
# *Potential CVE-2026-41089 Exploit Attempt on Domain Controllers*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1021 | Remote Services | https://attack.mitre.org/techniques/T1021 |


#### Description

This rule detects potential exploitation attempts targeting CVE-2026-41089 on Domain Controllers. It identifies inbound network connections to common RPC/SMB ports (135, 445, and dynamic RPC ports 49152-65535) on devices identified as Domain Controllers. The detection specifically looks for these connections originating from 'svchost.exe' with command lines containing 'netlogon' or 'netsvcs', and flags if the target Domain Controller is known to be vulnerable to CVE-2026-41089. A high severity is assigned if the connection count is 10 or more, or if the target DC is vulnerable.

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References
- https://www.penligent.ai/hackinglabs/cve-2026-41089/


## Defender XDR
```KQL
// CVE-2026-41089 Exploit Detection
let ExcludedRemoteIPs = dynamic(["0.0.0.0"]); // Remote IPs to ignore (add known scanners / monitoring hosts here)
// Devices that the exposure graph tags with the DomainController role
let DomainControllers =
    ExposureGraphNodes
    | where set_has_element(Categories, "device")
    | extend DeviceRoles = parse_json(NodeProperties.rawData.deviceRole)
    | where DeviceRoles contains "DomainController"
    | project DeviceName = tolower(NodeName);
// Devices where TVM still reports CVE-2026-41089 as present (i.e. unpatched)
let VulnerableDCs =
    DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2026-41089"
    | project DeviceName = tolower(DeviceName);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "InboundConnectionAccepted"
// RPC endpoint mapper (135), SMB (445) and the dynamic RPC range; 49672 already falls inside that range
| where LocalPort in (135, 445, 49672)
    or (LocalPort >= 49152 and LocalPort <= 65535)
| where RemoteIP !in (ExcludedRemoteIPs)
| extend LowerDeviceName = tolower(DeviceName)
| where LowerDeviceName in (DomainControllers)
| extend IsVulnerable = iff(LowerDeviceName in (VulnerableDCs), true, false)
// For inbound events the InitiatingProcess* columns describe the local process that accepted the
// connection; restrict to the svchost.exe instances hosting Netlogon / the netsvcs group
| where InitiatingProcessFileName =~ "svchost.exe"
| where InitiatingProcessCommandLine has_any ("netlogon", "netsvcs")
| summarize
    ConnectionCount = count(),
    TargetPorts = make_set(LocalPort),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, RemoteIP, IsVulnerable
| where ConnectionCount >= 3
| extend
    // Only 10.0.0.0/8 is treated as internal here; adjust to your own address plan
    // (172.16.0.0/12 and 192.168.0.0/16 sources would otherwise be labelled external)
    IsExternal = not(ipv4_is_in_range(RemoteIP, "10.0.0.0/8")),
    Severity = iff(ConnectionCount >= 10 or IsVulnerable == true, "High", "Medium")
| project-reorder FirstSeen, LastSeen, DeviceName, IsVulnerable, Severity, ConnectionCount, RemoteIP, TargetPorts, IsExternal
| sort by ConnectionCount desc
```

Explanation

This query is designed to detect potential exploit attempts targeting a specific vulnerability, CVE-2026-41089, on Domain Controllers within a network. Here's a simplified breakdown of what the query does:

  1. Identify Domain Controllers: It first identifies devices in the network that are classified as Domain Controllers.

  2. Check for Vulnerability: It checks if these Domain Controllers are vulnerable to CVE-2026-41089.

  3. Monitor Network Connections: The query monitors inbound network connections to specific ports (135, 445, and a range of dynamic RPC ports) on these Domain Controllers.

  4. Filter by Process and Command Line: It specifically looks for connections initiated by the process 'svchost.exe' with command lines containing 'netlogon' or 'netsvcs'.

  5. Count Connections: It counts the number of such connections and flags them if the count is 3 or more.

  6. Assess Severity: The severity of the alert is marked as "High" if there are 10 or more connections or if the Domain Controller is vulnerable. Otherwise, it's marked as "Medium".

  7. Exclude Certain IPs: Connections from certain IPs (e.g., "0.0.0.0") are excluded from consideration.

  8. Output Details: The query outputs details such as the first and last time the connection was seen, the device name, whether the device is vulnerable, the severity level, the number of connections, the remote IP, the target ports, and whether the connection is external.

Overall, this query helps in identifying and prioritizing potential security threats related to a known vulnerability on critical network infrastructure.
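The same filter, grouping and severity logic as a stand-alone Python check over constructed DeviceNetworkEvents-style rows (an added example, not part of the original query or the author's repository). Hostnames, addresses and event rows are made up; `is_external` treats every RFC 1918 range as internal, whereas the query's `ipv4_is_in_range(RemoteIP, "10.0.0.0/8")` labels 172.16/12 and 192.168/16 sources external, which `is_external_10_8_only` reproduces for comparison.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed reference data (not real telemetry): which hosts are DCs and which are unpatched.
DOMAIN_CONTROLLERS = {"dc01.corp.local", "dc02.corp.local"}
VULNERABLE_DCS = {"dc01.corp.local"}
EXCLUDED_REMOTE_IPS = {"0.0.0.0"}

def ev(device, remote_ip, port, cmd="svchost.exe -k netsvcs", proc="svchost.exe"):
    # One constructed DeviceNetworkEvents-style row: an inbound connection accepted by `proc`.
    return {"ActionType": "InboundConnectionAccepted", "DeviceName": device,
            "RemoteIP": remote_ip, "LocalPort": port,
            "InitiatingProcessFileName": proc, "InitiatingProcessCommandLine": cmd}

EVENTS = (
    [ev("DC01.corp.local", "192.168.5.20", 135)] * 3   # vulnerable DC, 3 hits -> High
    + [ev("dc02.corp.local", "10.1.1.7", 49672)] * 4   # patched DC, 4 hits -> Medium
    + [ev("dc02.corp.local", "10.1.1.9", 445)] * 2     # below the 3-connection floor
    + [ev("ws01.corp.local", "10.1.1.7", 135)] * 5     # not a DC
    + [ev("dc01.corp.local", "0.0.0.0", 135)] * 5      # excluded remote IP
    + [ev("dc01.corp.local", "10.1.1.8", 135, cmd="svchost.exe -k RPCSS")] * 5  # other svchost group
)
def is_external_10_8_only(ip):
    # Mirrors the page's KQL: only 10.0.0.0/8 counts as internal.
    return ip_address(ip) not in ip_network("10.0.0.0/8")
def is_external(ip):
    # Broader check: every RFC 1918 range (plus loopback and link-local) counts as internal.
    return not ip_address(ip).is_private

def detect(events, dcs, vulnerable_dcs, excluded_ips, min_count=3, high_count=10):
    groups = defaultdict(list)                       # (device, remote_ip) -> local ports seen
    for e in events:
        device, port = e["DeviceName"].lower(), e["LocalPort"]
        if (e["ActionType"] != "InboundConnectionAccepted"
                or not (port in (135, 445) or 49152 <= port <= 65535)
                or e["RemoteIP"] in excluded_ips or device not in dcs
                or e["InitiatingProcessFileName"].lower() != "svchost.exe"
                # has_any-style whole-term match on the command line
                or not set(e["InitiatingProcessCommandLine"].lower().split()) & {"netlogon", "netsvcs"}):
            continue
        groups[(device, e["RemoteIP"])].append(port)
    rows = []
    for (device, remote_ip), ports in groups.items():
        if len(ports) < min_count:                   # the query's `ConnectionCount >= 3` floor
            continue
        vulnerable = device in vulnerable_dcs
        rows.append({"DeviceName": device, "RemoteIP": remote_ip, "IsVulnerable": vulnerable,
                     "ConnectionCount": len(ports), "TargetPorts": sorted(set(ports)),
                     "Severity": "High" if len(ports) >= high_count or vulnerable else "Medium",
                     "IsExternal": is_external(remote_ip)})
    return sorted(rows, key=lambda r: -r["ConnectionCount"])
```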

Details

Benjamin Zulliger

Released: June 2, 2026

Tables

- ExposureGraphNodes
- DeviceTvmSoftwareVulnerabilities
- DeviceNetworkEvents
