// #threat-hunting
9 articles
Netlogon CVE-2026-41089 Detection and Forensics: Hunting for Domain Controller Compromise
With active exploitation of CVE-2026-41089 confirmed, security teams must run parallel tracks: patching domain controllers and investigating whether exploitation has already occurred. A successful Netlogon exploitation typically leads to Golden Ticket persistence and stealthy domain admin account creation — the forensic indicators are specific and searchable.
Citrix NetScaler CVE-2026-3055 Forensics: Post-Exploitation Detection for SAML IDP Compromise
With large-scale exploitation of CVE-2026-3055 confirmed as of 28 May, NetScaler ADC deployments that were internet-accessible while unpatched must be assessed for compromise. The SAML memory overread can leak session tokens and signing key material — understanding the forensic footprint helps determine whether compromise occurred.
UniFi OS Bulletin 064 Post-Disclosure Forensics: Detecting Compromise on Ubiquiti Controllers
Two days after Ubiquiti published Security Bulletin 064 with three CVSS 10.0 vulnerabilities, security teams should be confirming that patches have applied and hunting for indicators of pre-patch compromise. This guide covers the specific log sources, indicators, and commands available on UniFi OS devices for detecting exploitation activity.
GlobalProtect CVE-2026-0257 Compromise Indicators: Threat Hunting and Forensic Guide for VPN Gateway Authentication Bypass
Organisations running PAN-OS GlobalProtect gateways on versions vulnerable to CVE-2026-0257 must investigate for compromise during the exposure window, not just apply the patch. This guide covers the specific log sources, indicators of compromise, and post-exploitation patterns to hunt for on PAN-OS GlobalProtect gateways after an authentication bypass zero-day.
Exchange CVE-2026-42897 One Week On: Active Exploitation Continues, No Patch Available — Updated Guidance
Microsoft Exchange Server's OWA session hijacking zero-day CVE-2026-42897 entered its second week without a permanent patch. Microsoft's Emergency Mitigation Service (EEMS) rule remains the only automated protection for Exchange Online-connected on-premises environments. Security teams should now focus on identifying whether exploitation occurred during the disclosure week and verifying their mitigation status.
Cisco SD-WAN CVE-2026-20182 Post-Compromise Forensics: Identifying Rogue Device Injection in Catalyst SD-WAN Deployments
CVE-2026-20182, the CVSS 10.0 Cisco Catalyst SD-WAN Manager zero-day added to CISA KEV on 14 May, was exploited before Cisco released the patch. Organisations that ran vManage on publicly accessible addresses during the exposure window must now forensically audit their SD-WAN device inventory and API authentication logs for signs of rogue device registration and traffic interception.
Exchange CVE-2026-42897 Threat Hunting Guide: Identifying Session Hijacking in OWA Logs
With no patch available for the actively exploited Exchange OWA session hijacking zero-day, security teams must hunt for existing compromise rather than waiting for a fix. This guide covers the specific log sources, KQL queries, and behavioural indicators that reveal CVE-2026-42897 exploitation in on-premises Exchange and Microsoft 365 hybrid environments.
Seized Gentlemen Ransomware C2 Server Exposes 1,570 Victims — GPO Deployment Reveals Full Domain Compromise
Check Point Research's analysis of a seized SystemBC command-and-control server linked to The Gentlemen ransomware operation exposed 1,570+ victim IP addresses and documented the group's use of Group Policy Objects to deploy ransomware domain-wide. GPO-based distribution is a forensic marker that attackers achieved Domain Admin access days before encryption — defenders should treat it as an indicator of extended dwell time, not a starting point.
CISA Supplemental Direction ED 26-03: How to Hunt for Compromise in Cisco Catalyst SD-WAN
CISA has issued supplemental hunt-and-hardening guidance for Cisco Catalyst SD-WAN systems under Emergency Directive 26-03, providing defenders with specific indicators to look for in environments exposed to CVE-2026-20127 — a CVSS 10.0 authentication bypass exploited since 2023. Organisations running Cisco SD-WAN infrastructure should treat this guidance as a mandatory compromise assessment checklist.