BETA DETECTION: Netlogon Service Anomalous Restart or RPC from Non-DC Source Analytic

  • June 3, 2026
Aaron Beardslee
name: Netlogon Service Anomalous Restart or RPC from Non-DC Source Analytic
signatureid: WEL-SYS01-ERI
category: 'Initial Access'
threatname: 'Exploit Public-Facing Application'
functionality: 'Microsoft Windows'

description: |
  Detects the Netlogon service (NETLOGON) unexpectedly stopping or restarting, a key
  indicator of CVE-2026-41089 post-crash recovery, using event rarity on the source account
  to surface non-standard service control activity. Netlogon restarts are normal after planned
  reboots but rare in steady-state operation. Combined with the pre-auth nature of CVE-2026-41089,
  any unexpected Netlogon stop/start cycle should be investigated for preceding CLDAP anomalies.
  Also covers Service Control Manager events recording Netlogon termination with unexpected exit
  codes, which can indicate an LSASS-driven shutdown cascade following stack corruption.
reference:
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089
  - https://www.helpnetsecurity.com/2026/06/01/windows-netlogon-rce-exploited-cve-2026-41089/
  - https://www.thecybersignal.com/windows-netlogon-cve-2026-41089-active-exploitation-domain-controllers-2026/
labels:
  - attack.initial_access
  - attack.t1190
  - attack.impact
  - attack.t1498
  - CVE-2026-41089
  - Netlogon
  - Service Crash
logsource:
  product: Windows
  service: System
detection:
  selection_scm_netlogon_stop:
    baseeventid:
      - 7034 # Service crashed unexpectedly
      - 7031 # Service terminated unexpectedly
      - 7036 # Service entered stopped state
    customstring1|contains:
      - 'Netlogon'
  selection_lsass_cascade:
    baseeventid: 7034
    customstring1|contains:
      - 'lsass'
      - 'Local Security Authority'
  condition: selection_scm_netlogon_stop or selection_lsass_cascade
analytical_type:
  event_rarity:
    feature:
      - devicehostname
    sigma: 0.60
    technique: 'Rare Activity on Resource Group'
    baseline: '7 days'
criticality: High
saveasthreat: false

violation_summary:
  grouping_attribute: 'devicehostname'
  level2_attribute: 'accountname'
  level2_metadata_attributes:
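To make the policy's logic concrete, here is an added example (my own code, not the Securonix policy engine or any code from this post) that replays constructed System-log records through the two selections above and a per-host 7-day rarity baseline. The field names (baseeventid, customstring1, devicehostname, accountname) mirror the policy; the reading of sigma 0.60 as a minimum rarity score, the case-insensitive `contains`, the `make_event`/`evaluate` helpers and every sample record are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_DAYS = 7   # policy: baseline '7 days'
SIGMA = 0.60        # policy: sigma 0.60, interpreted here as a minimum rarity score (assumption)


def make_event(ts, host, eid, msg, account="SYSTEM"):
    """Build one normalised record using the policy's field names."""
    return {"timestamp": datetime.fromisoformat(ts), "devicehostname": host,
            "accountname": account, "baseeventid": eid, "customstring1": msg}


# Constructed sample records, not real telemetry. LAB-DC is a lab DC that is
# rebooted every night, so its Netlogon stop events are baseline noise.
SAMPLE_EVENTS = [
    make_event(f"2026-05-{d:02d}T03:00:00", "LAB-DC", 7036,
               "The Netlogon service entered the stopped state.") for d in range(27, 32)
] + [
    make_event("2026-06-03T03:00:00", "LAB-DC", 7036, "The Netlogon service entered the stopped state."),
    make_event("2026-06-02T09:00:00", "DC01", 7036, "The Print Spooler service entered the stopped state."),
    make_event("2026-06-03T11:42:07", "DC01", 7034,
               "The Netlogon service terminated unexpectedly. It has done this 1 time(s)."),
    make_event("2026-06-03T11:42:08", "DC01", 7034,
               "The Local Security Authority Process service terminated unexpectedly."),
]


def matches_policy(ev):
    """Return the name of the policy selection the record satisfies, or None."""
    msg = ev["customstring1"].lower()   # assumption: 'contains' matches case-insensitively
    if ev["baseeventid"] in (7034, 7031, 7036) and "netlogon" in msg:
        return "selection_scm_netlogon_stop"
    if ev["baseeventid"] == 7034 and ("lsass" in msg or "local security authority" in msg):
        return "selection_lsass_cascade"
    return None


def rarity_score(ev, host_history):
    """1.0 when the host showed no matching activity in the prior baseline window,
    falling towards 0.0 as more of the window's days already contained it."""
    window_start = ev["timestamp"] - timedelta(days=BASELINE_DAYS)
    days_seen = {h["timestamp"].date() for h in host_history
                 if window_start <= h["timestamp"] < ev["timestamp"]}
    return 1.0 - len(days_seen) / BASELINE_DAYS


def evaluate(events, evaluate_from="2026-06-03"):
    """Replay records in time order. Records before evaluate_from only build the
    per-host baseline; later matches are scored and reported when rarity >= SIGMA."""
    cutoff = datetime.fromisoformat(evaluate_from)
    history = defaultdict(list)   # devicehostname -> earlier matching records
    violations = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        selection = matches_policy(ev)
        if selection is None:
            continue
        host = ev["devicehostname"]
        score = rarity_score(ev, history[host])
        history[host].append(ev)
        if ev["timestamp"] >= cutoff and score >= SIGMA:
            violations.append({"devicehostname": host, "accountname": ev["accountname"],
                               "selection": selection, "baseeventid": ev["baseeventid"],
                               "rarity": round(score, 3),
                               "timestamp": ev["timestamp"].isoformat()})
    return violations


if __name__ == "__main__":
    for v in evaluate(SAMPLE_EVENTS):
        print(v)
```

Run as-is, only the two DC01 records on June 3 are reported: the Netlogon crash scores 1.0 because DC01 had no matching activity in the prior week, and the LSASS crash one second later still scores 6/7 because only that same day is in its baseline. The nightly LAB-DC stop is suppressed (five of seven baseline days already contained it), which is the planned-reboot noise the description says the rarity step is there to absorb.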
TECHNICAL DETAILS

    Post-exploitation kill chain for CVE-2026-41089:
    1. Attacker sends crafted CLDAP UDP/389 packet with 130-char username
    2. BuildSamLogonResponse overflows 528-byte stack buffer in LSASS
    3. LSASS crashes with STATUS_STACK_BUFFER_OVERRUN (0xC0000409)
    4. SCM records Event ID 7034 for Netlogon / 7031 for unexpected termination
    5. Windows initiates emergency shutdown (Event ID 6008 on reboot)
    6. DC reboots; Netlogon and LSASS restart on next boot (Event ID 7036 Stopped → Running)

    Rarity context: Netlogon stopping unexpectedly on a DC should be extremely rare.
    DCSync, credential dumping, and KRBTGT abuse are the expected post-RCE follow-ons
    if the attacker achieves full code execution rather than just a DoS.

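Steps 4 to 6 above describe an event sequence a responder can correlate per host: a 7034/7031 crash of Netlogon or LSASS, then 6008 at the next boot, then Netlogon's 7036 "running" state. The following is an added example (my own code, not part of the post or of the Securonix policy) that pairs those events within a window and reports each complete crash-to-recovery chain. The `make_event` and `find_crash_reboot_chains` helpers, the 30-minute window and all sample records are constructed for the example; the field names follow the policy above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CRASH_IDS = {7034, 7031}        # step 4: SCM records an unexpected service termination
UNEXPECTED_SHUTDOWN_ID = 6008   # step 5: logged at next boot after a dirty shutdown
SERVICE_STATE_ID = 7036         # step 6: Netlogon reports the running state after reboot
CRASH_SERVICES = ("netlogon", "lsass", "local security authority")


def make_event(ts, host, eid, msg):
    """One normalised System-log record using the policy's field names."""
    return {"timestamp": datetime.fromisoformat(ts), "devicehostname": host,
            "baseeventid": eid, "customstring1": msg}


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    # DC01: the sequence from the technical details above.
    make_event("2026-06-03T11:42:07", "DC01", 7034,
               "The Netlogon service terminated unexpectedly. It has done this 1 time(s)."),
    make_event("2026-06-03T11:42:08", "DC01", 7034,
               "The Local Security Authority Process service terminated unexpectedly."),
    make_event("2026-06-03T11:44:30", "DC01", 6008,
               "The previous system shutdown at 11:43:05 AM on 6/3/2026 was unexpected."),
    make_event("2026-06-03T11:45:02", "DC01", 7036,
               "The Netlogon service entered the running state."),
    # DC02: planned maintenance reboot; Netlogon stops cleanly and no 6008 is logged.
    make_event("2026-06-03T22:00:10", "DC02", 7036, "The Netlogon service entered the stopped state."),
    make_event("2026-06-03T22:03:40", "DC02", 7036, "The Netlogon service entered the running state."),
    # DC03: a single Netlogon crash that SCM recovery restarted without a reboot.
    make_event("2026-06-03T15:10:00", "DC03", 7031,
               "The Netlogon service terminated unexpectedly. It has done this 1 time(s). "
               "The following corrective action will be taken in 60000 milliseconds: Restart the service."),
    make_event("2026-06-03T15:11:01", "DC03", 7036, "The Netlogon service entered the running state."),
]


def is_service_crash(ev):
    return ev["baseeventid"] in CRASH_IDS and any(
        s in ev["customstring1"].lower() for s in CRASH_SERVICES)


def is_netlogon_running(ev):
    msg = ev["customstring1"].lower()
    return ev["baseeventid"] == SERVICE_STATE_ID and "netlogon" in msg and "running" in msg


def find_crash_reboot_chains(events, window_minutes=30):
    """Per host, pair a Netlogon/LSASS crash with a following 6008 and a Netlogon
    'running' event inside the window. Returns one record per complete chain."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        by_host[ev["devicehostname"]].append(ev)

    chains = []
    for host, evs in by_host.items():
        i = 0
        while i < len(evs):
            if not is_service_crash(evs[i]):
                i += 1
                continue
            deadline = evs[i]["timestamp"] + timedelta(minutes=window_minutes)
            crashes, shutdown, recovered = [], None, None
            j = i
            while j < len(evs) and evs[j]["timestamp"] <= deadline:
                later = evs[j]
                j += 1
                if is_service_crash(later):
                    crashes.append(later)
                elif later["baseeventid"] == UNEXPECTED_SHUTDOWN_ID:
                    shutdown = later
                elif shutdown is not None and is_netlogon_running(later):
                    recovered = later
                    break
            if shutdown is not None and recovered is not None:
                first = crashes[0]["timestamp"]
                chains.append({
                    "devicehostname": host,
                    "first_crash": first.isoformat(),
                    "crash_count": len(crashes),
                    "recovered_at": recovered["timestamp"].isoformat(),
                    "seconds_to_recover": int((recovered["timestamp"] - first).total_seconds()),
                })
                i = j   # resume after the consumed chain
            else:
                i += 1
    return chains


if __name__ == "__main__":
    for chain in find_crash_reboot_chains(SAMPLE_EVENTS):
        print(chain)
```

Only DC01 produces a chain (two crashes, recovery 175 seconds after the first). DC02's clean stop/start has no crash event, and DC03's 7031 with an SCM recovery restart never reaches a 6008, so neither is reported here; that DC03 case is exactly what the rarity policy above still catches on its own, which is why the two views complement each other.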

The policy-building walkthrough can be found in this previous post:

https://connect.securonix.com/threat%2Dresearch%2Dintelligence%2D62/beta%2Ddetection%2Dtelnyx%2Dteampcp%2Dcredential%2Dexfiltration%2D241