DETECTION OVERVIEW

DoublePulsar RDP Implant

Risk Factors

The DoublePulsar Windows kernel-mode implant is a command-and-control (C&C) agent that can enable an unauthenticated attacker to run arbitrary shellcode with kernel privileges. This agent is uncommon because it requires sophisticated exploits such as EternalBlue to install the implant.

Kill Chain

Command-and-Control

Risk Score

Attack Background

The DoublePulsar implant is installed in the kernel memory of a victim and then waits for further commands. The attacker can leverage normal Remote Desktop Protocol (RDP) transactions to send a customized request to the victim device with the data signature (called “magic bytes”) “44 37 28 19” and a command. When the victim device sends a 288-byte response to a ping command, the attacker can then send a request with another command, such as the exec command. The exec command tells the implant to run malicious shellcode.

Mitigation Options

Disable RDP on devices unless required

Only allow incoming external RDP connections from trusted devices

Implement network segmentation, security zones, and firewall policies that limit how devices can communicate

Professional Services

Partners

Partner Login

Partner Finder

View All Use Cases

View All Industries

View All Integrations

Attack Background

Mitigation Options

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use cases