CVE-2026-45498 Google Chronicle · YARA-L

Detect Microsoft Defender Denial of Service Vulnerability (CVE-2026-45498) in Google Chronicle

CVE-2026-45498 is a Denial of Service vulnerability in Microsoft Defender. Exploitation can cause Defender to crash, hang, or become unresponsive, effectively disabling endpoint protection on affected hosts. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers may leverage this to disable security tooling prior to follow-on intrusion activity.

MITRE ATT&CK

Tactics: Defense Evasion, Impact

YARA-L Detection Query

Google Chronicle (YARA-L)

rule cve_2026_45498_defender_dos {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects Microsoft Defender DoS exploitation (CVE-2026-45498) via service disruption events"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45498"
    cve = "CVE-2026-45498"

  events:
    (
      $e.metadata.event_type = "STATUS_UPDATE"
      AND (
        // Windows Defender Operational log: real-time protection (5001), anti-spyware (5010)
        // or antivirus (5012) scanning disabled, configuration changed (5007),
        // definition update failed (2004)
        (
          $e.metadata.product_name = "Windows Defender"
          AND (
            $e.metadata.product_event_type = "5001"
            OR $e.metadata.product_event_type = "5007"
            OR $e.metadata.product_event_type = "5010"
            OR $e.metadata.product_event_type = "5012"
            OR $e.metadata.product_event_type = "2004"
          )
        )
        // System log, Service Control Manager: a service whose name contains "defender"
        // terminated unexpectedly (7034) or terminated unexpectedly with a recovery action (7031)
        OR (
          $e.metadata.product_event_type = "7034"
          AND re.regex($e.target.application, `(?i)defender`)
        )
        OR (
          $e.metadata.product_event_type = "7031"
          AND re.regex($e.target.application, `(?i)defender`)
        )
      )
    )
    // group on the reporting host so the 1h window and the count are evaluated per host
    $e.principal.hostname = $hostname

  match:
    $hostname over 1h

  condition:
    #e >= 2
}

Severity: High · Confidence: Medium

Chronicle YARA-L rule detecting repeated Microsoft Defender service disruption events that may indicate active exploitation of CVE-2026-45498. Triggers on two or more Defender disable, crash, or service failure events from the same host within one hour.
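To unit-test the rule's logic before deploying it, the following Python re-implements the events filter, the per-host grouping and the two-events-in-one-hour threshold over constructed UDM-style events, and shows where a tuning exclusion (here a hypothetical "PROV-" hostname prefix for provisioning hosts, from the False Positives list) would plug in. This is an added example, not df00tech's code; hostnames, timestamps and the nested-dict layout are constructed to mirror the UDM field paths the rule references, and the sliding window only approximates Chronicle's own `over 1h` bucketing.

```python
"""Offline re-implementation of the matching and windowing logic of the YARA-L
rule above, so the detection can be exercised against constructed UDM-style
events without a Chronicle tenant. Added example; not df00tech's code."""
from datetime import datetime, timedelta, timezone
import re

# Event IDs from the rule: Defender Operational log (product_name "Windows Defender")
DEFENDER_OPERATIONAL_IDS = {"5001", "5007", "5010", "5012", "2004"}
# Service Control Manager unexpected-termination events, filtered on service name
SCM_FAILURE_IDS = {"7034", "7031"}
DEFENDER_RE = re.compile(r"defender", re.IGNORECASE)  # same as re.regex(..., `(?i)defender`)
WINDOW = timedelta(hours=1)                           # match: $hostname over 1h
THRESHOLD = 2                                         # condition: #e >= 2


def event_matches(ev):
    """Equivalent of the rule's events: section for a single UDM event."""
    meta = ev["metadata"]
    if meta.get("event_type") != "STATUS_UPDATE":
        return False
    eid = meta.get("product_event_type")
    if meta.get("product_name") == "Windows Defender" and eid in DEFENDER_OPERATIONAL_IDS:
        return True
    if eid in SCM_FAILURE_IDS:
        return bool(DEFENDER_RE.search(ev.get("target", {}).get("application", "")))
    return False


def detect(events, window=WINDOW, threshold=THRESHOLD, suppress=None):
    """Return {hostname: count} for hosts with >= threshold matching events inside
    some window-long span. A sliding window is used here; Chronicle's `over 1h`
    uses its own bucketing, so treat this as an approximation for unit tests.
    `suppress` is an optional tuning predicate: events it accepts are dropped."""
    by_host = {}
    for ev in events:
        if suppress and suppress(ev):
            continue
        if event_matches(ev):
            by_host.setdefault(ev["principal"]["hostname"], []).append(
                ev["metadata"]["event_timestamp"])
    hits = {}
    for host, stamps in by_host.items():
        stamps.sort()
        best = left = 0
        for right, t in enumerate(stamps):          # two-pointer sliding window
            while t - stamps[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            hits[host] = best
    return hits


# ---- constructed sample telemetry (hostnames, service names and times are made up) ----
def udm(host, hh, mm, event_id, product="Windows Defender", application="",
        event_type="STATUS_UPDATE"):
    return {
        "metadata": {"event_type": event_type, "product_name": product,
                     "product_event_type": event_id,
                     "event_timestamp": datetime(2026, 1, 15, hh, mm, tzinfo=timezone.utc)},
        "principal": {"hostname": host},
        "target": {"application": application},
    }

SCM = "Microsoft-Windows-Service Control Manager"   # constructed product_name for System log events
SAMPLE_EVENTS = [
    # WS-01: real-time protection disabled, then Defender service crash 20 min later -> fires
    udm("WS-01", 10, 0, "5001"),
    udm("WS-01", 10, 20, "7034", product=SCM, application="Microsoft Defender Antivirus Service"),
    # WS-02: two configuration changes 2.5 h apart -> outside the 1 h window, no alert
    udm("WS-02", 9, 0, "5007"),
    udm("WS-02", 11, 30, "5007"),
    # WS-03: SCM failures for an unrelated service -> the defender regex does not match
    udm("WS-03", 10, 0, "7034", product=SCM, application="Print Spooler"),
    udm("WS-03", 10, 5, "7031", product=SCM, application="Print Spooler"),
    # WS-04: right event IDs but wrong UDM event_type -> filtered out
    udm("WS-04", 10, 0, "5001", event_type="PROCESS_LAUNCH"),
    udm("WS-04", 10, 1, "5012", event_type="PROCESS_LAUNCH"),
    # PROV-07: host being reimaged (see False Positives) -> fires unless suppressed
    udm("PROV-07", 12, 0, "5007"),
    udm("PROV-07", 12, 3, "5012"),
]


def is_provisioning_host(ev):
    """Example tuning predicate; the 'PROV-' naming convention is hypothetical."""
    return ev["principal"]["hostname"].startswith("PROV-")


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))                                 # {'WS-01': 2, 'PROV-07': 2}
    print(detect(SAMPLE_EVENTS, suppress=is_provisioning_host))  # {'WS-01': 2}
```

Because the SCM branch keys only on `target.application`, a host whose Windows Defender Antivirus Service crashes twice will fire even when the Defender Operational log never reports a disable event, which is the crash/hang case the CVE describes; the `suppress` hook is the place to encode the maintenance windows and provisioning workflows listed under False Positives rather than loosening the threshold.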

Data Sources

  • Google Chronicle
  • Windows Event Logs via Chronicle Forwarder
  • Microsoft Defender for Endpoint via Chronicle integration

Required Tables

UDM Events

False Positives & Tuning

  • Scheduled Defender definition updates requiring service restart
  • Windows security baseline enforcement tools modifying Defender state
  • Enterprise mobile device management applying Defender policy changes
  • System reimaging or provisioning workflows

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Defender Real-Time Protection Disable Event

     Expected signal: Windows Defender Operational EventID 5001 (disabled) followed by EventID 5000 (enabled); DeviceEvents ActionType AntivirusDisabled in MDE telemetry

  2. Test 2: Force MsMpEng Process Restart Sequence

     Expected signal: System EventLog EventIDs 7036 (service state changed), 7034 (if crash simulated) for WinDefend service; multiple MsMpEng.exe process start events in DeviceProcessEvents

  3. Test 3: Defender Configuration Tampering via Registry

     Expected signal: Windows Defender Operational EventID 5007 (configuration changed); registry modification event in DeviceRegistryEvents for HKLM\SOFTWARE\Policies\Microsoft\Windows Defender

  4. Test 4: Generate Windows Error Reporting Artifact for MsMpEng

     Expected signal: Process access event against MsMpEng.exe in DeviceEvents (ActionType OpenProcess); file creation event for .dmp file; procdump.exe process creation with MsMpEng PID as argument
