CVE-2026-41091 IBM QRadar · QRadar

Detect Microsoft Defender Link Following Privilege Escalation (CVE-2026-41091) in IBM QRadar

Detects exploitation of CVE-2026-41091, a link-following vulnerability (CWE-59) in Microsoft Defender that allows attackers to follow symbolic links or junction points to access or overwrite privileged files. This vulnerability is actively exploited in the wild (CISA KEV) and can lead to privilege escalation or arbitrary file manipulation in the context of the Defender service.

MITRE ATT&CK

Tactic
Privilege Escalation Defense Evasion

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "processname",
  "filename",
  "filepath",
  "commandline",
  CATEGORYNAME(category) AS event_category
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
  AND (
    (eventid IN (4656, 4663)
      AND LOWER("filepath") MATCHES '.*\\(programdata\\microsoft\\windows defender|program files\\windows defender).*'
      AND LOWER("processname") MATCHES '.*(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe).*')
    OR
    (eventid IN (1, 4688)
      AND LOWER("commandline") MATCHES '.*(mklink|junction|symlink).*'
      AND LOWER("commandline") MATCHES '.*(windows defender|windefend).*')
  )
  AND DATEFORMAT(devicetime, 'yyyy-MM-dd') >= DATEADD('day', -7, NOW())
ORDER BY devicetime DESC
LIMIT 500
high severity medium confidence

QRadar AQL query detecting file access events and symlink/junction commands targeting Microsoft Defender paths, consistent with CVE-2026-41091 link-following exploitation.

Data Sources

Windows Security Event LogMicrosoft Sysmon via QRadar DSM

Required Tables

events

False Positives & Tuning

  • Scheduled Defender definition update tasks
  • Microsoft Endpoint Configuration Manager managing Defender settings
  • Helpdesk tools accessing Defender logs for troubleshooting
  • Vulnerability scanners enumerating installed security software

Other platforms for CVE-2026-41091

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Symlink Targeting Defender Definitions Directory

    Expected signal: Sysmon Event ID 11 with TargetFilename=C:\Users\Public\DefenderLink and Image=cmd.exe; Windows Security Event 4663 if object auditing is enabled for the Defender directory

  2. Test 2Junction Point Creation via mklink Referencing Defender Support Logs

    Expected signal: Process creation event for cmd.exe with CommandLine containing 'mklink /J' and 'Windows Defender'; Sysmon Event ID 1 capturing the full command line

  3. Test 3PowerShell-Based Symlink Creation Targeting Defender Quarantine

    Expected signal: Sysmon Event ID 1 with Image=powershell.exe and CommandLine referencing mklink and Windows Defender Quarantine path; parent-child chain of powershell.exe → cmd.exe visible in process tree

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-41091 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0005Defense Evasion

Related Techniques

T1574Hijack Execution FlowT1548Abuse Elevation Control MechanismT1562.001Disable or Modify Tools

Same Tactic: Privilege Escalation

Popular Detections