Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
The DoublePulsar Windows kernel-mode implant is a command-and-control (C&C) agent that can enable an unauthenticated attacker to run arbitrary shellcode with kernel privileges. This agent is uncommon because it requires sophisticated exploits such as EternalBlue to install the implant.
Kill Chain
Risk Score
37
The DoublePulsar implant is installed in the kernel memory of a victim and then waits for further commands. The attacker can leverage normal SMB transactions to send a customized request to the victim device with a method (TRANS2_Session_SETUP) and a command. If the victim is compromised with DoublePulsar, it will respond to the ping command. The attacker then learns that the implant is installed on the compromised device and ready to receive commands.
Quarantine the client while checking for indicators of compromise
Implement network segmentation, security zones, and firewall policies that limit how devices can communicate
