CVE-2026-32202 - Windows Shell
Exploitation of Windows Shell CVE-2026-32202
ref: https://thehackernews.com/2026/04/microsoft-confirms-active-exploitation.html
Detection Query
setTimeInterval(start=1h, end=0h)
| in(field=#event_simpleName, values=[SmbClientShareClosedEtw, SmbClientShareLogonBruteForceLowThreshold, SmbClientShareLogonBruteForceSuspected, SmbClientShareOpenedEtw, SmbServerShareOpenedEtw, SmbServerV1AuditEtw, ProcessRollup2])
| !cidr(RemoteAddressIP4, subnet=["<<internal ip subnets>>"])
| default(field=[RemoteAddressIP4, LinkName], value="N/A", replaceEmpty=true)
| groupBy([ComputerName], function=([collect([#event_simpleName, SmbShareName, SmbClientName, ClientComputerName, DomainName, destination.ip, RemoteAddressIP4, LinkName])]), limit=20000)
| sort(RemoteAddressIP4)
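The CQL pipeline above keeps only the listed SMB and process events, drops events whose source address falls inside the internal subnets, fills empty RemoteAddressIP4 and LinkName values with "N/A", and collects the remaining fields per ComputerName. The Python below is an added illustration of that same logic run over constructed sample events; it is not part of the query page or of CrowdStrike's tooling. The RFC 1918 ranges stand in for the "<<internal ip subnets>>" placeholder, and the sample events, host names and addresses are made up. It assumes, as CQL does, that `cidr()` is false when the field is missing, so `!cidr()` keeps events with no RemoteAddressIP4.

```python
"""Stand-in for the CQL hunt above, run over constructed sample events.

Stages mirrored: event_simpleName allow-list, exclusion of internal source
subnets, defaulting of empty fields to "N/A", grouping by ComputerName with
per-field value collection, and ordering by RemoteAddressIP4.
"""
import ipaddress
from collections import defaultdict

# Event types the hunt keeps (same list as the CQL in() stage).
EVENT_TYPES = {
    "SmbClientShareClosedEtw", "SmbClientShareLogonBruteForceLowThreshold",
    "SmbClientShareLogonBruteForceSuspected", "SmbClientShareOpenedEtw",
    "SmbServerShareOpenedEtw", "SmbServerV1AuditEtw", "ProcessRollup2",
}

# Fields the CQL collect() gathers per ComputerName.
COLLECT_FIELDS = [
    "#event_simpleName", "SmbShareName", "SmbClientName", "ClientComputerName",
    "DomainName", "destination.ip", "RemoteAddressIP4", "LinkName",
]

# Assumed stand-in for the "<<internal ip subnets>>" placeholder in the query.
INTERNAL_SUBNETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def is_internal(ip, subnets):
    """cidr() stage: True only if ip parses and lies inside a listed subnet.

    A missing or empty address is treated as not matching, so the negated
    filter keeps such events (assumed to match CQL behaviour).
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(s) for s in subnets)


def hunt(events, internal_subnets=INTERNAL_SUBNETS):
    """Return {ComputerName: {field: sorted unique values}} for the kept events."""
    kept = []
    for ev in events:
        if ev.get("#event_simpleName") not in EVENT_TYPES:
            continue
        if is_internal(ev.get("RemoteAddressIP4", ""), internal_subnets):
            continue
        row = dict(ev)
        # default(..., replaceEmpty=true): fill missing or empty values with "N/A"
        for field in ("RemoteAddressIP4", "LinkName"):
            if not row.get(field):
                row[field] = "N/A"
        kept.append(row)

    grouped = defaultdict(lambda: defaultdict(set))
    for row in kept:
        host = row.get("ComputerName", "N/A")
        for field in COLLECT_FIELDS:
            if field in row:
                grouped[host][field].add(row[field])

    result = {h: {f: sorted(v) for f, v in fields.items()} for h, fields in grouped.items()}
    # sort(RemoteAddressIP4): order hosts by their lowest collected address
    return dict(sorted(result.items(),
                       key=lambda kv: kv[1].get("RemoteAddressIP4", ["N/A"])[0]))


# Constructed sample events; addresses are from documentation ranges.
SAMPLE_EVENTS = [
    {"#event_simpleName": "SmbServerShareOpenedEtw", "ComputerName": "FILESRV01",
     "SmbShareName": "\\\\FILESRV01\\share", "ClientComputerName": "UNKNOWN",
     "DomainName": "CORP", "RemoteAddressIP4": "203.0.113.7"},
    {"#event_simpleName": "SmbClientShareOpenedEtw", "ComputerName": "WS-042",
     "SmbShareName": "\\\\203.0.113.9\\share", "RemoteAddressIP4": "203.0.113.9",
     "LinkName": ""},                                   # empty LinkName -> "N/A"
    {"#event_simpleName": "SmbClientShareOpenedEtw", "ComputerName": "WS-042",
     "SmbShareName": "\\\\FILESRV01\\share", "RemoteAddressIP4": "10.1.2.3"},  # internal, dropped
    {"#event_simpleName": "ProcessRollup2", "ComputerName": "WS-042",
     "DomainName": "CORP"},                             # no address, kept as "N/A"
    {"#event_simpleName": "DnsRequest", "ComputerName": "WS-042",
     "RemoteAddressIP4": "198.51.100.4"},               # not in the allow-list
]

if __name__ == "__main__":
    for host, fields in hunt(SAMPLE_EVENTS).items():
        print(host)
        for field, values in fields.items():
            print(f"  {field}: {', '.join(values)}")
```

Feeding your own exported events into `hunt()` shows which rows the CIDR exclusion removes and which survive only because they carry no RemoteAddressIP4, which is the part of the query most worth checking before trusting its output.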
Author
ML
Data Sources
Endpoint, Network
Platforms
Windows, Linux, Network
Tags
Hunting, Monitoring, Detection
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: CVE-2026-32202 - Windows Shell
# Description of what the query does and its purpose.
description: |
  Exploitation of Windows Shell CVE-2026-32202
# The author or team that created the query.
author: ML
# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
  - Endpoint
  - Network
# Tags for filtering and categorization.
tags:
  - Hunting
  - Monitoring
  - Detection
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  setTimeInterval(start=1h, end=0h)
  | in(field=#event_simpleName, values=[SmbClientShareClosedEtw, SmbClientShareLogonBruteForceLowThreshold, SmbClientShareLogonBruteForceSuspected, SmbClientShareOpenedEtw, SmbServerShareOpenedEtw, SmbServerV1AuditEtw, ProcessRollup2])
  | !cidr(RemoteAddressIP4, subnet=["<<internal ip subnets>>"])
  | default(field=[RemoteAddressIP4, LinkName], value="N/A", replaceEmpty=true)
  | groupBy([ComputerName], function=([collect([#event_simpleName, SmbShareName, SmbClientName, ClientComputerName, DomainName, destination.ip, RemoteAddressIP4, LinkName])]), limit=20000)
  | sort(RemoteAddressIP4)
# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  ref: https://thehackernews.com/2026/04/microsoft-confirms-active-exploitation.html