
Detect Microsoft Defender Link Following Privilege Escalation (CVE-2026-41091) in Splunk

Detects exploitation of CVE-2026-41091, a link-following vulnerability (CWE-59) in Microsoft Defender that lets an attacker abuse symbolic links or junction points followed by the Defender service to access or overwrite privileged files. The vulnerability is actively exploited in the wild (listed in CISA KEV) and can lead to privilege escalation or arbitrary file manipulation in the security context of the Defender service.

MITRE ATT&CK

Tactic
Privilege Escalation, Defense Evasion

SPL Detection Query

(index=wineventlog OR index=sysmon) sourcetype IN ("WinEventLog:Security", "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval proc=lower(coalesce(Process_Name, New_Process_Name, Image)), user=coalesce(SubjectUserName, User, "-"), host_name=coalesce(Computer, ComputerName, host), target_path=coalesce(Object_Name, TargetFilename), cmdline=coalesce(CommandLine, Process_Command_Line)
| eval defender_path_match=if(match(coalesce(target_path, ""), "(?i)(ProgramData\\\\Microsoft\\\\Windows Defender|Program Files\\\\Windows Defender)") OR match(coalesce(cmdline, ""), "(?i)(ProgramData\\\\Microsoft\\\\Windows Defender|Program Files\\\\Windows Defender)"), 1, 0)
| eval suspicious_proc=if(match(coalesce(proc, ""), "(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe)$"), 1, 0)
| where (EventCode IN (4656, 4663, 1, 11) AND defender_path_match=1 AND suspicious_proc=1)
   OR (EventCode=4688 AND match(coalesce(cmdline, ""), "(?i)(mklink|junction|symlink)") AND defender_path_match=1)
| eval alert_detail="CVE-2026-41091: Suspicious link/file op in Defender path by " . user
| stats count min(_time) as first_seen max(_time) as last_seen values(cmdline) as commands values(target_path) as target_paths by host_name, user, proc, alert_detail
| sort - last_seen
Severity: High. Confidence: Medium.

Detects suspicious interpreter processes creating symlinks or junctions, or touching Microsoft Defender directories, in a manner consistent with CVE-2026-41091 link-following exploitation. The query normalizes the differing field names of the Security log (Object_Name, Process_Name, SubjectUserName, ComputerName) and Sysmon (TargetFilename, Image, User, Computer) before the stats grouping, since stats drops any event that lacks one of its by-fields; the Defender-path check is applied to the command line as well as the file path so that process-creation events (Sysmon 1, Security 4688), which carry no file path field, can match.

Data Sources

Windows Security Event Log, Sysmon

Required Sourcetypes

WinEventLog:Security
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate Defender signature update processes
  • Windows Update touching Defender components during patch cycles
  • Security tooling that inspects Defender directories for audit purposes
  • IT automation scripts managing Defender exclusions via command line
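The detection logic of the SPL query, re-implemented in Python over constructed sample events so that the cross-sourcetype field normalization and an allowlist for the false-positive cases above can be exercised offline. This is an added example, not code from the original page or from Splunk; the event records, host names and accounts (including the svc_defender_automation allowlist entry) are constructed assumptions, and the allowlist-by-account approach is one tuning option, not the page's own.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). Field names follow the two
# sourcetypes the SPL query reads: classic WinEventLog:Security (Object_Name,
# Process_Name, SubjectUserName, ComputerName) and Sysmon XmlWinEventLog
# (Image, TargetFilename, CommandLine, User, Computer). _time is epoch seconds.
SAMPLE_EVENTS = [
    {"_time": 100, "EventCode": 4663, "ComputerName": "WS01", "SubjectUserName": "alice",
     "Process_Name": r"C:\Windows\System32\cmd.exe",
     "Object_Name": r"C:\ProgramData\Microsoft\Windows Defender\Definition Updates\update.bin"},
    {"_time": 105, "EventCode": 1, "Computer": "WS01", "User": r"WS01\alice",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c mklink /J C:\Users\Public\DefenderLink "C:\ProgramData\Microsoft\Windows Defender\Support"'},
    {"_time": 200, "EventCode": 11, "Computer": "WS02", "User": r"WS02\bob",
     "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Program Files\Windows Defender\Quarantine\entries.dat"},
    # Benign: a hypothetical automation account managing Defender exclusions
    # (the "IT automation scripts" tuning bullet). Constructed account name.
    {"_time": 300, "EventCode": 1, "Computer": "WS02", "User": r"CORP\svc_defender_automation",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows Defender\Scans"'},
    # Suspicious interpreter but no Defender path anywhere: must not alert.
    {"_time": 400, "EventCode": 1, "Computer": "WS03", "User": r"WS03\carol",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile Get-Date"},
]

# Same patterns as the SPL match() calls. Python needs one escaping level fewer
# than an SPL string literal, so \\\\ in the SPL becomes \\ here.
DEFENDER_PATH = re.compile(
    r"(ProgramData\\Microsoft\\Windows Defender|Program Files\\Windows Defender)", re.I)
SUSPICIOUS_PROC = re.compile(r"(cmd|powershell|wscript|cscript|mshta|rundll32)\.exe$")
LINK_VERB = re.compile(r"(mklink|junction|symlink)", re.I)
# Constructed allowlist for the tuning section: accounts expected to touch Defender paths.
ALLOWED_USERS = {"svc_defender_automation"}


def normalize(ev):
    """Map both sourcetypes onto one schema, mirroring the coalesce() calls in the SPL."""
    raw_user = ev.get("SubjectUserName") or ev.get("User") or "-"
    return {
        "event_code": ev.get("EventCode"),
        "computer": ev.get("Computer") or ev.get("ComputerName") or "-",
        # Strip a DOMAIN\ prefix so Security and Sysmon events for one account group together.
        "user": raw_user.rsplit("\\", 1)[-1].lower(),
        "process": (ev.get("Process_Name") or ev.get("New_Process_Name") or ev.get("Image") or "").lower(),
        "path": ev.get("Object_Name") or ev.get("TargetFilename") or "",
        "cmdline": ev.get("CommandLine") or ev.get("Process_Command_Line") or "",
    }


def is_hit(n, allowed_users=ALLOWED_USERS):
    """The where-clause of the SPL query plus the allowlist check."""
    if n["user"] in allowed_users:
        return False
    # The Defender-path test covers the command line too, because process-creation
    # events (Sysmon 1, Security 4688) carry no file path field.
    in_defender_path = bool(DEFENDER_PATH.search(n["path"]) or DEFENDER_PATH.search(n["cmdline"]))
    suspicious = bool(SUSPICIOUS_PROC.search(n["process"]))
    if n["event_code"] in (4656, 4663, 1, 11):
        return in_defender_path and suspicious
    if n["event_code"] == 4688:
        return in_defender_path and bool(LINK_VERB.search(n["cmdline"]))
    return False


def detect(events, allowed_users=ALLOWED_USERS):
    """Group hits like the SPL stats call: by host, user and process, newest first."""
    groups = defaultdict(lambda: {"count": 0, "first_seen": None, "last_seen": None,
                                  "target_paths": set(), "commands": set()})
    for ev in events:
        n = normalize(ev)
        if not is_hit(n, allowed_users):
            continue
        g = groups[(n["computer"], n["user"], n["process"])]
        t = ev["_time"]
        g["count"] += 1
        g["first_seen"] = t if g["first_seen"] is None else min(g["first_seen"], t)
        g["last_seen"] = t if g["last_seen"] is None else max(g["last_seen"], t)
        if n["path"]:
            g["target_paths"].add(n["path"])
        if n["cmdline"]:
            g["commands"].add(n["cmdline"])
    alerts = []
    for (computer, user, process), g in groups.items():
        alerts.append({"computer": computer, "user": user, "process": process, **g,
                       "alert_detail": f"CVE-2026-41091: Suspicious link/file op in Defender path by {user}"})
    return sorted(alerts, key=lambda a: a["last_seen"], reverse=True)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["alert_detail"], alert["computer"], alert["process"], alert["count"])
```

Running the module prints two alert groups: the Security 4663 and Sysmon 1 events for alice on WS01 collapse into one row with count 2 (the Sysmon event matches only through its command line), bob's Sysmon 11 write into the Quarantine directory forms the second, and the allowlisted automation account and the unrelated PowerShell invocation produce nothing.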

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Create Symlink Targeting Defender Definitions Directory

    Expected signal: Sysmon Event ID 11 with TargetFilename=C:\Users\Public\DefenderLink and Image=cmd.exe; Windows Security Event 4663 if object auditing is enabled for the Defender directory

  2. Test 2: Junction Point Creation via mklink Referencing Defender Support Logs

    Expected signal: Process creation event for cmd.exe with CommandLine containing 'mklink /J' and 'Windows Defender'; Sysmon Event ID 1 capturing the full command line

  3. Test 3: PowerShell-Based Symlink Creation Targeting Defender Quarantine

    Expected signal: Sysmon Event ID 1 with Image=powershell.exe and CommandLine referencing mklink and the Windows Defender Quarantine path; parent-child chain of powershell.exe → cmd.exe visible in the process tree
