Detect Microsoft Defender Denial of Service Vulnerability (CVE-2026-45498) in Splunk
CVE-2026-45498 is a Denial of Service vulnerability in Microsoft Defender. Exploitation can cause Defender to crash, hang, or become unresponsive, effectively disabling endpoint protection on affected hosts. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers may leverage this to disable security tooling prior to follow-on intrusion activity.
MITRE ATT&CK
- Tactics: Defense Evasion, Impact
SPL Detection Query
index=wineventlog OR index=sysmon sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational", "WinEventLog:System", "xmlwineventlog")
| eval EventID=coalesce(EventID, event_id)
| where (sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational", "xmlwineventlog") AND EventID IN (5001, 5007, 5010, 5012, 1116, 1117, 2004))
OR (sourcetype="WinEventLog:System" AND EventID=7034 AND Message LIKE "%Windows Defender%")
OR (sourcetype="WinEventLog:System" AND EventID=7031 AND Message LIKE "%Windows Defender%")
| eval alert_category=case(
EventID=5001, "Defender Real-Time Protection Disabled",
EventID=5007, "Defender Configuration Changed",
EventID=5010, "Defender Scanning Disabled",
EventID=5012, "Defender On-Access Scans Disabled",
EventID IN (1116, 1117), "Defender Malware Detection",
EventID=2004, "Defender Real-Time Protection Suspended",
EventID=7034, "Defender Service Crashed",
EventID=7031, "Defender Service Failed Unexpectedly",
true(), "Other Defender Event"
)
| stats count AS event_count, values(alert_category) AS categories, min(_time) AS first_seen, max(_time) AS last_seen by host, ComputerName
| where event_count >= 2
| eval duration_secs = last_seen - first_seen
| where duration_secs <= 3600
| sort -event_count

Detects Microsoft Defender service disruptions and configuration changes indicative of CVE-2026-45498 exploitation. It correlates Windows Defender Operational log events with System log service-failure events and alerts when a host produces two or more such events within a one-hour window. The base search also retrieves the generic "xmlwineventlog" sourcetype, so the where clause accepts Defender Operational event IDs from that sourcetype as well; otherwise those events would be fetched and then silently dropped.
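To make the correlation logic checkable offline, here is an added Python replay of what the SPL search above does (this is example code written for this page, not part of the original detection package or of Splunk). It categorizes events the way the `case()` statement does, groups by host like the `stats` command, applies the count and duration thresholds, and adds one tuning hook that the SPL does not have: a per-host maintenance-window suppression list, which is an assumption of this example. The event records are constructed sample data, not real telemetry.

```python
# Added example (not from the original page): a plain-Python replay of the
# correlation performed by the SPL search above, run over constructed
# Windows event records so the logic can be checked offline.
from collections import defaultdict

DEFENDER_OPERATIONAL = "XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational"
SYSTEM_LOG = "WinEventLog:System"
DEFENDER_SOURCETYPES = {DEFENDER_OPERATIONAL, "xmlwineventlog"}
DEFENDER_EVENT_IDS = {5001, 5007, 5010, 5012, 1116, 1117, 2004}
SERVICE_FAILURE_IDS = {7034, 7031}

# Mirrors the case() statement in the SPL.
CATEGORY_BY_EVENT_ID = {
    5001: "Defender Real-Time Protection Disabled",
    5007: "Defender Configuration Changed",
    5010: "Defender Scanning Disabled",
    5012: "Defender On-Access Scans Disabled",
    1116: "Defender Malware Detection",
    1117: "Defender Malware Detection",
    2004: "Defender Real-Time Protection Suspended",
    7034: "Defender Service Crashed",
    7031: "Defender Service Failed Unexpectedly",
}

WINDOW_SECS = 3600  # "where duration_secs <= 3600"
MIN_EVENTS = 2      # "where event_count >= 2"


def categorize(event):
    """Return the alert_category for one event, or None when the SPL where
    clause would discard it (wrong sourcetype, out-of-scope EventID, or a
    service-failure message that is not about Windows Defender)."""
    sourcetype, event_id = event["sourcetype"], event["EventID"]
    if sourcetype in DEFENDER_SOURCETYPES and event_id in DEFENDER_EVENT_IDS:
        return CATEGORY_BY_EVENT_ID[event_id]
    if (sourcetype == SYSTEM_LOG and event_id in SERVICE_FAILURE_IDS
            and "Windows Defender" in event.get("Message", "")):
        return CATEGORY_BY_EVENT_ID[event_id]
    return None


def in_maintenance_window(event, maintenance_windows):
    """Tuning hook (an assumption of this example, not part of the SPL):
    suppress events from hosts inside an approved maintenance window,
    given as (host, start_epoch, end_epoch) tuples."""
    return any(event["host"] == host and start <= event["_time"] <= end
               for host, start, end in maintenance_windows)


def correlate(events, maintenance_windows=()):
    """stats by host, then apply the count and duration thresholds."""
    per_host = defaultdict(list)
    for event in events:
        category = categorize(event)
        if category is None or in_maintenance_window(event, maintenance_windows):
            continue
        per_host[event["host"]].append((event["_time"], category))

    results = []
    for host, hits in per_host.items():
        times = [t for t, _ in hits]
        first_seen, last_seen = min(times), max(times)
        duration = last_seen - first_seen
        if len(hits) >= MIN_EVENTS and duration <= WINDOW_SECS:
            results.append({
                "host": host,
                "event_count": len(hits),
                "categories": sorted({c for _, c in hits}),  # like values(): unique, sorted
                "first_seen": first_seen,
                "last_seen": last_seen,
                "duration_secs": duration,
            })
    results.sort(key=lambda r: r["event_count"], reverse=True)  # sort -event_count
    return results


# Constructed sample telemetry (epoch seconds); not real log data.
SAMPLE_EVENTS = [
    # WS04: three Defender events close together, but inside an approved maintenance window
    {"host": "WS04", "_time": 2000, "sourcetype": DEFENDER_OPERATIONAL, "EventID": 5001},
    {"host": "WS04", "_time": 2100, "sourcetype": DEFENDER_OPERATIONAL, "EventID": 5007},
    {"host": "WS04", "_time": 2150, "sourcetype": "xmlwineventlog", "EventID": 5012},
    # WS01: service failure followed five minutes later by real-time protection being disabled
    {"host": "WS01", "_time": 1000, "sourcetype": SYSTEM_LOG, "EventID": 7031,
     "Message": "The Windows Defender Antivirus Service service terminated unexpectedly."},
    {"host": "WS01", "_time": 1300, "sourcetype": DEFENDER_OPERATIONAL, "EventID": 5001},
    {"host": "WS01", "_time": 1310, "sourcetype": SYSTEM_LOG, "EventID": 7036,  # out of scope
     "Message": "The Windows Defender Antivirus Service service entered the running state."},
    # WS02: two configuration changes almost three hours apart -> fails the duration threshold
    {"host": "WS02", "_time": 0, "sourcetype": DEFENDER_OPERATIONAL, "EventID": 5007},
    {"host": "WS02", "_time": 10000, "sourcetype": DEFENDER_OPERATIONAL, "EventID": 5007},
    # WS03: crash of an unrelated service plus one Defender event -> below the count threshold
    {"host": "WS03", "_time": 500, "sourcetype": SYSTEM_LOG, "EventID": 7034,
     "Message": "The Print Spooler service terminated unexpectedly."},
    {"host": "WS03", "_time": 600, "sourcetype": DEFENDER_OPERATIONAL, "EventID": 5010},
]
MAINTENANCE_WINDOWS = [("WS04", 1900, 2200)]

if __name__ == "__main__":
    for row in correlate(SAMPLE_EVENTS, MAINTENANCE_WINDOWS):
        print(row)
```

Running it reports only WS01 (two in-scope events 300 seconds apart); WS04 is suppressed by the maintenance window, WS02 fails the duration threshold and WS03 fails the count threshold. One caveat the replay makes visible: like the SPL, it measures the span between a host's first and last matching event across the whole search time range, not a sliding one-hour window, so a host with many events spread over several hours does not alert even if two of them fall within the same hour. A `bin _time span=1h` before the `stats`, or a `streamstats` based approach, would give true windowed behaviour if that matters in your environment.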
Data Sources
Required Sourcetypes
False Positives & Tuning
- Scheduled maintenance windows where Defender is administratively disabled
- Windows Update processes temporarily stopping Defender services
- Enterprise security policy changes pushing Defender configuration updates
- Antivirus exclusion changes by administrators triggering configuration change events
- High-load environments where Defender scanning causes repeated resource-related failures
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Defender Real-Time Protection Disable Event
  Expected signal: Windows Defender Operational EventID 5001 (disabled) followed by EventID 5000 (enabled); DeviceEvents ActionType AntivirusDisabled in MDE telemetry
- Test 2: Force MsMpEng Process Restart Sequence
  Expected signal: System EventLog EventIDs 7036 (service state changed), 7034 (if crash simulated) for WinDefend service; multiple MsMpEng.exe process start events in DeviceProcessEvents
- Test 3: Defender Configuration Tampering via Registry
  Expected signal: Windows Defender Operational EventID 5007 (configuration changed); registry modification event in DeviceRegistryEvents for HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
- Test 4: Generate Windows Error Reporting Artifact for MsMpEng
  Expected signal: Process access event against MsMpEng.exe in DeviceEvents (ActionType OpenProcess); file creation event for .dmp file; procdump.exe process creation with MsMpEng PID as argument