Back to Blog
    Patch Tuesday

    July 2026 Patch Tuesday: 570 Patches, and the One That Matters Is Rated Moderate

    James McMurryJuly 14, 20268 min read

    Download the July 2026 Patch Tuesday Hunt Pack

    Three free Sigma rules for the exploited and high-signal flaws this cycle, including the exploited SharePoint CVE-2026-56164 and AD FS CVE-2026-56155. MIT licensed, no signup. Behavioral hunts, not exploit signatures. They import straight into Argillite and convert to Splunk, Microsoft Sentinel, Elastic, and QRadar with one command.

    Download Detection Pack (.yml)

    I do the same thing every Patch Tuesday, which is pull the list, sort it, and figure out what my team actually has to care about before anyone starts asking me. Tonight the list came back with 570 fixes on it. I have been doing this since 1994 and I have never typed that number before.

    Everybody is going to write about the 570. Ignore it for a minute, because the number is not the story.

    Here is the story. CVE-2026-56164 is a SharePoint flaw, missing authentication on a critical function, which lets an unauthorized attacker elevate privileges over the network. Microsoft says it is being exploited in attacks. Microsoft also rated it Moderate.

    We all know how triage actually works in a real shop. You sort by severity, you start at the top, and you work down until the window closes. So a Moderate lands underneath fifty-nine Criticals and quietly becomes next quarter’s problem, while the thing attackers are actually using today sits there untouched. That is not a Microsoft failure, that is what happens when we let a scoring formula do our thinking for us.

    Patch it. If you cannot patch it tonight, turn on AMSI and set Request Body Scan to Full, which Microsoft says will mitigate it.

    The other two zero-days

    CVE-2026-56155 is an AD FS elevation of privilege from insufficient granularity of access control, it is rated local, and Microsoft confirms it is being exploited.

    I want to talk about the word local for a second, because on an AD FS box it does not mean what your ticketing system thinks it means. That server holds your token signing keys. Anyone who gets on it can mint tokens for any user against any relying party you have ever configured, which means local privilege escalation on that host is a full federated identity compromise everywhere else. If you still run AD FS on-prem, and plenty of us do, it is a domain controller wearing a different hat. Treat it like one.

    CVE-2026-50661 is a BitLocker bypass that needs physical access, publicly disclosed and not yet exploited. I know, physical access, everybody scrolls past those. Do not scroll past this one. Your sales folks leave laptops in rental cars and Ubers, and every lost-device conversation you have ever had with an auditor quietly assumed BitLocker was holding the line.

    About that 570

    Microsoft told us last week where this came from, and they were straight about it. They are running an AI system across the Windows codebase to find flaws before attackers do, and that is the whole explanation for the number.

    I actually think that is Microsoft doing the right thing, and I want to say that plainly. Their engineering did not fall apart this month and researchers did not suddenly rediscover Windows. A machine read code at a speed no human review was ever going to match and it found what has been sitting quietly in the file system drivers and the media stack for years. Good. I would rather they find it than the other guys find it.

    But look at what that does to the rest of us. Discovery just got industrialized and remediation did not. Change control still meets on Thursdays, the window is still four hours long, and the same person is still doing the reboots. Microsoft can now find and ship at machine speed, and the receiving end of that pipeline is a human being with a spreadsheet and a production owner who will not give up the downtime.

    So the problem is not the 570, and the problem is not Microsoft. The problem is that most of us are running a remediation program built for 60 patches a month and telling ourselves it still works. It worked because the volume was survivable, not because the program was good. That is over now, and Microsoft has already said more is coming.

    What I would actually work first

    Sort by what an attacker can reach, then by what holds your identity, then everything else.

    DHCP is where I start, because CVE-2026-50518, CVE-2026-50370, CVE-2026-56159, and CVE-2026-48564 are all Critical RCE in a role that listens by default, runs privileged, parses whatever gets handed to it, and sits on the same wire as everything you care about.

    Then the network stack, which is CVE-2026-54999 in TCP/IP, CVE-2026-56188 in the server network driver, and CVE-2026-54995 and CVE-2026-54982 in RMCAST. These are the ones that go from patch to weaponized about as fast as somebody can diff them.

    Then WSUS, CVE-2026-50444, a Critical elevation of privilege on the box that pushes signed content to every Windows machine you own. Sit with that one for a second.

    Print Spooler is back again with CVE-2026-58608, Critical RCE, and it should not be running anywhere it does not have to be, which we have all been saying for years now. SQL Server has CVE-2026-54118 and CVE-2026-54117, Critical RCE, and that is where your data actually lives no matter what the asset inventory says.

    Virtualization is next with Hyper-V in CVE-2026-50680 and CVE-2026-54127, VMSwitch in CVE-2026-57092, and Secure Kernel Mode in CVE-2026-50392 and CVE-2026-42982. Once somebody is at the hypervisor layer every host underneath is just a file on a datastore, and we have watched that play out on engagements more than once.

    Identity is last on my list and it is not last in importance, and that is AD DS RCE in CVE-2026-49164, AD CS elevation of privilege in CVE-2026-54121, Netlogon in CVE-2026-50346, and Exchange spoofing in CVE-2026-55008. The AD CS one deserves more attention than it will get. Certificate abuse is still the quietest road to permanent domain compromise that we find in the field.

    One more worth your time is CVE-2026-58644 and CVE-2026-50522, both Critical SharePoint RCE, plus CVE-2026-55040, a Critical SharePoint bypass. Same product as an exploited zero-day, same month. Researchers and attackers are both reading that codebase right now.

    The rules

    A CVE list is homework and detection content is a control, and the gap between those two is where people get hurt.

    Microsoft has not published exploitation details for either of the exploited flaws, which is normal and expected, and it means what I am giving you here are behavioral hunts and not exploit signatures. They look for the outcome instead of the mechanics. They will fire on legitimate admin work in some environments, so tune them against your own baseline before you promote them out of a hunting queue.

    All three are Sigma and they import straight into Argillite. You can download the whole pack as a single .yml, or read them below.

    Rule 1 — Suspicious child process from a SharePoint IIS worker process (CVE-2026-56164)

    title: Suspicious Child Process from SharePoint IIS Worker Process
    id: 8f2b1c40-3d7e-4a91-b6c2-1e5a9d0f7c31
    status: experimental
    description: >
      Detects w3wp.exe hosting a SharePoint application pool spawning command
      interpreters or script hosts. Written as a post-exploitation hunt for
      CVE-2026-56164, a Microsoft SharePoint Server elevation of privilege flaw
      that Microsoft describes as missing authentication for a critical function,
      exploitable by an unauthorized attacker over the network, and confirmed
      exploited in attacks as of the July 2026 Patch Tuesday release. Microsoft
      has not published exploitation details, so this rule targets the outcome of
      successful exploitation rather than the delivery mechanism.
    references:
      - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56164
    author: James McMurry, ThreatHunter.ai
    date: 2026/07/14
    tags:
      - attack.initial_access
      - attack.t1190
      - attack.execution
      - attack.t1059.001
      - attack.t1059.003
      - attack.persistence
      - attack.t1505.003
      - cve.2026.56164
    logsource:
      category: process_creation
      product: windows
    detection:
      selection_parent:
        ParentImage|endswith: '\w3wp.exe'
        ParentCommandLine|contains:
          - 'SharePoint'
          - 'SecurityTokenServiceApplicationPool'
          - '_layouts'
      selection_child:
        Image|endswith:
          - '\cmd.exe'
          - '\powershell.exe'
          - '\pwsh.exe'
          - '\cscript.exe'
          - '\wscript.exe'
          - '\mshta.exe'
          - '\rundll32.exe'
          - '\regsvr32.exe'
          - '\certutil.exe'
          - '\bitsadmin.exe'
          - '\curl.exe'
          - '\net.exe'
          - '\net1.exe'
          - '\whoami.exe'
          - '\nltest.exe'
      filter_known_good:
        Image|endswith:
          - '\Microsoft Shared\Web Server Extensions\16\BIN\stsadm.exe'
          - '\Microsoft Shared\Web Server Extensions\15\BIN\stsadm.exe'
      condition: selection_parent and selection_child and not filter_known_good
    fields:
      - ComputerName
      - User
      - ParentCommandLine
      - CommandLine
      - IntegrityLevel
    falsepositives:
      - SharePoint timer jobs and provisioning workflows that legitimately shell out
      - Farm administrators running maintenance scripts through the web tier
      - Monitoring and backup agents that instrument the application pool
    level: high

    Rule 2 — AD FS service host anomalous behavior or token signing key access (CVE-2026-56155)

    title: AD FS Service Host Anomalous Behavior or Token Signing Key Access
    id: c47e9a12-6b83-4f52-9d0a-72c3b8e15f6d
    status: experimental
    description: >
      Detects child process execution from the AD FS service host and access to AD FS
      token signing material or configuration. Written as a post-exploitation hunt for
      CVE-2026-56155, an Active Directory Federation Services elevation of privilege
      flaw caused by insufficient granularity of access control, confirmed exploited
      in attacks in the July 2026 Patch Tuesday release. Successful exploitation on an
      AD FS server
      should be treated as a path to federated identity compromise, because control
      of the token signing key allows an attacker to mint tokens for any relying party.
    references:
      - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56155
    author: James McMurry, ThreatHunter.ai
    date: 2026/07/14
    tags:
      - attack.privilege_escalation
      - attack.t1068
      - attack.credential_access
      - attack.t1552.004
      - attack.t1606.002
      - attack.defense_evasion
      - cve.2026.56155
    logsource:
      category: process_creation
      product: windows
    detection:
      selection_adfs_child:
        ParentImage|endswith:
          - '\Microsoft.IdentityServer.ServiceHost.exe'
        Image|endswith:
          - '\cmd.exe'
          - '\powershell.exe'
          - '\pwsh.exe'
          - '\rundll32.exe'
          - '\regsvr32.exe'
          - '\mshta.exe'
          - '\net.exe'
          - '\net1.exe'
          - '\whoami.exe'
      selection_key_access:
        CommandLine|contains:
          - 'Get-AdfsCertificate'
          - 'Set-AdfsCertificate'
          - 'Export-AdfsDeploymentSQLScript'
          - 'Get-AdfsProperties'
          - 'Set-AdfsProperties'
          - 'Add-AdfsClient'
          - 'Set-AdfsClient'
          - 'Add-AdfsRelyingPartyTrust'
          - 'Set-AdfsRelyingPartyTrust'
          - 'Add-AdfsClaimsProviderTrust'
          - 'Update-AdfsCertificate'
          - 'Get-AdfsSslCertificate'
          - 'AdfsDkm'
      selection_dump_tooling:
        CommandLine|contains:
          - 'AADInternals'
          - 'Export-AADIntADFSSigningCertificate'
          - 'Get-AADIntADFSConfiguration'
          - 'ADFSDump'
      filter_known_good:
        User|contains:
          - 'ADFS_SVC'
        ParentImage|endswith:
          - '\SMSvcHost.exe'
      condition: (selection_adfs_child or selection_key_access or selection_dump_tooling) and not filter_known_good
    fields:
      - ComputerName
      - User
      - ParentImage
      - CommandLine
      - IntegrityLevel
    falsepositives:
      - Scheduled certificate rollover performed by farm administrators
      - Documented AD FS configuration changes during migration or onboarding work
      - Configuration management tooling that drives AD FS through PowerShell
    level: high

    Rule 3 — BitLocker protection disabled, suspended, or recovery key exposure (CVE-2026-50661)

    title: BitLocker Protection Disabled, Suspended, or Recovery Key Exposure
    id: 5a6d0e73-91cf-4b28-8e14-c0f7a2b6d493
    status: experimental
    description: >
      Detects BitLocker being disabled or suspended, boot configuration changes that
      weaken pre-boot integrity, and recovery key retrieval. Written as a defensive
      hunt around CVE-2026-50661, a publicly disclosed Windows BitLocker security
      feature bypass that allows an attacker with physical access to reach data on
      an encrypted system storage device, addressed in the July 2026 Patch Tuesday
      release. A pure offline physical attack will not generate host telemetry, so
      this rule covers the adjacent activity that precedes, enables, or follows such
      an attack, including insider staging and post-recovery tampering.
    references:
      - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50661
    author: James McMurry, ThreatHunter.ai
    date: 2026/07/14
    tags:
      - attack.defense_evasion
      - attack.t1562.001
      - attack.t1542.001
      - attack.credential_access
      - attack.t1555
      - cve.2026.50661
    logsource:
      category: process_creation
      product: windows
    detection:
      selection_managebde:
        Image|endswith: '\manage-bde.exe'
        CommandLine|contains:
          - '-off'
          - '-protectors -disable'
          - '-pause'
          - '-recoverypassword'
          - '-forcerecovery'
      selection_powershell:
        CommandLine|contains:
          - 'Disable-BitLocker'
          - 'Suspend-BitLocker'
          - 'Get-BitLockerVolume'
          - 'BackupToAAD-BitLockerKeyProtector'
          - 'Remove-BitLockerKeyProtector'
      selection_bcdedit:
        Image|endswith: '\bcdedit.exe'
        CommandLine|contains:
          - 'testsigning'
          - 'nointegritychecks'
          - 'bootstatuspolicy'
          - 'recoveryenabled'
          - 'safeboot'
          - '/set {bootmgr}'
      selection_reagentc:
        Image|endswith: '\reagentc.exe'
        CommandLine|contains:
          - '/disable'
          - '/setosimage'
          - '/boottore'
      filter_known_good:
        ParentImage|endswith:
          - '\TrustedInstaller.exe'
          - '\CcmExec.exe'
          - '\MsiExec.exe'
      condition: 1 of selection_* and not filter_known_good
    fields:
      - ComputerName
      - User
      - ParentImage
      - CommandLine
    falsepositives:
      - Firmware and BIOS updates that legitimately suspend BitLocker for one reboot
      - Imaging, provisioning, and OS upgrade workflows driven by SCCM or Intune
      - Help desk staff performing authorized recovery on a locked out user
    level: medium

    Homework

    Two of these are being exploited right now and one of them is rated Moderate, and that is the part I want you to take out of tonight.

    Patch AD FS. Mitigate SharePoint, AMSI on, Request Body Scan Full. Get DHCP and the domain controllers scheduled this week. Read the exploited list before the Critical list. Then work the rest by what is reachable and what holds your keys.

    And then go have the harder conversation with your leadership, because you are not getting through 570 a month and you are not getting through the next one either. You do not need another blinking product to fix that. You need to stop believing that a severity rating describes your risk, because right now the flaw everybody is skipping is the one already walking around inside somebody’s network.

    I put the three rules above. Import them, tune them, and come find me at VETCON if you want to argue about them.

    Questions on this advisory or prioritization guidance for your environment? Contact your ThreatHunter.ai analyst or reach us at support@threathunter.ai.