account nodrop
| parse "ComputerName=*" as host_name nodrop
| parse "Process Name: *" as process_name nodrop
| where (
    // Defender Operational: protection disabled, configuration changed, or Tamper Protection blocked a change
    (event_id in ("5001", "5004", "5007", "5010", "5012", "5013") and _sourceCategory matches "*Defender*")
    // Security log: registry value modified (4657) or object permissions changed (4670) on Defender objects
    or (event_id in ("4657", "4670") and (object_name matches "*Windows Defender*" or object_name matches "*MsMpEng*"))
    or (
      _sourceCategory matches "*Sysmon*"
      and !(user_account matches "*SYSTEM*" or user_account matches "*TrustedInstaller*")
      and (
        // Sysmon 13: registry value written under a Defender key
        (event_id = "13" and target_object matches "*Windows Defender*")
        // Sysmon 1: process creation with a Defender-tampering command line
        or (
          event_id = "1"
          and (
            (command_line matches "*Set-MpPreference*" or command_line matches "*DisableRealtimeMonitoring*" or command_line matches "*ExclusionPath*")
            or (command_line matches "*WinDefend*" and (command_line matches "*stop*" or command_line matches "*disable*"))
            or (command_line matches "*Windows Defender*" and command_line matches "*reg.exe*")
          )
        )
      )
    )
  )
| eval indicator = if(event_id in ("5001","5010","5012"), "Defender_Disabled",
    if(event_id in ("5004","5007"), "Config_Modified",
    if(event_id = "5013", "Tamper_Protection_Blocked",
    if(event_id in ("4657","4670","13"), "Registry_Modified",
    if(command_line matches "*ExclusionPath*" or command_line matches "*DisableRealtimeMonitoring*", "Exclusion_or_RT_Modified",
    "Tamper_Detected")))))
| count as event_count, values(indicator) as indicators by user_account, host_name, _sourceCategory
| sort by event_count desc

Sumo Logic query parsing Windows Defender Operational events, Security Event Log registry value and permission changes, and Sysmon process and registry telemetry to identify Defender access control bypass activity consistent with CVE-2026-33825. Defender event 5013 (Tamper Protection blocked a change) and 5004 (real-time protection configuration changed) are labelled separately from a true disable (5001, 5010, 5012), and Security 4657 is a value modification rather than an ACL change, so the indicator names reflect that. Sysmon EventID 13 is matched on TargetObject, since registry events carry no command line.
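To show how the query's branches, exclusions and indicator labels behave on concrete telemetry, the following Python is an added example (not the vendor's query or any code from the original page) that re-implements the same logic over constructed events: the key=value parse step, the three source branches, the SYSTEM/TrustedInstaller exclusion, the indicator labels and the per-user/host roll-up. The account names, hostnames, the `MANAGEMENT_ACCOUNTS` set and the read-only cmdlet allowlist are assumptions, used to demonstrate the tuning described under False Positives & Tuning.

```python
"""Model of the Sumo detection above: the same Key=value parsing, match conditions, indicator
labels and per-user/host aggregation over constructed events. Added example, not the vendor's code."""
import re
from collections import defaultdict

# Defender Operational event IDs, grouped by the label the query assigns them
DEFENDER_DISABLED = {"5001", "5010", "5012"}   # real-time / malware / virus scanning disabled
DEFENDER_CONFIG = {"5004", "5007"}             # real-time protection config / configuration changed
TAMPER_BLOCKED = {"5013"}                      # Tamper Protection blocked a change
SECURITY_REGISTRY = {"4657", "4670"}           # registry value modified / object permissions changed
# Exact names: the query's *SYSTEM* wildcard would also drop an account merely containing "system"
PRIVILEGED_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT SERVICE\\TrustedInstaller"}
# Tuning knobs (assumed names): a config-management service account and read-only audit cmdlets
MANAGEMENT_ACCOUNTS = {"CORP\\svc_config"}
READ_ONLY_CMDLETS = ("Get-MpPreference", "Get-MpComputerStatus")
WRITE_CMDLETS = ("Set-MpPreference", "Add-MpPreference", "Remove-MpPreference")

# Key=value pairs; a value runs until the next " Key=", so a "=" inside a command line would split it
KV_RE = re.compile(r"([A-Za-z]+)=(.*?)(?=\s+[A-Za-z]+=|$)")


def parse_event(line):
    """Emulate the query's `parse "Key=*" as ... nodrop` stanzas on one flattened event line."""
    return {m.group(1): m.group(2) for m in KV_RE.finditer(line)}


def _has(text, *needles):
    """Case-insensitive substring test (PowerShell, sc.exe and reg.exe ignore case)."""
    return any(n.lower() in text.lower() for n in needles)


def classify(source_category, fields, tuned=False):
    """Indicator label the query would emit for one event, or None if the event does not match."""
    eid = fields.get("EventID", "")
    cmd = fields.get("CommandLine", "")
    user = fields.get("User", "")
    # Sysmon carries TargetObject; a Security 4657/4670 message carries "Object Name"
    target = fields.get("TargetObject") or fields.get("ObjectName", "")
    if tuned and user in MANAGEMENT_ACCOUNTS:
        return None
    if "Defender" in source_category:
        if eid in DEFENDER_DISABLED:
            return "Defender_Disabled"
        if eid in DEFENDER_CONFIG:
            return "Config_Modified"
        return "Tamper_Protection_Blocked" if eid in TAMPER_BLOCKED else None
    if "Security" in source_category:
        if eid in SECURITY_REGISTRY and _has(target, "Windows Defender", "MsMpEng"):
            return "Registry_Modified"
        return None
    if "Sysmon" in source_category:
        if user in PRIVILEGED_ACCOUNTS:
            return None
        if eid == "13" and _has(target, "Windows Defender"):
            return "Registry_Modified"
        if eid != "1":
            return None
        # Tuning: Get-MpPreference audits mention ExclusionPath but change nothing
        if tuned and _has(cmd, *READ_ONLY_CMDLETS) and not _has(cmd, *WRITE_CMDLETS):
            return None
        tampering = (
            _has(cmd, "Set-MpPreference", "DisableRealtimeMonitoring", "ExclusionPath")
            or (_has(cmd, "WinDefend") and _has(cmd, "stop", "disable"))
            or (_has(cmd, "Windows Defender") and _has(cmd, "reg.exe"))
        )
        if not tampering:
            return None
        if _has(cmd, "ExclusionPath", "DisableRealtimeMonitoring"):
            return "Exclusion_or_RT_Modified"
        return "Tamper_Detected"
    return None


def aggregate(events, tuned=False):
    """Equivalent of `count as event_count, values(indicator) by user_account, host_name, _sourceCategory`."""
    rows = defaultdict(lambda: {"event_count": 0, "indicators": set()})
    for source_category, line in events:
        fields = parse_event(line)
        label = classify(source_category, fields, tuned)
        if label is None:
            continue
        key = (fields.get("User", ""), fields.get("ComputerName", ""), source_category)
        rows[key]["event_count"] += 1
        rows[key]["indicators"].add(label)
    return dict(rows)


# Constructed sample telemetry, flattened to the Key=value form the query's parse stanzas expect
SAMPLE_EVENTS = [
    ("Windows/Sysmon", "EventID=1 User=CORP\\jdoe ComputerName=WS01 CommandLine=powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("Windows/Sysmon", "EventID=1 User=CORP\\jdoe ComputerName=WS01 CommandLine=powershell.exe -Command Add-MpPreference -ExclusionPath C:\\Tools"),
    ("Windows/Sysmon", "EventID=1 User=CORP\\jdoe ComputerName=WS01 CommandLine=sc.exe stop WinDefend"),
    ("Windows/Sysmon", "EventID=13 User=CORP\\jdoe ComputerName=WS01 TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware"),
    ("Windows/Sysmon", "EventID=1 User=NT AUTHORITY\\SYSTEM ComputerName=WS01 CommandLine=powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("Windows/Sysmon", "EventID=1 User=CORP\\audit ComputerName=WS01 CommandLine=powershell.exe -Command (Get-MpPreference).ExclusionPath"),
    ("Windows/Sysmon", "EventID=1 User=CORP\\svc_config ComputerName=WS02 CommandLine=powershell.exe -Command Add-MpPreference -ExclusionPath D:\\App"),
    ("Windows/Defender", "EventID=5001 User=CORP\\jdoe ComputerName=WS01"),
    ("Windows/Defender", "EventID=5013 User=CORP\\jdoe ComputerName=WS01"),
    ("Windows/Defender", "EventID=5007 User=CORP\\svc_config ComputerName=WS02"),
    ("Windows/Security", "EventID=4657 User=CORP\\jdoe ComputerName=WS01 ObjectName=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths"),
]
```

`aggregate(SAMPLE_EVENTS)` returns six rows: the interactive user's Sysmon, Defender and Security rows, the audit account whose `Get-MpPreference` call matched on `ExclusionPath`, and the config-management account's Sysmon and Defender rows. With `tuned=True` the audit call and the management account drop out and three rows remain, while the SYSTEM-context run is dropped in both modes. The model matches the two well-known service account names exactly because the query's `*SYSTEM*` wildcard would also hide an attacker operating as, say, a `systems_admin` user.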
False Positives & Tuning
- IT operations teams legitimately modifying Defender via PowerShell for compliance or configuration management
- Endpoint detection and response (EDR) platforms adjusting Defender settings for co-existence
- Software deployment pipelines adding Defender exclusions for packaged applications
- Security auditing scripts that enumerate current Defender configuration without making changes (a `Get-MpPreference` call that references ExclusionPath still satisfies the command-line pattern; allow-list the auditing account or parent process rather than the event ID)
Testing Methodology
Validate this detection against the four adversary techniques below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see. Run the tests from an interactive administrator session rather than as SYSTEM, because the query deliberately discards Sysmon events attributed to SYSTEM and TrustedInstaller.
- Test 1: Disable Defender Real-Time Monitoring via PowerShell (CVE-2026-33825 Simulation)
Expected signal: Sysmon EventID 1 (process creation) for powershell.exe with CommandLine containing Set-MpPreference and DisableRealtimeMonitoring; Windows Defender Operational EventID 5001 (real-time protection disabled); DeviceProcessEvents in MDE showing the PowerShell invocation. If Tamper Protection is enabled the change is blocked and Defender logs EventID 5013 instead of 5001; the Sysmon event fires either way.
- Test 2: Add Defender Exclusion Path via PowerShell
Expected signal: Sysmon EventID 1 for powershell.exe with Add-MpPreference and ExclusionPath in CommandLine; Defender Operational EventID 5007 (configuration changed) with the new exclusion path; registry modification to HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
- Test 3: Stop WinDefend Service via sc.exe
Expected signal: Sysmon EventID 1 (process creation) for sc.exe with CommandLine 'sc stop WinDefend'. Windows System EventID 7036 (WinDefend service stopped), Security EventID 4689 (process exit) for MsMpEng.exe and Defender Operational EventID 5001 appear only if the service actually stops; WinDefend is a protected service and the stop request normally fails with "Access is denied" even for an administrator, so the sc.exe process creation is the signal to rely on.
- Test 4: Modify Defender Registry Key to Disable Antispyware
Expected signal: Sysmon EventID 13 (registry value set) with TargetObject HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware and Details=DWORD (0x00000001); Security EventID 4657 for the registry write to the Defender policy key (requires the Audit Registry subcategory and a SACL on the key); Defender Operational EventID 5007. Current client builds ignore DisableAntiSpyware while Tamper Protection is on, so antivirus keeps running and the registry write events are the reliable signal.