
CVE-2026-21510 Windows Shell Security Feature Bypass


# *CVE-2026-21510 - Windows Shell Security Feature Bypass*
## *EXPERIMENTAL*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
|  |  | |
|  |  | |

#### Description


#### Author <Optional>
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References
- 


## Defender XDR
```KQL
// ============================================================
// CVE-2026-21510 - Windows Shell Security Feature Bypass
// ============================================================
// --- Configuration ---
// Tunables shared by the detections below; review them for the tenant before running.
let LookbackPeriod     = 7d;                // how far back every detection looks
let NetworkSpawnWindow = 2m;                // max delay between a script host's external connection and its child spawn (Detection 3)
let InternalIPRange    = "147.86.0.0/16";   // CIDR treated as internal and ignored by Detection 3 -- set to this tenant's range
// Command-line fragments (verbatim strings, so backslashes need no escaping) that drop a hit in the final filter.
let ExcludedCLIPatterns = pack_array(
    @"C:\Program Files (x86)\Microsoft Intune Management Extension\Content\DetectionScripts\",
    @"C:\Program Files (x86)\Citavi 6\Pickers\Chrome\ChromePickerBroker.exe",
    @"C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection"
);
// Executable folders that Detection 1 ignores (well-known system and shortcut locations).
let ExcludedFolderPaths = pack_array(
    @"C:\Users\Public\Desktop",
    @"C:\ProgramData\Microsoft\Windows\Start Menu",
    @"C:\Windows\System32",
    @"C:\Program Files",
    @"C:\Program Files (x86)",
    @"C:\Windows\WinSxS"
);
// --- Vulnerable Devices from TVM ---
// One row per (device, software) pair that TVM reports as affected by this CVE; joined back in for enrichment at the end.
let TvmContext = DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2026-21510"
| project DeviceName, OSPlatform, OSVersion, SoftwareName, SoftwareVersion,
          VulnerabilitySeverityLevel, RecommendedSecurityUpdate;
// Device names used to scope every detection; derived from TvmContext so the TVM table is read once.
let VulnerableDevices = TvmContext
| distinct DeviceName;
// ============================================================
// Detection 1: Suspicious LNK/URL/SCF Shell Execution
// ============================================================
// Processes started by a shell or script host on a vulnerable device whose own or parent command line
// references a .lnk/.url/.scf file. Hits rated "Low" are dropped; the rest carry a RiskLevel string
// explaining why they were kept.
let LnkExecution = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where DeviceName in (VulnerableDevices)
| where InitiatingProcessFileName in~ ("explorer.exe","cmd.exe","powershell.exe","wscript.exe","mshta.exe")
| where ProcessCommandLine has_any (".lnk",".url",".scf") or InitiatingProcessCommandLine has_any (".lnk",".url",".scf")
| where not(FolderPath has_any (ExcludedFolderPaths))
// Two signals feed the rating: a script/shell interpreter on the command line, and an executable
// living under a user-writable directory.
| extend IsScriptLaunch = ProcessCommandLine has_any ("powershell","cmd","wscript","cscript"),
         IsUserDir      = FolderPath has_any ("Temp","Downloads")
| extend RiskLevel = case(
    IsScriptLaunch and IsUserDir, "High - Script from user directory",
    IsScriptLaunch,               "Medium - Shell script via link",
    IsUserDir,                    "Medium - Link from user directory",
    "Low"
  )
| where RiskLevel != "Low"
// RemoteIP is an empty placeholder so the schema lines up with Detection 3 in the final union.
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, CommandLine = ProcessCommandLine, FolderPath, DetectionSource = "LNK/Shell Execution", RiskLevel, RemoteIP = "";
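// ============================================================
// Detection 2: MotW / SmartScreen Bypass
// ============================================================
// A .lnk/.url file with an internet origin (origin URL, or a ZoneId=3 marker in AdditionalFields) written by a
// browser or mail client on a vulnerable device, followed by that same browser process spawning a script host.
// The join key is the browser's process id; the time bound below is what makes that key meaningful.
let MotWBypass = DeviceFileEvents
| where Timestamp > ago(LookbackPeriod)
| where DeviceName in (VulnerableDevices)
| where FileName endswith ".lnk" or FileName endswith ".url"
// NOTE(review): the ZoneId=3 match assumes the zone marker is surfaced in AdditionalFields -- confirm against live data.
| where (isnotempty(FileOriginUrl) and FileOriginUrl startswith "http") or AdditionalFields has "ZoneId=3"
| where InitiatingProcessFileName in~ ("msedge.exe","chrome.exe","firefox.exe","outlook.exe","winmail.exe")
| project DeviceName, DownloadTime = Timestamp, FileName, FileOriginUrl, BrowserProcessId = InitiatingProcessId
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(LookbackPeriod)
    | where DeviceName in (VulnerableDevices)
    | where FileName in~ ("wscript.exe","cscript.exe","powershell.exe","mshta.exe","rundll32.exe")
    // FolderPath is the spawned child's path, kept so this detection reports it like Detection 3 does.
    | project DeviceName, AccountName, SpawnTime = Timestamp, CommandLine = ProcessCommandLine, FolderPath, ParentProcess = InitiatingProcessFileName, ParentProcessId = InitiatingProcessId
) on DeviceName, $left.BrowserProcessId == $right.ParentProcessId
// Process ids are reused and a browser lives for days, so an unbounded join pairs the download with every
// script-host child that browser (or a later process with the same id) ever spawned in the lookback period.
// Only keep children spawned within the hour after the download; promote the 1h literal to the
// configuration section if it needs tuning.
| where SpawnTime between (DownloadTime .. DownloadTime + 1h)
| project Timestamp = SpawnTime, DeviceName, AccountName, InitiatingProcessFileName = ParentProcess, CommandLine, FolderPath, DetectionSource = "MotW/SmartScreen Bypass", RiskLevel = "High - Download + script-like child process", RemoteIP = "";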
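// ============================================================
// Detection 3: Network-based Exploitation
// ============================================================
// A script host (wscript/mshta/cscript) on a vulnerable device connects to an external address on 80/443 and,
// within NetworkSpawnWindow, spawns a shell-like child. The join is on the script host's process id; the time
// window keeps process-id reuse from pairing unrelated events.
let NetworkExploitation = DeviceNetworkEvents
| where Timestamp > ago(LookbackPeriod)
| where DeviceName in (VulnerableDevices)
| where InitiatingProcessFileName in~ ("wscript.exe","mshta.exe","cscript.exe")
| where RemotePort in (80, 443)
// "External" means neither an RFC 1918 private address nor inside InternalIPRange. Both helpers return null for a
// non-IPv4 string (e.g. an IPv6 peer), and not(null) would silently drop that row, so null is coalesced to false
// and such connections are kept as external rather than lost.
| where not(coalesce(ipv4_is_private(RemoteIP), false)
            or coalesce(ipv4_is_in_range(RemoteIP, InternalIPRange), false))
| project DeviceName, NetTime = Timestamp, RemoteIP, RemotePort, InitiatingProcessFileName, ScriptHostProcessId = InitiatingProcessId
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(LookbackPeriod)
    | where DeviceName in (VulnerableDevices)
    | where FileName in~ ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe", "msiexec.exe","wmic.exe","certutil.exe")
    | project DeviceName, AccountName, SpawnTime = Timestamp, CommandLine = ProcessCommandLine, FolderPath, ParentProcessId = InitiatingProcessId
) on DeviceName, $left.ScriptHostProcessId == $right.ParentProcessId
// Child must start after the connection and inside the configured window.
| where SpawnTime between (NetTime .. NetTime + NetworkSpawnWindow)
| project Timestamp = SpawnTime, DeviceName, AccountName, InitiatingProcessFileName, CommandLine, FolderPath, DetectionSource = "Network Exploitation", RiskLevel = "High - Shell spawned child after external network activity", RemoteIP;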
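// --- Final Union and Enrichment ---
// Merge the three detections (they share one column set), drop known-good command lines, enrich with TVM and
// last-seen data, then collapse to one row per device / command line / risk combination.
LnkExecution
| union MotWBypass
| union NetworkExploitation
| where not(CommandLine has_any (ExcludedCLIPatterns))
// Collapse TvmContext to one row per device first: TVM can report several software rows for the same CVE on one
// device, and a bare leftouter join would repeat every hit (and inflate HitCount) once per such row.
| join kind=leftouter (
    TvmContext
    | summarize take_any(OSPlatform, OSVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate) by DeviceName
) on DeviceName
| join kind=leftouter (
    DeviceInfo
    | summarize DeviceLastSeen = max(Timestamp) by DeviceName
) on DeviceName
| summarize
    FirstSeen = min(Timestamp),
    LastSeen_Event = max(Timestamp),
    HitCount = count(),
    AffectedAccounts = make_set(AccountName, 10),
    DetectionSources = make_set(DetectionSource, 5),
    // Detections 1 and 2 carry an empty RemoteIP placeholder; keep it out of the address set.
    RemoteNetworkAddresses = make_set_if(RemoteIP, isnotempty(RemoteIP), 10)
    by DeviceName, CommandLine, RiskLevel, InitiatingProcessFileName, FolderPath, OSPlatform, OSVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate, DeviceLastSeen
// VulnerabilitySeverityLevel is a string; sorted alphabetically "Low" lands ahead of "Medium", so rank it explicitly
// (unknown values sort last). The helper column is removed again after sorting.
| extend SeverityRank = case(
    VulnerabilitySeverityLevel == "Critical", 0,
    VulnerabilitySeverityLevel == "High",     1,
    VulnerabilitySeverityLevel == "Medium",   2,
    VulnerabilitySeverityLevel == "Low",      3,
    4)
| sort by SeverityRank asc, HitCount desc, FirstSeen desc
| project-away SeverityRank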

```

Explanation

This KQL query is designed to detect potential security threats related to the CVE-2026-21510 vulnerability, which involves a Windows Shell Security Feature Bypass. Here's a simplified breakdown of what the query does:

  1. Configuration Setup:

    • Defines a lookback period of 7 days to analyze past events.
    • Sets a 2-minute window for network spawn activities.
    • Specifies an internal IP range and patterns to exclude certain command lines and folder paths from detection.
  2. Identify Vulnerable Devices:

    • Retrieves a list of devices that are vulnerable to CVE-2026-21510 from the Threat and Vulnerability Management (TVM) data.
  3. Detection Mechanisms:

    • Detection 1: Suspicious Shell Execution:

      • Looks for suspicious execution of .lnk, .url, or .scf files by processes like explorer.exe, cmd.exe, powershell.exe, etc., on vulnerable devices.
      • Assigns a risk level based on the context of the execution (e.g., scripts from user directories are considered high risk).
    • Detection 2: Mark of the Web (MotW) / SmartScreen Bypass:

      • Detects .lnk or .url files that a browser or mail client downloaded from the internet (internet origin URL or Mark of the Web zone marker).
      • Correlates these downloads with subsequent suspicious script executions.
    • Detection 3: Network-based Exploitation:

      • Monitors network events for suspicious activities involving script hosts like wscript.exe or mshta.exe connecting to external IPs on ports 80 or 443.
      • Correlates these network activities with subsequent suspicious process executions.
  4. Data Aggregation and Enrichment:

    • Combines results from all detection mechanisms.
    • Excludes certain command lines based on predefined patterns.
    • Enriches the data with additional context from TVM and device information.
    • Summarizes the findings by device, showing the first and last seen timestamps, number of hits, affected accounts, detection sources, and remote network addresses.
  5. Sorting and Presentation:

    • Sorts the results by vulnerability severity, number of hits, and the first seen timestamp to prioritize the most critical findings.

Overall, this query is designed to help security analysts identify and prioritize potential security incidents related to the CVE-2026-21510 vulnerability by analyzing various types of suspicious activities on vulnerable devices.

Details


Benjamin Zulliger

Released: February 11, 2026

Tables

DeviceTvmSoftwareVulnerabilities, DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents, DeviceInfo

Keywords

Devices

Operators

let, dynamic, ago, in, in~, has_any, not, case, project, endswith, isnotempty, startswith, join, on, between, union, summarize, make_set, sort by, distinct, extend
