name: LSASS Crash on Domain Controller Potentially Related to Netlogon Analytic
signatureid: WEL-APP01-RUN
category: 'Impact'
threatname: 'Network Denial of Service'
functionality: 'Microsoft Windows'
description: |
  Detects LSASS application crashes on Windows domain controllers, specifically those
  referencing netlogon.dll as the faulting module. This is the primary host-side indicator
  of CVE-2026-41089 exploitation — a single malformed CLDAP UDP packet to port 389 causes
  a stack buffer overflow in BuildSamLogonResponse, corrupting the LSASS stack and triggering
  a fatal exception (0xC0000409 STATUS_STACK_BUFFER_OVERRUN). The domain controller reboots
  approximately 60 seconds after the crash. Repeated LSASS crashes in a short timeframe from
  the same host without a corresponding patch event strongly suggest active exploitation or
  automated scanning. Even a single occurrence on a DC warrants investigation given the
  pre-authentication, zero-interaction nature of the vulnerability.
reference:
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089
  - https://aretiq.ai/research/vul260513-cve-2026-41089-microsoft-windows-netlogon-buildsamlogonresponse-stack-based-buffer-overflow-rce/
  - https://github.com/0xABCD01/CVE-2026-41089
labels:
  - attack.initial_access
  - attack.t1190
  - attack.impact
  - attack.t1498
  - CVE-2026-41089
  - Netlogon
  - LSASS
  - RCE
logsource:
  product: Windows
  service: Application
detection:
  selection_lsass_crash:
    baseeventid: 1000 # Application Error
    customstring1|contains: # Faulting application name
      - 'lsass.exe'
  selection_netlogon_module:
    customstring3|contains: # Faulting module name
      - 'netlogon.dll'
  selection_stack_overflow_exception:
    customstring5|contains: # Exception code
      - 'c0000409' # STATUS_STACK_BUFFER_OVERRUN
      - 'c0000005' # ACCESS_VIOLATION (secondary indicator)
  condition: selection_lsass_crash and selection_netlogon_module
criticality: Critical
saveasthreat: false
violation_summary:
  grouping_attribute: 'devicehostname'
  level2_attribute: 'accountname'
  level2_metadata_attributes:

TECHNICAL DETAILS
Event ID 1000 (Application Error) in the Windows Application log will record:
Faulting application name: lsass.exe
Faulting module name: netlogon.dll
Exception code: 0xc0000409 (STATUS_STACK_BUFFER_OVERRUN — GS cookie violation)
The domain controller will initiate an automatic reboot ~60 seconds post-crash.
Event ID 6008 (Unexpected Shutdown) will appear on the subsequent boot.
False positives: legitimate LSASS crashes from buggy third-party security products
loading into LSASS (LSA plugins). Validate by checking for anomalous UDP/389 traffic
to the DC in the 5 minutes preceding the crash timestamp.
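The following is an added example, not part of the rule above or of the referenced research: it applies the rule's condition to constructed Windows Application-log records and then layers on the triage points from the technical details, namely repeated LSASS crashes on one host inside a short window and a following Event ID 6008 on the same host. The record field names (host, event_id, faulting_app, faulting_module, exception_code) and the hostnames and timestamps are assumptions made for this example; a SIEM would map the first three from the Event 1000 message strings (customstring1/3/5 in the rule).

```python
"""Added example (not the rule's own code): evaluate the LSASS/netlogon.dll crash
rule over constructed Event 1000 / 6008 records and produce a per-host triage.
Field names and sample values below are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; hostnames and timestamps are made up.
SAMPLE_EVENTS = [
    {"ts": "2026-05-13T10:00:00", "host": "DC01", "event_id": 1000,
     "faulting_app": "lsass.exe", "faulting_module": "netlogon.dll",
     "exception_code": "0xc0000409"},
    # Unexpected Shutdown logged on the reboot that follows the crash
    {"ts": "2026-05-13T10:01:05", "host": "DC01", "event_id": 6008},
    {"ts": "2026-05-13T10:04:30", "host": "DC01", "event_id": 1000,
     "faulting_app": "lsass.exe", "faulting_module": "netlogon.dll",
     "exception_code": "0xc0000005"},
    # False-positive shape from the technical details: LSASS crashed, but the
    # faulting module is a third-party LSA plugin, not netlogon.dll
    {"ts": "2026-05-13T11:00:00", "host": "DC02", "event_id": 1000,
     "faulting_app": "lsass.exe", "faulting_module": "thirdparty_lsa.dll",
     "exception_code": "0xc0000005"},
    # Unrelated application crash on the same host
    {"ts": "2026-05-13T11:30:00", "host": "DC02", "event_id": 1000,
     "faulting_app": "notepad.exe", "faulting_module": "ntdll.dll",
     "exception_code": "0xc0000005"},
]

# Exception codes from selection_stack_overflow_exception (primary, secondary)
EXCEPTION_CODES = {"c0000409", "c0000005"}


def matches_rule(ev):
    """Mirror the rule's condition: Event 1000 with lsass.exe as the faulting
    application and netlogon.dll as the faulting module."""
    if ev.get("event_id") != 1000:
        return False
    return ("lsass.exe" in ev.get("faulting_app", "").lower()
            and "netlogon.dll" in ev.get("faulting_module", "").lower())


def has_overflow_exception(ev):
    """The exception-code selection, used here as an enrichment flag since the
    rule's condition does not require it."""
    code = ev.get("exception_code", "").lower()
    if code.startswith("0x"):
        code = code[2:]
    return code in EXCEPTION_CODES


def parse_ts(s):
    return datetime.fromisoformat(s)


def triage(events, window=timedelta(minutes=10),
           reboot_window=timedelta(minutes=5)):
    """Return a per-host summary for hosts with at least one matching crash:
    crash count, the largest number of crashes inside any `window`, whether any
    crash carried one of the listed exception codes, and whether an Event 6008
    followed a crash within `reboot_window`."""
    crashes = defaultdict(list)
    shutdowns = defaultdict(list)
    for ev in events:
        if matches_rule(ev):
            crashes[ev["host"]].append(ev)
        elif ev.get("event_id") == 6008:
            shutdowns[ev["host"]].append(parse_ts(ev["ts"]))

    report = {}
    for host, evs in crashes.items():
        times = sorted(parse_ts(e["ts"]) for e in evs)
        # Largest count of crashes that fall inside one sliding window
        max_in_window = max(
            sum(1 for u in times[i:] if u - t <= window)
            for i, t in enumerate(times)
        )
        reboot_followed = any(
            timedelta(0) <= (s - t) <= reboot_window
            for t in times for s in shutdowns.get(host, [])
        )
        report[host] = {
            "crash_count": len(evs),
            "max_in_window": max_in_window,
            "overflow_exception": any(has_overflow_exception(e) for e in evs),
            "unexpected_shutdown_followed": reboot_followed,
            "next_step": "review UDP/389 traffic to this DC in the 5 minutes "
                         "before each crash and confirm patch status",
        }
    return report


if __name__ == "__main__":
    for host, summary in triage(SAMPLE_EVENTS).items():
        print(host, summary)
```

Only DC01 appears in the output: both of its LSASS crashes name netlogon.dll, they fall inside a single ten-minute window, and an Event 6008 follows the first one about a minute later, which is the pattern the technical details describe. The DC02 records are excluded by the module check rather than by the exception code, which is why the exception code is kept as an enrichment flag and not as a filter.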
Policy building walkthrough can be found in this previous post: