CVE-2026-41089: MITRE ATT&CK Mapping, SIEM Queries, and Domain Controller Hardening
Jun 11, 2026
CVE-2026-41089: MITRE ATT&CK Mapping, SIEM Queries, and Domain Controller Hardening
The final part of this series maps CVE-2026-41089's full attack chain to MITRE ATT&CK, provides production-ready SIEM queries across all major platforms, documents the log sources and behavioral indicators your SOC needs, and delivers a prioritized Domain Controller hardening checklist that addresses this vulnerability class at the architectural level — not just this CVE.
MITRE ATT&CK Mapping
CVE-2026-41089 maps across multiple ATT&CK tactics depending on how far the attacker progresses. The DoS path covers three tactics reliably. Full RCE, if achieved, extends through seven. Each technique below is directly tied to an observable stage in the attack chain.
| Tactic | Technique | ID | CVE-2026-41089 Context |
|---|---|---|---|
| Reconnaissance | Active Scanning: Scanning IP Blocks | T1595.001 | Scanning for UDP 389 across Internet-exposed or DMZ-reachable IP ranges to identify active domain controllers before sending the exploit packet |
| Reconnaissance | Gather Victim Network Information: Network Topology | T1590.004 | Sending a benign CLDAP ping to collect DNS domain name length — the prerequisite check before committing the overflow packet |
| Initial Access | Exploit Public-Facing Application | T1190 | Direct exploitation of the CLDAP DC locator handler in netlogon.dll on an
Internet-accessible or DMZ-reachable domain controller |
| Execution | Exploitation for Client Execution | T1203 | Triggering code execution via the stack buffer overflow — attacker-controlled execution in LSASS context if RCE is achieved beyond the DoS stage |
| Persistence | Create Account: Domain Account | T1136.002 | Post-RCE creation of new privileged domain accounts (Domain Admin, Enterprise Admin) for persistent access that survives reboots and credential resets |
| Persistence | Scheduled Task / Job | T1053 | Scheduled tasks or WMI subscriptions installed on DC systems post-exploitation for persistent code execution |
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 | The buffer overflow itself — escalating from network-adjacent unauthenticated attacker to SYSTEM-level code execution inside LSASS on the domain controller |
| Defense Evasion | Rogue Domain Controller (DCShadow) | T1207 | Registering a rogue DC to inject unauthorized changes into Active Directory replication stream, bypassing normal AD audit logging |
| Credential Access | OS Credential Dumping: DCSync | T1003.006 | Using LSASS execution context to perform DCSync and extract all domain credential hashes including the
krbtgt secret without touching individual endpoint machines
|
| Credential Access | OS Credential Dumping: LSASS Memory | T1003.001 | Direct access to LSASS memory from within the same process context — extracts every password hash and Kerberos ticket active on that DC at the time of exploitation |
| Lateral Movement | Use Alternate Authentication Material: Pass the Ticket | T1550.003 | Forging Golden Tickets using the stolen krbtgt hash — tickets valid for 10+ years by
default, surviving domain-wide password resets, enabling forest-wide lateral movement |
| Lateral Movement | Exploitation of Remote Services | T1210 | Using Golden Ticket or extracted credentials to move laterally from the compromised DC into other systems across domain trusts and subsidiary environments |
| Impact | Network Denial of Service | T1498 | The primary weaponized outcome today — crashing LSASS causes a ~60-second domain-wide authentication outage; repeatable on demand with zero credentials |
| Impact | Data Encrypted for Impact | T1486 | Ransomware deployment via Group Policy Object modification — GPO gives the attacker a single-operation push mechanism across every domain-joined machine simultaneously |
ATT&CK Navigator Coverage — DoS Path vs. Full RCE Path
| Path | Tactics Covered | Techniques | Reliability |
|---|---|---|---|
| DoS path (confirmed today) | Reconnaissance → Initial Access → Impact | T1595.001, T1590.004, T1190, T1498 | High — public PoC, in-the-wild confirmed |
| Full RCE path (theoretical) | Reconnaissance → Initial Access → Execution → Persistence → Privilege Escalation → Defense Evasion → Credential Access → Lateral Movement → Impact | All 14 techniques above | Low — GS cookie barrier; not yet seen at scale |
Log Sources: What You Need Enabled
Detection coverage across this attack chain requires log sources that are not enabled by default on Windows Server. Verify these are active on every domain controller before relying on any of the SIEM queries below.
| Log Source | Key Events | Enabled by Default? | Enables Detection Of |
|---|---|---|---|
| Windows Application Event Log | Event ID 1000 (LSASS crash) | Yes | Primary exploit trigger — LSASS crash with netlogon.DLL faulting module,
exception 0xc0000409 |
| Windows System Event Log | Event IDs 1074, 6006, 6008 (reboot/shutdown) | Yes | Unexpected DC reboots; correlate with Application log crash events |
| Windows Security Event Log | Event IDs 4624, 4662, 4720, 4728, 4732, 4768, 4769, 4771, 4776 | Partial — advanced audit policy required for 4662, 4728 | DCSync replication rights abuse, privileged account creation, Kerberos anomalies, NTLM failures post-crash |
| Sysmon (Event IDs 1, 3, 10) | EID 1 (Process Creation), EID 3 (Network Connection), EID 10 (Process Access) | No — requires Sysmon deployment | LSASS child process spawning (post-RCE), outbound connections from LSASS, process injection into LSASS memory |
| Netlogon Debug Log | All CLDAP request/response details | No — requires nltest /dbflag:0x2080ffff |
Oversized Username attributes in CLDAP pings; NtVer value anomalies; attacker reconnaissance activity |
| Network IDS/IPS (Suricata / Zeek) | UDP 389 payload inspection | No — requires sensor deployment on DC network segments | Exploit packet detection (oversized User attribute, NtVer = 0x02000000); pre-crash network indicators |
| RPC Audit Logs | Netlogon RPC endpoint access | No — requires RPC filtering configuration on DCs | Unauthorized Netlogon RPC connections from non-domain-member hosts |
| DNS / AD Replication Logs | New replication partner registrations | Partial | DCShadow attack — rogue DC registration in AD Sites and Services |
SIEM Queries: Full Coverage Across Platforms
Splunk
# ── QUERY 1: LSASS crash from netlogon.DLL overflow ────────────────────── index=wineventlog source="WinEventLog:Application" EventID=1000 Process_Name="lsass.exe" Module_Name="netlogon.DLL" Exception_Code="0xc0000409" | eval risk="CRITICAL - CVE-2026-41089 candidate" | table _time, host, Process_Name, Module_Name, Exception_Code, risk # ── QUERY 2: Unexpected DC reboot (no prior maintenance window event) ──── index=wineventlog source="WinEventLog:System" (EventID=1074 OR EventID=6008) | eval reboot_type=if(EventID=6008,"Unexpected shutdown","Admin/patch reboot") | table _time, host, EventID, reboot_type, Message # ── QUERY 3: LSASS child process (post-RCE signal) ─────────────────────── index=sysmon EventCode=1 ParentImage="*\\lsass.exe" | eval risk="CRITICAL - Abnormal LSASS child process" | table _time, host, Image, ParentImage, CommandLine, User, risk # ── QUERY 4: Outbound network from LSASS (post-RCE signal) ────────────── index=sysmon EventCode=3 Image="*\\lsass.exe" NOT dest_ip IN ("127.0.0.1","::1") | eval risk="CRITICAL - LSASS outbound connection" | table _time, host, Image, dest_ip, dest_port, risk # ── QUERY 5: DCSync — DS-Replication-Get-Changes-All abuse ────────────── index=wineventlog source="WinEventLog:Security" EventID=4662 Object_Type="*domainDNS*" Access_Mask="0x100" NOT SubjectUserName IN ("*$","MSOL_*","AADConnect*") | eval risk="HIGH - Possible DCSync / credential harvest" | table _time, host, SubjectUserName, Object_Name, Access_Mask, risk # ── QUERY 6: Privileged group change outside business hours ────────────── index=wineventlog source="WinEventLog:Security" EventID IN (4728, 4732, 4756) | eval hour=strftime(_time,"%H") | where hour < 8 OR hour > 18 | eval risk="HIGH - Off-hours privileged group modification" | table _time, host, SubjectUserName, MemberName, GroupName, risk # ── QUERY 7: Domain-wide 60s auth failure spike (DoS pattern) ─────────── index=wineventlog source="WinEventLog:Security" EventID IN (4771, 4776) | timechart span=10s count AS auth_failures by host | where auth_failures > 50
Elastic / KQL
# ── LSASS crash with netlogon faulting module ───────────────────────────── event.code:1000 AND process.name:lsass.exe AND winlog.event_data.ModuleName:*netlogon* AND winlog.event_data.ExceptionCode:0xc0000409 # ── LSASS child process spawned ────────────────────────────────────────── event.code:1 AND process.parent.name:lsass.exe AND NOT process.name:(csrss.exe OR wininit.exe OR services.exe) # ── Outbound connection from LSASS ─────────────────────────────────────── event.code:3 AND process.name:lsass.exe AND NOT destination.ip:(127.0.0.1 OR "::1" OR "0:0:0:0:0:0:0:1") # ── DCSync replication rights access ───────────────────────────────────── event.code:4662 AND winlog.event_data.ObjectType:*domainDNS* AND winlog.event_data.AccessMask:0x100 AND NOT winlog.event_data.SubjectUserName:(*$ OR MSOL_*) # ── Unexpected DC reboot ────────────────────────────────────────────────── event.code:(1074 OR 6008) AND winlog.channel:System
Microsoft Sentinel (KQL)
// ── LSASS crash with netlogon.DLL faulting module ──────────────────────── SecurityEvent | where EventID == 1000 | where CommandLine has "lsass.exe" and CommandLine has "netlogon.DLL" and CommandLine has "0xc0000409" | project TimeGenerated, Computer, CommandLine | extend Risk = "CRITICAL - CVE-2026-41089 candidate" // ── DCSync: DS-Replication-Get-Changes-All from non-DC account ─────────── SecurityEvent | where EventID == 4662 | where ObjectType contains "domainDNS" | where AccessMask == "0x100" | where SubjectUserName !endswith "$" | where SubjectUserName !startswith "MSOL_" | project TimeGenerated, Computer, SubjectUserName, ObjectName | extend Risk = "HIGH - DCSync / krbtgt harvest candidate" // ── Off-hours privileged group modification ─────────────────────────────── SecurityEvent | where EventID in (4728, 4732, 4756) | where hourofday(TimeGenerated) !between (8 .. 18) | project TimeGenerated, Computer, SubjectUserName, MemberName, TargetUserName | extend Risk = "HIGH - Off-hours privileged group change" // ── Auth failure spike (60s window DoS detection) ──────────────────────── SecurityEvent | where EventID in (4771, 4776) | summarize FailureCount = count() by bin(TimeGenerated, 10s), Computer | where FailureCount > 50 | extend Risk = "MEDIUM - Possible DC authentication outage" // ── Kerberos ticket anomaly: TGS without preceding TGT on same host ────── let tgt_requests = SecurityEvent | where EventID == 4768 | project TGT_Time=TimeGenerated, TGT_Host=Computer, TGT_User=TargetUserName; let tgs_requests = SecurityEvent | where EventID == 4769 | project TGS_Time=TimeGenerated, TGS_Host=Computer, TGS_User=TargetUserName; tgs_requests | join kind=leftanti tgt_requests on $left.TGS_User == $right.TGT_User | where TGS_Time > ago(1h) | extend Risk = "HIGH - TGS without TGT - possible Golden Ticket use"
Domain Controller Hardening: Prioritized Checklist
The following controls address CVE-2026-41089 directly and harden DCs against the full class of pre-authentication Netlogon attacks — not just this CVE. Controls are organized by implementation priority.
P1 — Patch all DCs in the same window
IMMEDIATE
Apply KB5089549 (May 2026 Patch Tuesday) to all domain controllers simultaneously. Verify with
wmic qfe get HotFixID | findstr KB5089549 and SHA-256 hash check on
netlogon.dll. A forest with one unpatched DC is still a fully exploitable forest.
P1 — Block UDP 389 from untrusted sources
IMMEDIATE
Apply Windows Firewall Advanced Security rules and perimeter/internal firewall policy to restrict CLDAP
(UDP 389) inbound to domain-joined hosts and explicitly approved management subnets. Block unconditionally
from any Internet-facing or DMZ address. This eliminates the external attack vector entirely.
P1 — Enable Sysmon with LSASS process rules on all DCs
IMMEDIATE
Deploy Sysmon with rules capturing Event ID 1 (child processes of
lsass.exe), Event ID 3
(outbound connections from lsass.exe), and Event ID 10 (process access to
lsass.exe). These are the only reliable detection signals for post-RCE activity in LSASS
context. Windows Application Event Log alone is insufficient.
P1 — Enable Advanced Audit Policy for DC Security Events
IMMEDIATE
Configure via Group Policy: Computer Configuration → Windows Settings → Security Settings →
Advanced Audit Policy. Enable: DS Access (4662 — Directory Service Access), Account Management
(4720, 4728, 4732, 4756), Account Logon (4768, 4769, 4771, 4776), and System (4609 — shutdown events).
Without DS Access auditing, DCSync attacks are invisible in Security logs.
P2 — Network micro-segmentation for DC communication
HIGH
Enforce zone boundaries so no host outside a defined DC management subnet can reach DCs on UDP 389,
TCP 445 (SMB), TCP 135 (RPC endpoint mapper), or Netlogon RPC dynamic ports. East-west DC access should
be allow-listed only for domain members, admin jump boxes, and backup agents — deny-by-default for
everything else. Flat networks where any host can reach any DC are the highest-risk configuration.
P2 — Tier 0 / Privileged Access Workstation (PAW) architecture
HIGH
Enforce strict AD tiering: Tier 0 assets (DCs, AD Connect, PKI) must only be administered from dedicated
PAWs. Credential material from Tier 1 and Tier 2 systems must never be present on domain controllers.
Any compromise that lands credential access to a DC should not be reachable from a normal workstation
or admin laptop.
P2 — Windows Credential Guard on all DCs
HIGH
Credential Guard isolates credential material using virtualization-based security (VBS), placing NTLM
hashes and Kerberos TGTs in a protected container inaccessible from the LSASS process. Even if an
attacker achieves code execution in LSASS context, Credential Guard prevents direct credential extraction
from memory. Requires UEFI 2.3.1+, Secure Boot, and VT-x/AMD-V. Enable via GPO:
Computer Configuration → Administrative Templates → System → Device Guard.
P2 — LSASS Protected Process Light (PPL)
HIGH
PPL prevents non-protected processes from accessing LSASS memory via
OpenProcess calls.
Enable via registry on Server 2022+:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa → RunAsPPL = 2.
Combined with Credential Guard, this significantly raises the bar for any post-exploitation credential
extraction attempt against LSASS.
P2 — Permanent CLDAP anomaly detection rules in SIEM / NDR
HIGH
Integrate the Suricata rules and Splunk/Elastic/Sentinel queries above as permanent detection rules,
not temporary CVE-specific alerts. Oversized CLDAP Username attributes and non-standard NtVer values
are anomalous regardless of CVE. Make CLDAP abuse detection a standing capability that catches future
Netlogon vulnerabilities before they have names.
P2 — DC reboot as a security trigger in SOC runbooks
HIGH
Any unexpected domain controller reboot outside a change-management window should automatically open a
security investigation ticket, not just an infrastructure alert. The 60-second authentication blackout
caused by this exploit is a specific, detectable pattern. Ensure your NOC/SOC has runbooks that treat
unexplained DC reboots as candidate security incidents correlated with Event ID 1000 + netlogon crash
evidence.
P3 — Migrate off EoL Windows Server (2008 R2, 2012)
PLANNED
ESU and 0patch coverage for Server 2008 R2 and 2012 is finite and narrowing. Every Netlogon CVE since
2020 has hit these versions. Plan and execute migration to Server 2022 or 2025. ESU-covered systems
running as DCs are a permanent liability — not a stable long-term posture.
P3 — Patch SLA policy for pre-auth DC vulnerabilities
PLANNED
Formalize a separate patch SLA for domain controllers with pre-authentication critical vulnerabilities:
24–72 hours from Patch Tuesday, not the standard 30-day enterprise cycle. Integrate DC patch compliance
into real-time dashboards using Microsoft Defender for Endpoint, Automox, Qualys, or Tenable. Generate
alerts the moment any critical DC falls out of compliance.
P3 — IPsec policy and RPC filtering on Netlogon endpoints
PLANNED
Apply IPsec Authentication Header (AH) or Encapsulating Security Payload (ESP) policies requiring an
authenticated IPsec Security Association before Netlogon RPC endpoints are accessible. Use RPC filters
via
netsh rpc filter to restrict which callers can invoke Netlogon RPC methods. These
controls add operational complexity but ensure only authenticated, domain-member hosts can exercise
Netlogon at all.
Chaining Risk: Two-Stage Attack Model
Full RCE from CVE-2026-41089 alone remains difficult. In practice, the more dangerous scenario is a chained attack where the DoS capability serves as an operational tool enabling a separate compromise vector.
| Chain Stage | CVE-2026-41089 Role | Secondary Vector | Net Outcome |
|---|---|---|---|
| Cover + distraction | Crash primary DC, create 60s auth blackout | Credential stuffing, token replay, or lateral movement during blackout window — blamed on "infrastructure issues" | Parallel attack succeeds without triggering auth-anomaly detections |
| Failover targeting | Crash primary DC to force failover to secondary | Target secondary DC if it is unpatched, less monitored, or hosts weaker EDR coverage | Exploit the weaker node that comes online under load |
| NTLM fallback abuse | Repeatedly crash Kerberos-serving DC to force NTLM fallback | NTLM relay attack against services that fall back to NTLM when Kerberos fails | Credential capture via NTLM relay without touching the DC directly |
| Ransomware staging | DoS used for extortion leverage or GPO deployment window | Ransomware deployed via GPO if DC access is obtained through a separate vector | Organization-wide encryption in a single GPO push |
SecPod Coverage
| Capability | CVE-2026-41089 Coverage |
|---|---|
| Vulnerability Detection | OVAL-based checks for all affected Windows Server versions; build number and KB presence
validation; netlogon.dll version and hash verification |
| Patch Assessment | Saner platform identifies unpatched domain controllers across the environment and flags KB5089549 absence as critical-priority remediation |
| Remediation Guidance | Patch deployment automation for supported Windows Server versions via Saner; EoL system migration advisory workflow |
This concludes the CVE-2026-41089 four-part research series. The patch is available. Exploitation is confirmed and ongoing. Every domain controller running a vulnerable build with UDP 389 reachable is one packet away from a domain-wide authentication outage — from anyone, with no credentials, no prior access, and no warning.
Parts 1–3 cover the vulnerability mechanics, PoC analysis, and patch/IOC/detection guidance respectively.