Inferlume

How it Works

Reports

Pricing

About

Get Free Access →

Get Free Access

Last Updated On

Wednesday, April 15, 2026

DDAAIILLYY--22002266--00441155

CCrriittiiccaall

AAccttiivvee EExxppllooiittaattiioonn CCoonnffiirrmmeedd

Microsoft Patch Tuesday Chrome WebGPU Sandbox Escape and SharePoint Spoofing

Microsoft's April 2026 Patch Tuesday fixes 167 vulnerabilities including two actively exploited zero-days — Chrome's WebGPU sandbox escape (CVE-2026-5281, CISA KEV deadline today) and SharePoint spoofing (CVE-2026-32201) — plus a Defender elevation-of-privilege (CVE-2026-33825) and Active Directory RCE (CVE-2026-33826) demanding same-day enterprise patching across browsers, collaboration platforms, endpoint protection, and directory services.

8.8

CVSS Score

IOC Count

Source Count

Confidence Score

CVEs

Actors

Sectors

Regions

Chapter 01 - Executive Overview

Today's headline: critical Microsoft and Chrome patches converge, with one actively exploited SharePoint zero-day and a live browser flaw both under CISA-enforced timelines. Together they raise the baseline risk for any environment running unpatched Windows infrastructure and Chromium-based browsers, even in the absence of a named campaign or public breach.

Microsoft's April 2026 Patch Tuesday fixes 167 vulnerabilities across Windows, Office, SQL Server, and related components — including two zero-days: CVE-2026-32201 in SharePoint Server (actively exploited before the patch shipped) and CVE-2026-33825 in Microsoft Defender (publicly disclosed, rated "Exploitation More Likely"). In parallel, Google's Chrome zero-day CVE-2026-5281 in the Dawn WebGPU layer was already being exploited in the wild from March 31, with CISA's KEV catalog mandating federal remediation by today, April 15.

At executive level, the key point is that these are not niche bugs. They touch the dominant web browser engine, core collaboration infrastructure, endpoint protection software, and directory services — making them highly relevant to most medium and large organizations. The absence of public IOCs or named actor attribution does not reduce urgency. Four patches, four high-stakes assets, one patch cycle.

Chapter 02 - Threat & Exposure Analysis

CVE-2026-5281 — Chrome Dawn WebGPU zero-day: sandbox escape primitive in exploit chains

CVE-2026-5281 is a use-after-free vulnerability in Chrome's Dawn WebGPU implementation. Exploitation requires an attacker to first compromise the renderer process, then use a crafted web page to corrupt freed memory — effectively making this a second-stage escape primitive in multi-stage browser exploit chains. CISA's KEV record mandates federal remediation by April 15, 2026, confirming both active exploitation and policy-level urgency. CVSS v3.1 base score 8.8, network attack vector, no privileges required, low user interaction.

For defenders, the exposure is systemic: any unpatched Chromium-based browser across Windows, macOS, or Linux — enterprise or consumer — represents a latent foothold. The two-stage nature of the exploit (renderer compromise first, then Dawn UAF) suggests sophisticated actors rather than opportunistic mass exploitation, but the absence of public PoC code does not reduce risk — CISA's KEV listing confirms real-world exploitation regardless.

Risk decision: treat CVE-2026-5281 as a mandatory same-day patch. Verify Chrome/Chromium version floors across all managed endpoints and enforce browser restart policies to ensure patched binaries are actually running.

CVE-2026-32201 — SharePoint Server spoofing zero-day: trust surface compromise in collaboration platforms

Microsoft's April Patch Tuesday confirms active exploitation of CVE-2026-32201, a SharePoint Server spoofing vulnerability that allows attackers to present falsified content and interfaces over the network. The flaw enables viewing and tampering with sensitive information in SharePoint environments, potentially enabling credential harvesting, misdirected document approvals, or staged content manipulation inside collaboration sites.

Because SharePoint often underpins intranet portals, document libraries, and workflow tools, exploitation undermines trust in internal content and creates second-order risks: phishing from spoofed interfaces, BEC precursors via manipulated approval workflows, or malicious document delivery through trusted channels. Zero-day classification confirms attackers understood and operationalized this bug before Microsoft shipped the patch.

Risk decision: prioritize SharePoint patching for any internet-exposed or partner-facing deployment. Enable anomaly detection on SharePoint web front ends and review access logs for the 14–30 days prior to patch application.

CVE-2026-33825 & CVE-2026-33826 — Defender EoP and AD RCE: hardening the Windows core

CVE-2026-33825 affects the Microsoft Defender Antimalware Platform, where insufficient access-control granularity allows a low-privileged authenticated attacker to elevate to SYSTEM-level privileges locally. Microsoft rates this "Exploitation More Likely" — meaning public exploitation is plausible in the near term. The bug affects Defender in active use; systems where Defender has been disabled or replaced by a third-party AV are not in an exploitable state, but this does not reduce the urgency for the majority of enterprise endpoints that use Defender in some capacity.

CVE-2026-33826 is a Windows Active Directory RCE caused by improper input validation. An authenticated attacker on an adjacent network can execute arbitrary code against AD services without any user interaction. The adjacent-network attack vector limits internet-scale exploitation but is highly relevant inside compromised environments where an attacker has already established a foothold and can reach domain controllers or AD-exposed segments. Combined with CVE-2026-33825, these two vulnerabilities provide a plausible path from low-privilege initial access to domain-level impact if patching lags.

Risk decision: both CVEs belong in the current patch sprint for Windows servers and critical endpoints. Verify Defender platform build levels explicitly — vulnerability scanners may flag vulnerable binaries even when Defender is disabled. Domain controller patching for CVE-2026-33826 should begin with externally reachable or high-risk segments first.

Chapter 03 - Operational Response

Defender priority order today

CVE-2026-5281 — Chrome Dawn WebGPU zero-day — Actively exploited, CISA KEV same-day deadline, affects the primary browser stack across all platforms. Highest priority.
CVE-2026-32201 — SharePoint Server spoofing zero-day — Actively exploited against collaboration infrastructure; data integrity and user trust impact is direct and broad.
CVE-2026-33825 — Microsoft Defender elevation-of-privilege — Publicly disclosed, "Exploitation More Likely," affects core endpoint protection. Attractive for post-compromise privilege escalation.
CVE-2026-33826 — Active Directory RCE — Critical to patch but requires authenticated adjacent-network access, making it slightly less acute than the exploited browser and SharePoint flaws in the next 24 hours.

Immediate response (0–24 hours)

Chrome / Chromium (CVE-2026-5281)

Force-update Chrome and all Chromium-based browsers to at least version 146.0.7680.177/178 via endpoint management or MDM, and verify version floors per platform.
Enforce browser restart policies to ensure patched binaries are running, not merely installed.

SharePoint (CVE-2026-32201)

Inventory all SharePoint Server instances and apply April 2026 security updates immediately, beginning with internet-exposed and partner-facing deployments.
Enable heightened logging on SharePoint web front ends and review for anomalous access patterns, spoofed interfaces, or unexpected content modifications over the prior 14–30 days.

Defender Platform (CVE-2026-33825)

Confirm the Defender Antimalware Platform has been updated beyond the vulnerable build on all servers and critical endpoints, per Microsoft's Security Update Guide.
Validate Defender is not inadvertently disabled on high-risk endpoints; document exceptions where a third-party AV replaces it as the primary protection layer.

Active Directory (CVE-2026-33826)

Apply the Windows AD security update to domain controllers, beginning with those exposed to high-risk segments, partner networks, or external-facing services.

Within 24–72 hours

Hunt for browser exploit chain indicators: unusual Chrome/Chromium crashes, unexpected child processes spawned from browser binaries, suspicious outbound connections initiated immediately after browser process restarts.
Review SharePoint content approval workflows, master page repositories, and recent site template changes for modifications inconsistent with authorized deployments.
Verify that endpoint vulnerability scanners and EDR tools correctly identify post-patch Defender platform builds, distinguishing between on-disk binary state and actual runtime exploitability for CVE-2026-33825.
Update KEV runbooks to reflect date-driven remediation urgency as a distinct escalation pathway from standard patch cadence.

If vendor guidance is insufficient to support specific response steps in a given environment, document "RESPONSE STEPS REQUIRE VENDOR ADVISORY CONFIRMATION BEFORE EXECUTION" before performing any high-impact mitigations.

CVE-2026-5281 — Chrome Dawn WebGPU zero-day

2026-03-31 — Google releases Chrome stable updates fixing CVE-2026-5281, disclosing active exploitation in the wild; flaw attributed to Dawn WebGPU use-after-free CWE-416.
2026-04-01 — NVD publishes the CVE-2026-5281 record; CISA adds the entry to the KEV catalog with an April 15, 2026 remediation due date for federal agencies.
2026-04-01 to 2026-04-02 — Krebs on Security, BleepingComputer, and The Hacker News publish analyses characterizing the bug as a high-severity sandbox escape primitive in browser exploit chains, CVSS 8.8.

CVE-2026-32201 — SharePoint Server spoofing zero-day

2026-04-13/14 — Microsoft releases April 2026 Patch Tuesday, fixing 167 vulnerabilities; CVE-2026-32201 flagged as an actively exploited SharePoint Server spoofing zero-day exploited prior to patch availability.
2026-04-14 — Krebs on Security and BleepingComputer highlight CVE-2026-32201 as one of two critical zero-days in the Patch Tuesday release.

CVE-2026-33825 & CVE-2026-33826 — Defender EoP and AD RCE

2026-04-13/14 — Microsoft assigns CVE-2026-33825 to a Defender Antimalware Platform EoP flaw and CVE-2026-33826 to a Windows Active Directory RCE; both disclosed and patched in the April 2026 Patch Tuesday release.
2026-04-13 to 2026-04-15 — BleepingComputer and Krebs characterize CVE-2026-33825 as "Exploitation More Likely" and detail affected Defender platform versions.

Chapter 04 - Detection Intelligence

CVE-2026-5281 — Chrome Dawn WebGPU use-after-free

CVE-2026-5281 is a use-after-free (CWE-416) in Dawn, Chrome's WebGPU graphics API implementation. The attack chain is two-stage: an attacker first compromises the Chrome renderer process via a separate vulnerability, then exploits the Dawn memory corruption flaw to escape the sandbox and execute arbitrary code with browser-process privileges. A crafted HTML page triggers the freed-memory access; no additional privileges beyond the initial renderer compromise are required.

The vulnerability affects Chrome versions prior to 146.0.7680.177/178 across Windows, macOS, and Linux, as well as downstream Chromium-based browsers shipping the same Dawn implementation. The two-stage requirement suggests this is used by actors capable of chaining multiple bugs rather than opportunistic mass exploitation. The absence of public PoC is consistent with Google's standard disclosure pattern for serious zero-days — exploitation is real, PoC details are withheld.

CVE-2026-32201 — SharePoint Server spoofing vulnerability

Microsoft describes CVE-2026-32201 as a spoofing flaw in SharePoint Server's input handling, allowing attackers to present falsified content or interfaces to network users. Successful exploitation enables viewing and modifying sensitive information within SharePoint workloads, compromising both integrity and confidentiality without necessarily affecting availability. Exploitation is likely to involve crafted HTTP requests against SharePoint endpoints that misuse or bypass trust boundaries in how content is rendered or validated at the application layer.

Registered sources do not provide detailed request patterns or PoC code, limiting defenders to version verification, anomaly-based detection, and content integrity monitoring as primary controls. The zero-day classification — exploited before patch availability — indicates real-world attacker familiarity with the vulnerability's operational utility in collaboration-platform targeting.

CVE-2026-33825 — Microsoft Defender Antimalware Platform elevation-of-privilege

CVE-2026-33825 arises from insufficient access-control granularity in the Defender Antimalware Platform, enabling a low-privileged authenticated attacker to elevate to high (SYSTEM-level) privileges locally. High impact on confidentiality, integrity, and availability is consistent with full SYSTEM-level control when chained with any initial access vector. Microsoft's guidance notes that exploitability depends on Defender being actively running on the endpoint — systems with Defender disabled or replaced by a third-party solution are not exposed, but this covers a small fraction of enterprise endpoints.

Vulnerability scanners may incorrectly flag the vulnerability as present even when Defender is disabled based on binary version detection alone; defenders must validate both platform build level and runtime active state to accurately assess exposure.

CVE-2026-33826 — Windows Active Directory RCE

CVE-2026-33826 is caused by improper input validation in Windows Active Directory components; an authenticated attacker on an adjacent network can execute arbitrary code without user interaction. The adjacent-network constraint limits internet-scale exploitation risk but is highly relevant inside compromised environments where an attacker has a foothold and can reach internal network segments hosting domain controllers or AD-accessible services.

Because Active Directory is the backbone of identity and access management across most enterprise environments, code execution in this context could enable lateral movement to domain controllers, privilege escalation to domain admin, or deployment of persistent access mechanisms. Registered sources do not detail exploit payloads; defenders are focused on patch validation and behavioral monitoring of AD service processes.

Vulnerability Identifiers — CVE-based indicators

The following four CVE IDs are the only indicators extractable from registered sources for today's reporting window. No network infrastructure artifacts (IPs, domains, hashes, C2 servers) have been published by any registered source in association with exploitation of these vulnerabilities.

CVE-2026-5281 — Chrome Dawn WebGPU use-after-free zero-day; active exploitation confirmed; CISA KEV listed. Verdict: Pending enrichment.
CVE-2026-32201 — Microsoft SharePoint Server spoofing zero-day; active exploitation confirmed prior to patch availability. Verdict: Pending enrichment.
CVE-2026-33825 — Microsoft Defender Antimalware Platform elevation-of-privilege; publicly disclosed, "Exploitation More Likely." Verdict: Pending enrichment.
CVE-2026-33826 — Windows Active Directory RCE via adjacent-network improper input validation; patched, exploitation not yet confirmed in wild. Verdict: Pending enrichment.

Infrastructure patterns

None of the registered sources reviewed for this window describe reusable attacker infrastructure — no C2 domains, IP ranges, hosting providers, or TLS certificate patterns — associated with exploitation campaigns for any of these CVEs. Infrastructure fingerprinting evidence is intentionally absent pending future registered-source reporting.

CVE-2026-5281 — Chrome WebGPU Sandbox Escape

Detection focus: browser processes spawning unexpected children (post-escape indicator), vulnerable version presence (pre-exploitation surface), and suspicious outbound traffic from browser processes after crashes.

SIGMA Rule — Chrome Suspicious Child Process Spawn (CVE-2026-5281)

title: Chrome WebGPU Exploit — Suspicious Child Process (CVE-2026-5281)
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: >
  Detects Chromium-based browser processes spawning shell or scripting
  interpreters. Consistent with post-sandbox-escape behavior following
  exploitation of CVE-2026-5281 (Dawn WebGPU UAF).
  Apply on Windows endpoint process-creation telemetry.
references:
  - CVE-2026-5281
author: CTI Daily v2.0
date: 2026/04/15
tags:
  - attack.execution
  - attack.t1203
  - attack.defense_evasion
  - attack.t1055
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\brave.exe'
      - '\opera.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
      - '\rundll32.exe'
  filter_legitimate:
    # Chrome legitimately spawns crash handlers and updaters — exclude known-good
    Image|endswith:
      - '\chrome_crashpad_handler.exe'
      - '\GoogleUpdate.exe'
  condition: selection and not filter_legitimate
falsepositives:
  - Enterprise browser extensions spawning helper scripts — review per environment
  - Automated testing frameworks using Chromium
level: high

YARA Rule — Chrome WebGPU Post-Exploitation Memory Artifact (CVE-2026-5281)

rule Chrome_Dawn_WebGPU_UAF_Artifact {
    /*
     * Detects memory artifacts consistent with Chrome Dawn WebGPU UAF
     * exploitation (CVE-2026-5281). Apply against Chrome crash dumps,
     * suspicious files dropped by browser processes, or memory captures
     * from high-risk endpoints. Pattern is indicative, not definitive —
     * corroborate with process behaviour alerts.
     */
    meta:
        description = "Chrome Dawn WebGPU UAF exploit artifact (CVE-2026-5281)"
        author      = "CTI Daily v2.0"
        date        = "2026-04-15"
        reference   = "CVE-2026-5281"
        severity    = "high"

    strings:
        // Dawn WebGPU API strings present in renderer exploitation context
        $dawn_device  = "dawn::native::Device" ascii
        $gpu_buffer   = "GPUBuffer" wide ascii
        $wgpu_create  = "wgpuDeviceCreateBuffer" ascii

        // Generic heap spray / UAF exploitation markers
        // High FP rate in isolation — require corroboration with Dawn strings
        $heap_a  = { 41 41 41 41 41 41 41 41 }   // 'AAAAAAAA' heap spray
        $heap_b  = { 0D 0D 0D 0D 0D 0D 0D 0D }   // 0x0D sled pattern
        $nop_sled = { 90 90 90 90 90 90 90 90 90 90 }  // NOP sled

    condition:
        // Dawn API strings present + at least one exploit-pattern marker
        2 of ($dawn_device, $gpu_buffer, $wgpu_create)
        and 1 of ($heap_a, $heap_b, $nop_sled)
}

SIEM Pseudocode — Vulnerable Browser Version Floor Alert (CVE-2026-5281)

// SIEM Pseudocode — Chrome Version Floor Enforcement (CVE-2026-5281)
// Source:  Endpoint software inventory telemetry
// Safe floor: Chrome >= 146.0.7680.177 / 146.0.7680.178

FROM endpoint_software_inventory
WHERE
    software_name IN (
        'Google Chrome',
        'Microsoft Edge',
        'Brave Browser',
        'Opera'
    )
    AND software_version < '146.0.7680.177'    -- Vulnerable version floor
    AND last_seen >= NOW() - 24h               -- Active assets only
GROUP BY
    host_name,
    software_name,
    software_version,
    user_name,
    last_seen
ORDER BY last_seen DESC

-- Alert on ANY result = unpatched browser still present
-- Priority: CRITICAL — CISA KEV deadline was 2026-04-15
-- Action: Trigger automated patch push OR create analyst remediation case

CVE-2026-32201 — SharePoint Server Spoofing

Detection focus: non-admin modification of master pages and site assets, HTTP error-then-success patterns against SharePoint endpoints indicating reconnaissance or exploitation attempts.

SIGMA Rule — SharePoint Content Modification by Non-Admin (CVE-2026-32201)

title: SharePoint Master Page / Site Asset Modification by Non-Admin (CVE-2026-32201)
id: b2c3d4e5-f6a7-8901-bcde-f01234567891
status: experimental
description: >
  Detects non-privileged accounts modifying SharePoint master pages, layouts,
  or SiteAssets. Consistent with content spoofing exploitation of CVE-2026-32201
  (SharePoint Server spoofing zero-day).
author: CTI Daily v2.0
date: 2026/04/15
tags:
  - attack.initial_access
  - attack.t1190
  - attack.impact
  - attack.t1565.002
logsource:
  product: windows
  service: sharepoint_uls    # SharePoint ULS audit log / Unified Logging Service
detection:
  selection:
    EventType:
      - 'ContentModified'
      - 'FileUploaded'
      - 'ScriptInjected'
    TargetPath|contains:
      - '/_catalogs/masterpage'
      - '/_layouts'
      - '/SiteAssets/'
  filter_admins:
    # Exclude farm and site admins performing authorised deployments
    UserRole:
      - 'FarmAdmin'
      - 'SiteAdmin'
  condition: selection and not filter_admins
falsepositives:
  - Developers deploying approved design changes in dev/staging environments
  - SharePoint migration or publishing workflows with non-admin service accounts
level: high

SIEM Pseudocode — SharePoint Anomalous HTTP Error + Success Sequence (CVE-2026-32201)

// SIEM Pseudocode — SharePoint Exploit Reconnaissance Pattern (CVE-2026-32201)
// Source:  SharePoint web front-end IIS access logs
// Logic:   Spike in 4xx errors from a single IP followed by 200-series
//          successes on sensitive paths — consistent with exploitation probing

FROM sharepoint_web_access_logs
WHERE
    timestamp BETWEEN '2026-04-01' AND NOW()   -- Review window post first-observed date
GROUP BY
    client_ip,
    target_path
HAVING
    COUNT(CASE WHEN http_status BETWEEN 400 AND 499 THEN 1 END) > 5
    AND COUNT(CASE WHEN http_status BETWEEN 200 AND 299 THEN 1 END) > 1
    AND (
        target_path LIKE '%/_catalogs/%'
        OR target_path LIKE '%/_layouts/%'
        OR target_path LIKE '%/SiteAssets/%'
    )
ORDER BY COUNT(*) DESC

-- Alert: Any client_ip matching this pattern against sensitive paths
-- Priority: HIGH
-- Tag: T1190 / CVE-2026-32201

CVE-2026-33825 — Defender Platform Elevation-of-Privilege

Detection focus: medium-integrity processes accessing WinDefend service objects in abnormal ways, unexpected service modifications from non-Defender processes.

SIGMA Rule — Defender Service Object Access by Non-Defender Process (CVE-2026-33825)

title: Defender Platform EoP — WinDefend Service Privileged Object Access (CVE-2026-33825)
id: c3d4e5f6-a7b8-9012-cdef-012345678912
status: experimental
description: >
  Detects medium-integrity (standard-user) processes accessing or manipulating
  WinDefend service objects in ways inconsistent with normal Defender operation.
  Consistent with privilege escalation via CVE-2026-33825.
author: CTI Daily v2.0
date: 2026/04/15
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  product: windows
  service: security
detection:
  selection_svc_access:
    EventID:
      - 4673    # Sensitive privilege used
      - 4674    # Operation attempted on privileged object
    ObjectName|contains: 'WinDefend'
  filter_legit_processes:
    # Exclude Defender's own service processes
    ProcessName|endswith:
      - '\MsMpEng.exe'
      - '\MpCmdRun.exe'
      - '\SecurityHealthService.exe'
      - '\MsSense.exe'
  selection_svc_install:
    EventID:
      - 4697    # Service installed in system
      - 7045    # New service installed (System log)
    ServiceName|contains: 'WinDefend'
    SubjectIntegrityLevel: 'Medium'    # Unexpected: standard user installing service
  condition: >
    (selection_svc_access and not filter_legit_processes)
    or selection_svc_install
falsepositives:
  - Third-party AV management tools interacting with Defender service
  - Legitimate administrative scripts performing Defender policy configuration
level: high

CVE-2026-33826 — Active Directory RCE

Detection focus: unusual process creation on domain controllers from non-standard parent processes or non-admin accounts, new services installed on DCs from unexpected initiating hosts.

SIGMA Rule — Anomalous Process Creation on Domain Controller (CVE-2026-33826)

title: Domain Controller Anomalous Process Creation (CVE-2026-33826)
id: d4e5f6a7-b8c9-0123-def0-123456789013
status: experimental
description: >
  Detects unexpected process creation on domain controllers from non-standard
  parent processes or initiated by non-machine accounts. Consistent with
  adjacent-network RCE exploitation of CVE-2026-33826.
author: CTI Daily v2.0
date: 2026/04/15
tags:
  - attack.lateral_movement
  - attack.t1210
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    EventID: 4688
    SubjectUserName|not_endswith: '$'    # Exclude machine accounts
    NewProcessName|contains:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\wscript.exe'
    ParentProcessName|not_endswith:
      - '\services.exe'
      - '\wininit.exe'
      - '\lsm.exe'
      - '\svchost.exe'
  filter_known_admin_hosts:
    # Scope to domain controllers — set ComputerName to actual DC list
    ComputerName|endswith: '-DC'    # Adjust to environment naming convention
  condition: selection and filter_known_admin_hosts
falsepositives:
  - Legitimate administrative scripts running on DCs via jump host
  - Monitoring agents spawning diagnostic processes
level: critical

SIEM Pseudocode — Suspicious Service Install on Domain Controller (CVE-2026-33826)

// SIEM Pseudocode — New Service on DC from Non-Standard Host (CVE-2026-33826)
// Source:  Windows Security Event Log (Event ID 7045 / 4697), DC-forwarded
// Logic:   Detect new services installed on DCs where initiating host
//          is NOT on the approved admin jump host list

FROM windows_event_logs
WHERE
    event_id IN (7045, 4697)                          -- Service installation events
    AND computer_name IN (domain_controller_list)     -- Scoped to DCs only
    AND initiating_host NOT IN (approved_admin_hosts) -- Not from jump host / mgmt station
    AND subject_user_name NOT LIKE '%$'               -- Not machine account
    AND timestamp >= NOW() - 24h

UNION

FROM windows_security_events
WHERE
    event_id = 4688                                   -- Process creation
    AND computer_name IN (domain_controller_list)
    AND new_process_name LIKE '%\TEMP\%'              -- Process executing from temp
    AND timestamp >= NOW() - 24h

ORDER BY timestamp DESC

-- Alert: CRITICAL on any DC result
-- Tag: T1210 / Lateral Movement
-- Escalation: Immediate analyst review; isolate DC from non-DC segment if confirmed

T1203 — Exploitation for Client Execution (CVE-2026-5281)

Inferred from: CISA KEV description, Krebs, and BleepingComputer coverage all describe exploitation requiring a user to visit a crafted web page with no additional privileges. This is the canonical T1203 scenario — delivery of code execution to a client via web-based exploit. No source maps it to T1203 by name, but the attack vector description is unambiguous.

T1055 — Process Injection (CVE-2026-5281)

Inferred from: Krebs and BleepingComputer describe the exploitation mechanism as a second-stage sandbox escape — the use-after-free in Dawn is used to achieve code execution in a different browser process context after renderer compromise. Cross-process memory corruption enabling code execution in another process context is behaviorally consistent with T1055.

T1190 — Exploit Public-Facing Application (CVE-2026-32201)

Inferred from: Microsoft's advisory describes a network-accessible attack vector with no authentication requirement; SharePoint Server is a canonical public-facing application. Crafted HTTP requests bypassing input validation in a network-accessible application platform is the T1190 definition.

T1565.002 — Stored Data Manipulation (CVE-2026-32201)

Inferred from: Microsoft and registered source coverage explicitly describe the ability to view and tamper with sensitive information in SharePoint document stores and collaboration sites — modification of stored data via exploitation is T1565.002.

T1068 — Exploitation for Privilege Escalation (CVE-2026-33825)

Inferred from: Microsoft advisory explicitly states a low-privileged authenticated attacker achieves local high-privilege (SYSTEM-level) execution via the Defender platform flaw. This is the definitional T1068 scenario and the behavioral inference carries high confidence.

T1210 — Exploitation of Remote Services (CVE-2026-33826)

Inferred from: Microsoft advisory describes adjacent-network exploitation of Active Directory services via improper input validation to achieve arbitrary code execution without user interaction. AD services exposed on the internal network are remote services in the T1210 definition.

MITRE D3FEND Countermeasures:

D3-PAN (Process Ancestry Normalization) — counter to T1203/T1055: enforce expected parent-child browser process chains; alert on deviations. Directly enabled by SIGMA Rule 1 above.

D3-UAP (User Account Permissions) — counter to T1068: enforce least-privilege access controls for Defender service interactions; limit which accounts can interact with security service objects.

D3-NTA (Network Traffic Analysis) — counter to T1210: monitor and baseline AD service traffic from adjacent network segments; alert on unexpected authenticated RCE-pattern flows targeting domain controllers.

Chapter 05 - Governance, Risk & Compliance

Browser and collaboration stack risk posture

Organizations that treat browsers and collaboration platforms as commodity IT rather than critical infrastructure will underestimate today's governance exposure. CVE-2026-5281 and CVE-2026-32201 strike at user-facing trust surfaces — the web browser and the SharePoint portal — where spoofed content or drive-by exploitation enables fraud, data leakage, and regulatory compliance failures. CISA's KEV deadline for CVE-2026-5281 is April 15, 2026 — today. For federal environments, that deadline is a legal obligation. For private sector organizations operating under NIS2, GDPR, or sector-specific frameworks that mandate "state of the art" security controls, failing to meet a published KEV remediation date is a documentable exception that will need formal risk acceptance or a disclosed breach justification.

Endpoint protection and identity infrastructure as a risk layer

CVE-2026-33825 is notable not just as a technical vulnerability but as a governance signal: when the antimalware platform itself becomes the escalation path, it exposes a gap in defense-in-depth assumptions. Risk frameworks that treat EDR and AV as controls without tracking the security of those controls' own platform components are incomplete. Risk registers should explicitly include Defender platform build version as a tracked control attribute, not just "Defender deployed: Yes/No."

CVE-2026-33826 compounds this by targeting Active Directory — the identity authority for most enterprise environments. AD is typically treated as infrastructure rather than an application requiring vulnerability management. Today's advisory is a reminder that AD services have an attack surface and must be subject to the same patch urgency as perimeter systems. Organizations operating under Zero Trust frameworks should treat unpatched AD services as a trust boundary failure, not just a patching backlog item.

Actionable governance decisions:

Ensure patch management and risk registers explicitly track CISA KEV deadlines as timestamped obligations requiring formal exception documentation if missed — treating CVE-2026-5281's April 15 deadline as a recordable event regardless of federal status.

Mandate that Defender platform build version be a tracked attribute in endpoint asset management, distinct from signature and engine version — this closes the CVE-2026-33825 visibility gap before the next similar vulnerability surfaces.

Escalate Active Directory patching cadence to match perimeter systems; the adjacent-network attack vector of CVE-2026-33826 does not make it less urgent inside a post-breach environment, which is precisely when the risk materializes.

Review browser update policy to confirm enforced restart and version floor enforcement — "Chrome installed" and "Chrome patched and running the patched version" are not the same operational state.

Chapter 06 - Adversary Emulation

Scenario 1 — T1203 / T1055: Chrome WebGPU Sandbox Escape Simulation (CVE-2026-5281)

Objective: Validate that endpoint and SOC controls detect post-sandbox-escape browser behavior — the consequence that matters operationally, since the exploit itself is not publicly available.

Setup: On an isolated endpoint running a vulnerable Chrome version (below 146.0.7680.177), use a benign test harness to simulate the post-escape behavior only: spawn cmd.exe or PowerShell from a Chrome renderer process context, and initiate an outbound DNS or HTTP request from the browser process immediately after a simulated crash event. Do not use or reproduce actual exploit code.

Expected detections:

SIGMA Rule 1 (Chrome Suspicious Child Process Spawn) should fire at high severity within the SIEM within seconds of cmd.exe or PowerShell spawning under chrome.exe.

EDR process tree should show the unexpected parent-child relationship and generate an alert.

Outbound connection from a crashed/restarting Chrome process should trigger network anomaly detection if behavioral baselines are configured.

Pass signal: High-severity SIEM and EDR alerts within the detection window; SOC analyst receives and triages the case.

Fail signal: No alert fires. Process tree is logged but not alerted. This indicates the SIGMA rule was not deployed or EDR behavioral rules are not scoped to browser processes — a critical detection gap given the active exploitation of this CVE.

Patch verification step: After patching, confirm via endpoint inventory query that Chrome version ≥ 146.0.7680.177 is present AND that the browser has been restarted. The SIEM version-floor pseudocode from Field 31 should return zero results after a successful patch push and restart enforcement.

Scenario 2 — T1190 / T1565.002: SharePoint Content Integrity Validation (CVE-2026-32201)

Objective: Validate that SharePoint monitoring detects unauthorized content modification — the direct operational impact of CVE-2026-32201 exploitation.

Setup: Using a standard (non-admin) test user account in a non-production SharePoint environment, attempt to upload a benign JavaScript file to the /SiteAssets/ directory and modify a test master page in /_catalogs/masterpage/. Record whether the action succeeds and whether an alert fires. Do not deploy anything that could affect production content.

Expected detections:

SIGMA Rule 2 (SharePoint Content Modification by Non-Admin) should fire on the file upload and master page modification events, filtered to the non-admin account.

SIEM HTTP anomaly pseudocode from Field 31 should capture the access sequence if the test account generates any 400-series errors before successful write access.

Change management tooling should log the modification with the initiating account and timestamp.

Pass signal: Monitoring fires before the analyst reviews the SharePoint environment; the modification is visible in both security and change management logs.

Fail signal: The file upload completes silently with no alert. This indicates SharePoint ULS audit logging is not forwarded to the SIEM, or the detection rule is not deployed — leaving the organization blind to exactly the behavior CVE-2026-32201 enables.

Retrospective hunting step: Run the SIEM HTTP error/success sequence query from Field 31 against SharePoint web front-end IIS logs covering the window from April 1 to April 15, 2026 — look for any client IP generating 400-series errors on _catalogs or _layouts paths followed by successful 200-series responses. Any hits warrant analyst review as potential pre-patch exploitation.

Scenario 3 — T1068: Defender Platform Privilege Escalation Coverage (CVE-2026-33825)

Objective: Validate that low-privilege interaction with Defender service objects generates alerts, and that patched Defender platform builds are correctly confirmed as non-exploitable.

Setup: In an isolated test environment with a known-vulnerable Defender platform build (do not test on production), use a low-privilege test account to attempt service object access against WinDefend using standard Windows API calls — specifically EventID 4673 and 4674 triggers (Sensitive Privilege Used / Operation on Privileged Object). Use a benign test script that calls OpenService(WinDefend) with elevated permissions from a medium-integrity process. Do not attempt actual privilege escalation; the goal is to confirm the detection surface.

Expected detections:

SIGMA Rule 3 (Defender Service Object Access by Non-Defender Process) should fire on the 4673/4674 events when a non-Defender process touches WinDefend at medium integrity.

EDR behavioral rules should flag the service access attempt.

If testing the 4697/7045 service-install path, the SIGMA rule's integrity-level filter should catch any medium-integrity service installation attempt targeting Defender.

Pass signal: SIEM and EDR alerts fire within the detection window; alert correctly identifies the non-Defender initiating process.

Fail signal: The API call completes without alerting. This indicates Windows Security Event forwarding is missing events 4673/4674, or the SIGMA rule is not deployed — leaving the EoP escalation path dark.

Patch verification step: On production endpoints, confirm the Defender Antimalware Platform build is at or above the Microsoft-specified fixed version via endpoint management console or registry query. Build version and engine version are separate — verify both. Document any endpoints where Defender is disabled or replaced and confirm they fall within the explicit exception list.

Scenario 4 — T1210: Active Directory RCE Adjacent-Network Coverage (CVE-2026-33826)

Objective: Validate that domain controllers generate and forward meaningful alerts when targeted by unexpected process creation from non-standard initiating hosts.

Setup: In a lab domain environment with a patched domain controller and a separate workstation on the same subnet, use a low-privilege test account on the workstation to attempt remote process creation on the DC using benign payloads (e.g., PsExec equivalent with no malicious payload, or a scheduled task creation via RPC). Stay within vendor guidance for safe testing. Do not test on production domain controllers.

Expected detections:

SIGMA Rule 4 (Domain Controller Anomalous Process Creation) should fire when cmd.exe or PowerShell appears on the DC with a non-services.exe parent initiated from the non-admin workstation.

SIEM Pseudocode (Suspicious Service Install on DC) should capture any service creation events initiated from the test workstation if it is not on the approved admin host list.

AD security logs (Event 4688) should capture the process creation with the initiating user and source host clearly logged.

Pass signal: Critical-severity alert fires; SOC analyst can trace the process creation back to the originating workstation and user account within the log data.

Fail signal: DC process creation event is logged but not alerted; or no 4688 events are generated on the DC (indicating process creation auditing is disabled on domain controllers — a common blind spot). This is a critical gap given that CVE-2026-33826 specifically targets AD service execution on DC-adjacent segments.

Patch verification step: Confirm the April 2026 Windows AD security update is applied to all domain controllers. Start with DCs in segments reachable from general workstation VLANs — these carry the highest adjacent-network exposure for CVE-2026-33826. Run the SIEM DC service install query from Field 31 against the last 48 hours as a baseline sweep before and after patch application.

Emulation summary — record-keeping requirement

For each scenario, document: whether the alert fired, time-to-alert from test initiation, team that received the alert, and any gaps identified. Convert gaps into specific detection engineering backlog items — not generic "improve monitoring" tasks. Each gap should have an owner, a targeted SIGMA or SIEM rule, and a re-test date within two weeks.

Intelligence Confidence78%

A score above 80 would require: CVSS confirmation for all four CVEs, at least one network IOC from a registered source, and source-confirmed MITRE mappings from a reputed vendor advisory.