DETECTION OVERVIEW

DoublePulsar SMB Implant Activity

Risk Factors

The DoublePulsar Windows kernel-mode implant is a command-and-control (C&C) agent that can enable an unauthenticated attacker to run arbitrary shellcode with kernel privileges. This agent is uncommon because it requires sophisticated exploits such as EternalBlue to install the implant.

Kill Chain

Command-and-Control

Risk Score

Attack Background

The DoublePulsar implant is installed in the kernel memory of a victim and then waits for further commands. The attacker can leverage normal SMB transactions to send a customized request to the victim device with a method (TRANS2_Session_SETUP) and a command. When the victim device responds to a ping command, for example, the attacker can then send a request with another command, such as the exec command. The exec command tells the implant to run malicious shellcode.

Mitigation Options

Disable SMB file sharing unless required

Implement network segmentation, security zones, and firewall policies that limit how devices can communicate

Upgrade devices to Windows 10, or apply the Microsoft Security bulletin MS17-010 security update to prevent SMB exploits from installing DoublePulsar

Professional Services

Partners

Partner Login

Partner Finder

View All Use Cases

View All Industries

View All Integrations

Attack Background

Mitigation Options

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use cases