Netlogon CVE-2026-41089 Detection and Forensics: Hunting for Domain Controller Compromise

With active exploitation of CVE-2026-41089 confirmed, security teams must run parallel tracks: patching domain controllers and investigating whether exploitation has already occurred. A successful Netlogon exploitation typically leads to Golden Ticket persistence and stealthy domain admin account creation; the forensic indicators are specific and searchable.


Patching domain controllers for CVE-2026-41089 addresses the vulnerability but does not answer the question that matters most for already-exposed environments: was the vulnerability exploited before the patch was applied? This guide covers the detection indicators and investigation steps for CVE-2026-41089 post-exploitation on Windows Active Directory domain controllers.

Exploitation Indicators on the Domain Controller

Successful CVE-2026-41089 exploitation executes attacker code as SYSTEM on the DC. The initial exploitation event may not generate obvious log entries, but the post-exploitation activity almost always does.

Windows Security Log, Event ID 4688 (Process Creation): Look for unusual processes spawned by the Netlogon service (netlogon.exe as parent) or by lsass.exe (which the attacker may use as a process injection target after achieving SYSTEM):

# 4688 field order: [5]=NewProcessName, [13]=ParentProcessName (full path of the creator process)
Get-WinEvent -ComputerName <DC> -FilterHashtable @{
    LogName='Security'
    Id=4688
    StartTime=(Get-Date).AddDays(-7)
} | Where-Object { $_.Properties[13].Value -match 'netlogon|lsass' } |
Select-Object TimeCreated, @{N='NewProcess';E={$_.Properties[5].Value}}, @{N='ParentProcess';E={$_.Properties[13].Value}}

Windows Security Log, Event ID 4624/4625 (Logon/Logon Failure): Exploitation attempts generate authentication events. A stack of rapid 4625 failures followed by a 4624 success from an external IP is a strong exploitation indicator:

# IpAddress sits at a different index in the two events: [18] in 4624, [19] in 4625
# Exclude RFC 1918 ranges (172.16.0.0/12 only, not all of 172.x), loopback, link-local and the '-' placeholder
$private = '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|::1$|fe80:|-$)'
Get-WinEvent -FilterHashtable @{
    LogName='Security'
    Id=@(4624,4625)
    StartTime=(Get-Date).AddDays(-7)
} | ForEach-Object {
    $ipIndex = if ($_.Id -eq 4624) { 18 } else { 19 }
    [pscustomobject]@{ Id=$_.Id; Time=$_.TimeCreated; IpAddress=$_.Properties[$ipIndex].Value }
} | Where-Object { $_.IpAddress -notmatch $private } |
Group-Object IpAddress |
Where-Object { $_.Count -gt 10 } |
Select-Object Count, Name

Windows System Log, Event ID 7045 (New Service Installed): Post-exploitation persistence often involves installing a malicious service:

Get-WinEvent -FilterHashtable @{
    LogName='System'
    Id=7045
    StartTime=(Get-Date).AddDays(-7)
} | Select-Object TimeCreated, @{N='ServiceName';E={$_.Properties[0].Value}}, @{N='ImagePath';E={$_.Properties[1].Value}}

Privilege Abuse Indicators

New Domain Admin accounts:

# Check for accounts created in the last 7 days that are members of privileged groups
# -Recursive expands nested groups; filter to user objects so Get-ADUser does not fail on group or computer members
# Note: WhenCreated is the account creation time, not the time it was added to the group
$cutoff = (Get-Date).AddDays(-7)
Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $user = Get-ADUser $_.distinguishedName -Properties WhenCreated
        if ($user.WhenCreated -gt $cutoff) {
            Write-Output "SUSPICIOUS: $($user.SamAccountName) is in Domain Admins and was created on $($user.WhenCreated)"
        }
    }

Golden Ticket indicators: A Golden Ticket (forged Kerberos TGT using the domain’s krbtgt hash) produces authentication events with specific anomalies. Look for Kerberos TGT tickets with:

  • Ticket lifetime exceeding the domain policy maximum (Event ID 4769 with long-lived tickets)
  • Ticket requesting service access from an IP address inconsistent with the account’s normal logon location
  • The KRBTGT account password change (Event ID 4723): responders typically change the krbtgt password twice as part of DC compromise remediation; if you see this event recently and your team did not initiate it, it may indicate attacker covering tracks
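The following PowerShell is an added example, not code from the original article. It hunts for Golden Ticket use with a different check than the bullets above: because a forged TGT is never issued by a DC, a service ticket request (4769) for an account with no TGT request (4768) on any DC inside the preceding TGT lifetime is an anomaly worth triage. It also reports who changed or reset the krbtgt password (4723/4724). It assumes the RSAT ActiveDirectory module, Security log read rights on every DC, and the default 10-hour maximum TGT lifetime (the $MaxTgtHours parameter).

```powershell
# Added example, not from the original article: hunt for Golden Ticket use by correlating
# TGS requests (4769) with TGT requests (4768) across every DC. A forged TGT is never
# issued by a DC, so a service ticket request for an account with no 4768 anywhere in
# the preceding TGT lifetime is an anomaly to triage. Also reports krbtgt password
# changes/resets (4723/4724) with the initiating account.
# Assumptions: RSAT ActiveDirectory module, Security-log read rights on all DCs,
# default 10-hour maximum TGT lifetime ($MaxTgtHours).
param([int]$LookbackDays = 7, [int]$MaxTgtHours = 10)
$since   = (Get-Date).AddDays(-$LookbackDays)
$tgtSeen = @{}    # account -> 4768 timestamps seen on any DC
$tgsReqs = New-Object System.Collections.Generic.List[object]

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    # Read one TGT lifetime further back so TGTs issued just before $since are known
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName='Security'; Id=@(4768,4769,4723,4724); StartTime=$since.AddHours(-$MaxTgtHours)
    }
    foreach ($e in $events) {
        $acct = ([string]$e.Properties[0].Value -split '@')[0].ToLower()   # 4769 uses user@REALM
        switch ($e.Id) {
            4768 { $tgtSeen[$acct] += ,$e.TimeCreated }
            4769 {
                # Skip computer accounts (noisy) and anything before the hunt window
                if ($e.TimeCreated -ge $since -and $acct -notmatch '\$$') {
                    $tgsReqs.Add([pscustomobject]@{ DC=$dc; Time=$e.TimeCreated; Account=$acct
                        Service=$e.Properties[2].Value; ClientIP=$e.Properties[6].Value })
                }
            }
            default {
                # 4723/4724: [0]=TargetUserName, [4]=SubjectUserName, [5]=SubjectDomainName
                if ($acct -eq 'krbtgt') {
                    Write-Warning ("krbtgt password changed on {0} at {1} by {2}\{3}" -f $dc,
                        $e.TimeCreated, $e.Properties[5].Value, $e.Properties[4].Value)
                }
            }
        }
    }
}

# Flag 4769s whose account had no 4768 on any DC within the preceding TGT lifetime
$suspect = foreach ($r in $tgsReqs) {
    $prior = $tgtSeen[$r.Account] | Where-Object { $_ -le $r.Time -and $_ -ge $r.Time.AddHours(-$MaxTgtHours) }
    if (-not $prior) { $r }
}
$suspect | Sort-Object Time | Format-Table -AutoSize
```

TGT renewals (a 4769 for the krbtgt service) and DCs whose Security log does not cover a full TGT lifetime produce false positives, so treat hits as triage leads rather than verdicts.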

Network-Level Detection

If your environment logs SMB traffic or has a network detection/response (NDR) solution, look for:

  • NetrLogonSendToSam calls from unexpected sources to domain controller TCP 445
  • Large-volume SMB negotiation attempts from single IP addresses (scanning behaviour)
  • TCP 445 connections from external IP addresses to DC addresses (if perimeter rules should prevent this but the traffic reached the DC)

LSASS Memory Dump Detection

Post-exploitation, attackers typically dump LSASS memory to extract credentials. Event ID 10 from Sysmon (process access) with GrantedAccess rights including 0x1fffff (full process access) targeting lsass.exe from unexpected processes is a primary indicator:

# Requires Sysmon event logging
Get-WinEvent -FilterHashtable @{
    LogName='Microsoft-Windows-Sysmon/Operational'
    Id=10
    StartTime=(Get-Date).AddDays(-7)
} | Where-Object { $_.Properties[5].Value -match 'lsass' -and $_.Properties[8].Value -match '0x1fffff|0x143a|0x1010' }

If Compromise Is Confirmed

Active Directory compromise requires a structured response beyond patching:

  1. Isolate the compromised DC from the network; do not shut it down, as this destroys volatile forensic evidence
  2. Preserve forensic evidence: Take a memory image and disk snapshot before any remediation
  3. Identify all privileged access that occurred from the compromise time to discovery
  4. Rotate krbtgt twice (with 10+ hours between rotations to allow ticket expiry)
  5. Rotate all service account passwords and review all service principal names
  6. Engage IR support; a confirmed AD domain compromise is typically a major incident requiring specialist response
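As an added example for step 4 (not from the original article), this PowerShell gate check tells you whether it is safe to perform the second krbtgt reset: the first reset must have replicated to every DC, and at least the TGT lifetime must have elapsed so tickets signed with the old key have expired. It assumes the RSAT ActiveDirectory module and read access to every DC, and performs no reset itself.

```powershell
# Added example, not from the original article: gate check before the SECOND krbtgt reset.
# Verifies (1) every DC holds the same krbtgt PasswordLastSet, i.e. the first reset has
# replicated everywhere, and (2) at least $MinHoursBetween hours have passed since it.
# Assumes the RSAT ActiveDirectory module and read access to each DC; resets nothing.
param([int]$MinHoursBetween = 10)
$dcs = (Get-ADDomainController -Filter *).HostName
$views = foreach ($dc in $dcs) {
    try {
        # Query each DC directly so we see its own replica, not the nearest one
        $k = Get-ADUser -Identity krbtgt -Server $dc -Properties PasswordLastSet
        [pscustomobject]@{ DC=$dc; PasswordLastSet=$k.PasswordLastSet; Reachable=$true }
    } catch {
        [pscustomobject]@{ DC=$dc; PasswordLastSet=$null; Reachable=$false }
    }
}
$views | Format-Table -AutoSize

$ok = $true
$unreachable = $views | Where-Object { -not $_.Reachable }
if ($unreachable) { Write-Warning "Unreachable DCs: $($unreachable.DC -join ', ')"; $ok = $false }
$distinct = $views | Where-Object Reachable | Select-Object -ExpandProperty PasswordLastSet -Unique
if ($distinct.Count -gt 1) { Write-Warning 'krbtgt PasswordLastSet differs between DCs; first reset has not converged'; $ok = $false }
$latest = $distinct | Sort-Object | Select-Object -Last 1
$hours  = ((Get-Date) - $latest).TotalHours
if ($hours -lt $MinHoursBetween) { Write-Warning ('Only {0:N1} h since last reset; wait until {1} h have passed' -f $hours, $MinHoursBetween); $ok = $false }
if ($ok) { 'Safe to perform the second krbtgt reset: last reset {0:N1} h ago, replicated to {1} DCs' -f $hours, $dcs.Count }
```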
