Query Details

CVE 2026 21510 Windows Shell Security Feature Bypass

Query

// ============================================================
// CVE-2026-21510 - Windows Shell Security Feature Bypass
// ============================================================
// --- Configuration ---
let LookbackPeriod      = 7d;
let NetworkSpawnWindow    = 2m;
let InternalIPRange       = "147.86.0.0/16";
let ExcludedCLIPatterns = dynamic([
    @"C:\Program Files (x86)\Microsoft Intune Management Extension\Content\DetectionScripts\",
    @"C:\Program Files (x86)\Citavi 6\Pickers\Chrome\ChromePickerBroker.exe",
    @"C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection"
]);
let ExcludedFolderPaths = dynamic([
    @"C:\Users\Public\Desktop",
    @"C:\ProgramData\Microsoft\Windows\Start Menu",
    @"C:\Windows\System32",
    @"C:\Program Files",
    @"C:\Program Files (x86)",
    @"C:\Windows\WinSxS"
]);
// --- Vulnerable Devices from TVM ---
let VulnerableDevices = DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2026-21510"
| distinct DeviceName;
let TvmContext = DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2026-21510"
| project DeviceName, OSPlatform, OSVersion, SoftwareName, SoftwareVersion, 
          VulnerabilitySeverityLevel, RecommendedSecurityUpdate;
// Detection 1: Suspicious LNK/URL/SCF Shell Execution
let LnkExecution = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where DeviceName in (VulnerableDevices)
| where InitiatingProcessFileName in~ ("explorer.exe","cmd.exe","powershell.exe","wscript.exe","mshta.exe")
| where ProcessCommandLine has_any (".lnk",".url",".scf") or InitiatingProcessCommandLine has_any (".lnk",".url",".scf")
| where not(FolderPath has_any (ExcludedFolderPaths))
| extend RiskLevel = case(
    ProcessCommandLine has_any ("powershell","cmd","wscript","cscript") and FolderPath has_any ("Temp","Downloads"), "High - Script from user directory",
    ProcessCommandLine has_any ("powershell","cmd","wscript","cscript"), "Medium - Shell script via link",
    FolderPath has_any ("Temp","Downloads"), "Medium - Link from user directory",
    "Low"
  )
| where RiskLevel != "Low"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, CommandLine = ProcessCommandLine, FolderPath, DetectionSource = "LNK/Shell Execution", RiskLevel, RemoteIP = "";
// Detection 2: MotW / SmartScreen Bypass
let MotWBypass = DeviceFileEvents
| where Timestamp > ago(LookbackPeriod)
| where DeviceName in (VulnerableDevices)
| where FileName endswith ".lnk" or FileName endswith ".url"
| where (isnotempty(FileOriginUrl) and FileOriginUrl startswith "http") or AdditionalFields has "ZoneId=3"
| where InitiatingProcessFileName in~ ("msedge.exe","chrome.exe","firefox.exe","outlook.exe","winmail.exe")
| project DeviceName, DownloadTime = Timestamp, FileName, FileOriginUrl, BrowserProcessId = InitiatingProcessId
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(LookbackPeriod)
    | where DeviceName in (VulnerableDevices)
    | where FileName in~ ("wscript.exe","cscript.exe","powershell.exe","mshta.exe","rundll32.exe")
    | project DeviceName, AccountName, SpawnTime = Timestamp, CommandLine = ProcessCommandLine, ParentProcess = InitiatingProcessFileName, ParentProcessId = InitiatingProcessId
) on DeviceName, $left.BrowserProcessId == $right.ParentProcessId
| project Timestamp = SpawnTime, DeviceName, AccountName, InitiatingProcessFileName = ParentProcess, CommandLine, FolderPath = "", DetectionSource = "MotW/SmartScreen Bypass", RiskLevel = "High - Download + script-like child process", RemoteIP = "";
// Detection 3: Network-based Exploitation
let NetworkExploitation = DeviceNetworkEvents
| where Timestamp > ago(LookbackPeriod)
| where DeviceName in (VulnerableDevices)
| where InitiatingProcessFileName in~ ("wscript.exe","mshta.exe","cscript.exe")
| where RemotePort in (80, 443)
| where not(ipv4_is_in_range(RemoteIP, InternalIPRange))
| project DeviceName, NetTime = Timestamp, RemoteIP, RemotePort, InitiatingProcessFileName, ScriptHostProcessId = InitiatingProcessId
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(LookbackPeriod)
    | where DeviceName in (VulnerableDevices)
    | where FileName in~ ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe", "msiexec.exe","wmic.exe","certutil.exe")
    | project DeviceName, AccountName, SpawnTime = Timestamp, CommandLine = ProcessCommandLine, FolderPath, ParentProcessId = InitiatingProcessId
) on DeviceName, $left.ScriptHostProcessId == $right.ParentProcessId
| where SpawnTime between (NetTime .. NetTime + NetworkSpawnWindow)
| project Timestamp = SpawnTime, DeviceName, AccountName, InitiatingProcessFileName, CommandLine, FolderPath, DetectionSource = "Network Exploitation", RiskLevel = "High - Shell spawned child after external network activity", RemoteIP;
// --- Final Union and Enrichment ---
LnkExecution
| union MotWBypass
| union NetworkExploitation
| where not(CommandLine has_any (ExcludedCLIPatterns))
| join kind=leftouter TvmContext on DeviceName
| join kind=leftouter (
    DeviceInfo
    | summarize DeviceLastSeen = max(Timestamp) by DeviceName
) on DeviceName
| summarize 
    FirstSeen = min(Timestamp),
    LastSeen_Event = max(Timestamp),
    HitCount = count(),
    AffectedAccounts = make_set(AccountName, 10),
    DetectionSources = make_set(DetectionSource, 5),
    RemoteNetworkAddresses = make_set(RemoteIP, 10)
    by DeviceName, CommandLine, RiskLevel, InitiatingProcessFileName, FolderPath, OSPlatform, OSVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate, DeviceLastSeen
| sort by VulnerabilitySeverityLevel asc, HitCount desc, FirstSeen desc

About this query

CVE-2026-21510 - Windows Shell Security Feature Bypass

EXPERIMENTAL

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1204.001User Execution: Malicious Linkhttps://attack.mitre.org/techniques/T1204/001/

Description

This query is designed to detect exploitation attempts of CVE-2026-21510, a vulnerability involving a bypass of Windows Shell security features (such as Mark-of-the-Web (MotW) and SmartScreen). The query identifies suspicious executions of shortcut files (.lnk, .url, .scf) that trigger script interpreters or system binaries, especially when these files originate from external sources or lead to unauthorized network activity.

Author <Optional>

References

Defender XDR

Explanation

This query is designed to detect attempts to exploit a specific security vulnerability in Windows Shell, identified as CVE-2026-21510. The vulnerability allows attackers to bypass security features like Mark-of-the-Web (MotW) and SmartScreen. Here's a simplified breakdown of what the query does:

  1. Configuration:

    • Sets a lookback period of 7 days to analyze data.
    • Defines a network spawn window of 2 minutes to correlate network and process events.
    • Specifies internal IP ranges and paths to exclude from analysis.
  2. Vulnerable Devices Identification:

    • Identifies devices that are vulnerable to CVE-2026-21510 using data from Threat and Vulnerability Management (TVM).
  3. Detection Mechanisms:

    • Suspicious Shortcut Execution: Detects suspicious executions of shortcut files (.lnk, .url, .scf) that may trigger scripts or system binaries, especially from user directories like Temp or Downloads.
    • MotW/SmartScreen Bypass: Identifies files downloaded from the internet that bypass security features and lead to script-like processes.
    • Network-based Exploitation: Detects network activity involving script hosts (like wscript.exe) connecting to external IPs, followed by suspicious process executions.
  4. Data Aggregation and Enrichment:

    • Combines results from the above detections.
    • Filters out known safe command lines.
    • Enriches data with additional context from TVM and device information.
    • Summarizes findings by device, highlighting the first and last seen events, affected accounts, detection sources, and remote network addresses.
  5. Output:

    • The query outputs a summary of potentially compromised devices, sorted by vulnerability severity and the number of detection hits, providing a clear view of the risk level and recommended security updates.

In essence, this query helps security teams identify and respond to potential exploitation attempts of a known Windows vulnerability by analyzing device events, network activity, and file executions.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: February 11, 2026

Tables

DeviceTvmSoftwareVulnerabilitiesDeviceProcessEventsDeviceFileEventsDeviceNetworkEventsDeviceInfo

Keywords

CVEDevicesWindowsShellSecurityUserNetworkIntuneFilesProcessEventsExecutionBypassVulnerabilityRiskAccountCommandLineFolderPathRemoteIPTimestampDetectionSource

Operators

letagoinin~has_anynotextendcaseendswithisnotemptystartswithjoinonbetweenprojectunionwheresummarizemake_setsort bydistinct

MITRE Techniques

Actions

GitHub