Background
CVE-2026-41089 is a stack-based buffer overflow in the Windows Netlogon service rated CVSS 9.8. An unauthenticated attacker with network access to TCP 135 (RPC endpoint mapper) or the dynamic RPC port range on a domain controller can send a malformed NRPC request that overflows a fixed-size stack buffer, redirecting execution to attacker-controlled shellcode running as SYSTEM — before any authentication exchange occurs.
Belgium’s Centre for Cybersecurity confirmed active exploitation on 29 May 2026, seventeen days after Microsoft patched the vulnerability in the May 2026 Patch Tuesday release. CISA KEV addition is expected imminently.
The patch is the only complete remediation. This guide covers detection layers for organisations that cannot patch immediately, and post-exploitation monitoring for all environments regardless of patch status.
What to Detect
The exploitation path has three detection opportunities:
- Pre-exploit: anomalous NRPC traffic — oversized or malformed Netlogon RPC packets reaching a domain controller from unexpected sources
- Exploitation: SYSTEM-level shellcode execution spawned from the Netlogon service (
lsass.exeornetlogon.exespawning unexpected child processes) - Post-exploitation: AD manipulation — privileged account creation, GPO modification, NTDS.DIT access, Golden Ticket issuance
Network-Layer Detection (Suricata/Snort)
Exploitation involves a malformed NRPC packet significantly exceeding normal parameter sizes. The following Suricata rule concept flags oversized payloads directed at domain controller RPC ports:
alert tcp any any -> $DC_HOSTS [135,49152:65535] (
msg:"CVE-2026-41089 Netlogon RPC Overflow Attempt — Oversized Payload";
flow:established,to_server;
content:"|05|";
offset:0;
depth:1;
dsize:>4096;
threshold:type limit, track by_src, count 1, seconds 60;
classtype:attempted-admin;
reference:cve,2026-41089;
sid:20260001;
rev:1;
)
Note: This rule is intentionally broad. Refine the dsize threshold after baselining normal NRPC packet sizes in your environment (legitimate domain join/auth traffic rarely exceeds 1500 bytes). Your IDS vendor’s CVE-specific signature feed will have protocol-aware rules with lower false-positive rates.
Define $DC_HOSTS as a host group containing all domain controller IP addresses — do not apply this rule to the entire network.
Sigma Rules
Rule 1: Unexpected Child Process from Netlogon or LSASS
Successful exploitation of the pre-authentication buffer overflow results in shellcode executing within the Netlogon service context. The attacker’s first action is typically to spawn a new process (cmd.exe, PowerShell, or a staged loader). This is highly abnormal — these processes should not spawn child processes under any legitimate operating conditions.
title: Suspicious Process Spawned by Netlogon or LSASS Service
id: a7f3e821-cc4d-4b2e-9d1a-8e5c3f0b6d92
status: experimental
description: Detects a child process spawned directly by lsass.exe or by a process with the Netlogon service name, which may indicate successful exploitation of CVE-2026-41089 or similar pre-auth RCE vulnerabilities in authentication services.
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089
author: SOC Analyst Hub
date: 2026/06/05
tags:
- attack.execution
- attack.t1210
- cve.2026-41089
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\lsass.exe'
selection_services:
ParentImage|endswith:
- '\svchost.exe'
ParentCommandLine|contains:
- 'Netlogon'
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\rundll32.exe'
- '\regsvr32.exe'
condition: (selection_parent or selection_services) and selection_child
falsepositives:
- Highly unlikely for lsass.exe; monitor for any output and tune aggressively
level: critical
Rule 2: NTDS.DIT Access on Domain Controller
Post-exploitation, attackers frequently attempt to extract the NTDS.DIT file — the Active Directory database containing all domain password hashes. This should trigger on any access to the file outside of ntdsai.dll/ntdsa.dll context.
title: NTDS.DIT File Accessed by Non-System Process on Domain Controller
id: b9c1d432-aa5e-4f3c-8b2e-7a4d6e0c9f01
status: experimental
description: Detects file access to NTDS.DIT by any process other than expected Windows AD processes. On a compromised DC, attackers access this file directly or via VSS shadow copies to extract all domain credential hashes.
references:
- https://attack.mitre.org/techniques/T1003/003/
author: SOC Analyst Hub
date: 2026/06/05
tags:
- attack.credential_access
- attack.t1003.003
logsource:
product: windows
service: security
detection:
selection:
EventID: 4663
ObjectName|contains: '\ntds.dit'
filter_system:
SubjectUserName|endswith: '$'
ProcessName|endswith:
- '\lsass.exe'
- '\ntdsai.dll'
- '\ntdsa.dll'
condition: selection and not filter_system
falsepositives:
- Legitimate AD backup solutions (Veeam, Windows Server Backup) — allowlist their service account names
level: high
Rule 3: GPO Modification Following Anomalous DC Activity
Post-exploitation, ransomware operators and APT actors both modify Group Policy Objects to push payloads or establish persistence. Event ID 5136 captures DS object changes.
title: Group Policy Object Modified — Potential Post-Exploitation Persistence
id: c2d4e543-bb6f-5g4d-9c3f-8b5e7f1d0g13
status: experimental
description: Detects modification of Group Policy Objects (GPO) via DS object change events. In post-exploitation scenarios on compromised domain controllers, attackers modify GPOs to push ransomware loaders, create privileged accounts, or disable security controls domain-wide.
references:
- https://attack.mitre.org/techniques/T1484/001/
author: SOC Analyst Hub
date: 2026/06/05
tags:
- attack.defense_evasion
- attack.t1484.001
logsource:
product: windows
service: security
detection:
selection:
EventID: 5136
ObjectClass: groupPolicyContainer
AttributeLDAPDisplayName:
- gPCFileSysPath
- gPCMachineExtensionNames
- gPCUserExtensionNames
- versionNumber
filter_expected:
SubjectUserName|endswith: '$'
condition: selection and not filter_expected
falsepositives:
- Planned GPO changes by authorized administrators — correlate with change management records
level: high
Windows Audit Policy Prerequisites
These detections require specific audit policies to be enabled on domain controllers:
# Enable required audit subcategories
AuditPol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
AuditPol /set /subcategory:"Account Management" /success:enable /failure:enable
AuditPol /set /subcategory:"File System" /success:enable /failure:enable
# Verify current state
AuditPol /get /subcategory:"Directory Service Changes"
AuditPol /get /subcategory:"File System"
Also configure SACL (System Access Control List) on %SystemRoot%\NTDS\ntds.dit to trigger Event ID 4663 on read access.
Triage: If You See These Alerts Fire
If Rule 1 fires (child process from LSASS), treat it as a confirmed compromise and initiate incident response immediately — there is no benign explanation for this event on a production domain controller. Isolate the DC from the network before attempting forensic collection; a compromised DC can authenticate forged Kerberos tickets until it is isolated.
If Rules 2 or 3 fire, correlate with network logs for anomalous NRPC traffic in the preceding 30 minutes. Check:
# Recent privileged account creation on this DC
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720,4728,4732; StartTime=(Get-Date).AddHours(-2)} |
Select-Object TimeCreated, Message | Format-List
Patch Verification
Patching remains the only complete remediation. Verify all domain controllers are patched:
Invoke-Command -ComputerName (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName) -ScriptBlock {
$hotfixes = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 3
[PSCustomObject]@{
Hostname = $env:COMPUTERNAME
OS = (Get-WmiObject Win32_OperatingSystem).Caption
LastPatch = $hotfixes[0].InstalledOn
RecentKBs = ($hotfixes | ForEach-Object { $_.HotFixID }) -join ', '
}
} | Format-Table -AutoSize
MITRE ATT&CK Coverage
| Technique | ID | Detection |
|---|---|---|
| Exploit Public-Facing Application / Remote Services | T1210 | Network rule + Rule 1 |
| OS Credential Dumping: NTDS | T1003.003 | Rule 2 |
| Domain Policy Modification: Group Policy | T1484.001 | Rule 3 |
| Account Creation | T1136.002 | Event ID 4720 monitoring |