CVE-2026-45498 IBM QRadar · QRadar

Detect Microsoft Defender Denial of Service Vulnerability (CVE-2026-45498) in IBM QRadar

CVE-2026-45498 is a Denial of Service vulnerability in Microsoft Defender. Exploitation can cause Defender to crash, hang, or become unresponsive, effectively disabling endpoint protection on affected hosts. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers may leverage this to disable security tooling prior to follow-on intrusion activity.

MITRE ATT&CK

Tactic
Defense Evasion Impact

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip",
  "destinationip",
  username,
  QIDNAME(qid) AS event_name,
  eventcount,
  CATEGORYNAME(category) AS category_name,
  "devicehostname"
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) ILIKE '%Windows%'
  AND (
    (QIDNAME(qid) ILIKE '%Defender%' AND (QIDNAME(qid) ILIKE '%disabled%' OR QIDNAME(qid) ILIKE '%stopped%' OR QIDNAME(qid) ILIKE '%crashed%' OR QIDNAME(qid) ILIKE '%failed%'))
    OR ("EventID" IN ('5001', '5007', '5010', '5012', '2004', '7034', '7031') AND QIDNAME(qid) ILIKE '%Defender%')
  )
  AND LOGSOURCETYPENAME(logsourceid) NOT ILIKE '%firewall%'
  AND starttime > NOW() - 86400 SECONDS
ORDER BY starttime DESC
LIMIT 500
high severity low confidence

QRadar AQL query to identify Microsoft Defender service disruptions and configuration changes that may indicate CVE-2026-45498 exploitation. Queries Windows log sources for Defender-related stop, crash, disable, and configuration change events.

Data Sources

IBM QRadarWindows Security Event Log via WinCollectMicrosoft Windows DSM

Required Tables

events

False Positives & Tuning

  • Planned maintenance windows for Defender updates
  • Software deployment tools performing security baseline enforcement
  • Windows Update service interactions with Defender components
  • Security policy push from Group Policy Objects modifying Defender settings

Other platforms for CVE-2026-45498

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Defender Real-Time Protection Disable Event

    Expected signal: Windows Defender Operational EventID 5001 (disabled) followed by EventID 5000 (enabled); DeviceEvents ActionType AntivirusDisabled in MDE telemetry

  2. Test 2Force MsMpEng Process Restart Sequence

    Expected signal: System EventLog EventIDs 7036 (service state changed), 7034 (if crash simulated) for WinDefend service; multiple MsMpEng.exe process start events in DeviceProcessEvents

  3. Test 3Defender Configuration Tampering via Registry

    Expected signal: Windows Defender Operational EventID 5007 (configuration changed); registry modification event in DeviceRegistryEvents for HKLM\SOFTWARE\Policies\Microsoft\Windows Defender

  4. Test 4Generate Windows Error Reporting Artifact for MsMpEng

    Expected signal: Process access event against MsMpEng.exe in DeviceEvents (ActionType OpenProcess); file creation event for .dmp file; procdump.exe process creation with MsMpEng PID as argument

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-45498 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0005Defense EvasionTA0040Impact

Related Techniques

T1562.001Disable or Modify ToolsT1499Endpoint Denial of ServiceT1036Masquerading

Same Tactic: Defense Evasion

Popular Detections