Query Details
# *CVE-2026-41096 DNS Exploit with LOLBAS Execution*
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1216 | System Script Proxy Execution | https://attack.mitre.org/techniques/T1216/001 |
| T1590.002 | DNS | https://attack.mitre.org/techniques/T1590/002 |
#### Description
I highly recommend patching as soon as possible. If you cannot patch yet, this rule detects potential exploitation attempts related to CVE-2026-41096 on Windows systems. It identifies devices vulnerable to CVE-2026-41096 and then looks for suspicious process activity where `svchost.exe` with `Dnscache` in its command line executes a Living Off The Land Binaries and Scripts (LOLBAS) tool. The detection is further correlated with network events occurring within two minutes of the suspicious process execution, suggesting an exploit leading to network communication.
#### Author
- **Name:** Benjamin Zulliger
- **GitHub:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/
## Defender XDR
```KQL
// Dynamically load the LOLBAS list via externaldata
let LOLBins =
    externaldata(Filename:string, Description:string, Author:string, Date:string, Command:string, CommandDescription:string, CommandUsecase:string, CommandCategory:string, CommandPrivileges:string, MitreAttackTechnique:string, OperatingSystem:string, Paths:string, Detections:string, Resources:string, Acknowledgements:string, URL:string, Tags:string)
    [h"https://lolbas-project.github.io/api/lolbas.csv"]
    with (format="csv", ignoreFirstRecord=true)
    | summarize by Filename; // Extract unique filenames
// Identify systems vulnerable to the specific CVE
let VulnerableSystems =
    DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2026-41096"
    | summarize by DeviceId;
// Filter for suspicious process activity related to the DNS Client context
let SuspiciousProcesses =
    DeviceProcessEvents
    | where TimeGenerated > ago(30d)
    | where InitiatingProcessFileName =~ "svchost.exe"
    | where InitiatingProcessCommandLine has "Dnscache"
    // Match against the dynamic LOLBAS list (case-insensitive)
    | where FileName in~ (LOLBins)
    | project
        ProcessTime = TimeGenerated,
        DeviceId,
        DeviceName,
        FileName,
        ProcessCommandLine,
        InitiatingProcessCommandLine;
// Collect network events for correlation
let FollowupNetwork =
    DeviceNetworkEvents
    | where TimeGenerated > ago(30d)
    | project
        NetworkTime = TimeGenerated,
        DeviceId,
        RemoteIP,
        RemotePort;
// Join the datasets to correlate vulnerability, suspicious execution, and network activity
VulnerableSystems
| join kind=inner (SuspiciousProcesses) on DeviceId
| join kind=inner (FollowupNetwork) on DeviceId
// Keep only network events within 2 minutes after the process execution (between is inclusive)
| where NetworkTime between (ProcessTime .. (ProcessTime + 2m))
| project
    TimeGenerated = ProcessTime,
    DeviceName,
    FileName,
    ProcessCommandLine,
    RemoteIP,
    RemotePort
| extend
    HostCustomEntity = DeviceName,
    IPCustomEntity = RemoteIP,
    Severity = "Medium",
    DetectionType = "CVE-2026-41096 DNS Exploit - Client (LOLBAS Execution)"
```
This query is designed to detect potential exploitation attempts related to a specific security vulnerability, CVE-2026-41096, on Windows systems. Here's a simple breakdown of what the query does:

1. **Load LOLBAS List:** It dynamically loads a list of known Living Off The Land Binaries and Scripts (LOLBAS), which are legitimate tools that can be used maliciously.
2. **Identify Vulnerable Systems:** It identifies devices that are vulnerable to the CVE-2026-41096 vulnerability.
3. **Detect Suspicious Processes:** It looks for suspicious process activity where the `svchost.exe` process, specifically with `Dnscache` in its command line, executes a tool from the LOLBAS list. This is indicative of potential malicious activity.
4. **Collect Network Events:** It gathers network events from the same devices to see if there is any network communication occurring shortly after the suspicious process execution.
5. **Correlate Data:** It correlates the data from the vulnerable systems, suspicious processes, and network events to identify whether there is a pattern suggesting an exploit attempt. Specifically, it looks for network events that occur within two minutes of the suspicious process execution.
6. **Output Results:** The query outputs details such as the time of the event, device name, file name, command line used, remote IP, and port. It also categorizes the severity as "Medium" and labels the detection type as "CVE-2026-41096 DNS Exploit - Client (LOLBAS Execution)".

Overall, this query helps security teams quickly identify and respond to potential exploitation attempts related to a known vulnerability by correlating process and network activities on vulnerable systems.
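As an added illustration that is not part of the original rule or repository, the same correlation re-implemented in Python over constructed sample records, so the matching semantics can be checked offline: case-insensitive binary matching as with `in~`, whole-term matching of `Dnscache` as with `has`, and the inclusive two-minute `between` window. Device ids, device names, IP addresses, the second CVE id and the LOLBAS filenames are all constructed placeholders.

```python
"""Offline re-implementation of the correlation the KQL rule above performs.
Every record below is a constructed sample, not real telemetry."""
import re
from datetime import datetime, timedelta

CVE = "CVE-2026-41096"
WINDOW = timedelta(minutes=2)                          # same 2m window as the rule
LOLBINS = {"Certutil.exe", "Mshta.exe", "Rundll32.exe"}  # constructed stand-in for the LOLBAS CSV Filename column
DNSCACHE = re.compile(r"\bdnscache\b", re.IGNORECASE)  # whole-term match, like KQL `has`


def correlate(vulns, procs, nets, lolbins=LOLBINS, window=WINDOW):
    """One row per LOLBAS child of svchost/Dnscache on a vulnerable device,
    paired with each network event on that device within `window` after it."""
    vulnerable = {v["DeviceId"] for v in vulns if v["CveId"] == CVE}
    lol = {f.lower() for f in lolbins}                 # `in~` is case-insensitive
    hits = []
    for p in procs:
        if (p["DeviceId"] not in vulnerable
                or p["InitiatingProcessFileName"].lower() != "svchost.exe"
                or not DNSCACHE.search(p["InitiatingProcessCommandLine"])
                or p["FileName"].lower() not in lol):
            continue
        for n in nets:                                 # KQL `between` is inclusive at both ends
            if n["DeviceId"] == p["DeviceId"] and \
               p["TimeGenerated"] <= n["TimeGenerated"] <= p["TimeGenerated"] + window:
                hits.append(dict(TimeGenerated=p["TimeGenerated"], DeviceName=p["DeviceName"],
                                 FileName=p["FileName"], ProcessCommandLine=p["ProcessCommandLine"],
                                 RemoteIP=n["RemoteIP"], RemotePort=n["RemotePort"]))
    return hits


def T(s): return datetime.fromisoformat(s)
def proc(dev, parent_cmd, child, t):                   # constructed DeviceProcessEvents row
    return dict(DeviceId=dev, DeviceName=dev.upper(), InitiatingProcessFileName="svchost.exe",
                InitiatingProcessCommandLine=parent_cmd, FileName=child,
                ProcessCommandLine=child + " <constructed args>", TimeGenerated=T(t))
def net(dev, t, ip):                                   # constructed DeviceNetworkEvents row
    return dict(DeviceId=dev, TimeGenerated=T(t), RemoteIP=ip, RemotePort=443)

SVC_DNS, SVC_OTHER = "svchost.exe -k NetworkService -p -s Dnscache", "svchost.exe -k netsvcs -p -s Schedule"
VULNS = [{"DeviceId": "dev-1", "CveId": CVE}, {"DeviceId": "dev-2", "CveId": "CVE-0000-PLACEHOLDER"}]
PROCS = [proc("dev-1", SVC_DNS, "CERTUTIL.EXE", "2026-05-14T10:00:00"),    # hit (case differs from list)
         proc("dev-1", SVC_DNS, "notepad.exe", "2026-05-14T10:00:00"),     # not a LOLBAS binary
         proc("dev-1", SVC_OTHER, "certutil.exe", "2026-05-14T10:00:00"),  # parent is not Dnscache
         proc("dev-2", SVC_DNS, "certutil.exe", "2026-05-14T10:00:00")]    # device not vulnerable
NETS = [net("dev-1", "2026-05-14T09:59:59", "192.0.2.10"),   # before execution: excluded
        net("dev-1", "2026-05-14T10:01:30", "192.0.2.11"),   # inside the window
        net("dev-1", "2026-05-14T10:02:00", "192.0.2.12"),   # exactly +2m: inclusive, kept
        net("dev-1", "2026-05-14T10:02:01", "192.0.2.13"),   # one second late: excluded
        net("dev-2", "2026-05-14T10:01:00", "192.0.2.14")]   # device filtered out upstream

if __name__ == "__main__":
    for row in correlate(VULNS, PROCS, NETS):
        print(row)
```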

Benjamin Zulliger
Released: May 14, 2026