ExtraHop Logo
Try ExtraHop
Menu iconX icon
  • Platformchevron right
  • Solutionschevron right
  • Modern NDRchevron right
  • Resourceschevron right
  • Companychevron right
User iconSign In
Contact Us

DETECTION OVERVIEW

DoublePulsar RDP Scan

Risk Factors

The DoublePulsar Windows kernel-mode implant is a command-and-control (C&C) agent that can enable an unauthenticated attacker to run arbitrary shellcode with kernel privileges. This agent is uncommon because it requires sophisticated exploits such as EternalBlue to install the implant.

Kill Chain

Reconnaissance

Risk Score

37

Next in Reconnaissance: DoublePulsar SMB Scan

Attack Background

The DoublePulsar implant is installed in the kernel memory of a victim and then waits for further commands. The attacker can leverage normal RDP transactions to send a customized request to the victim device with the data signature (called “magic bytes”) “44 37 28 19” and a command. If the victim is compromised with DoublePulsar, it will respond to the ping command. The attacker then learns that the implant is installed on the compromised device and ready to receive commands.

Mitigation Options

Quarantine the client while checking for indicators of compromise

Implement network segmentation, security zones, and firewall policies that limit how devices can communicate

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use casesArrow pointing right