DETECTION OVERVIEW

EternalBlue Exploit

Risk Factors

EternalBlue is a fairly sophisticated exploit that is incorporated into common hacking toolkits. Microsoft issued a patch for EternalBlue. However, if an attacker can successfully access and then exploit an unpatched server with SMBv1 enabled, they can quickly spread malware to other unpatched servers across a network. Malware such as ransomware or cryptocurrency miners can have damaging effects on network assets.

The system might change the risk score for this detection.

Kill Chain

Exploitation

Risk Score

Attack Background

Server Message Block 1.0 (SMBv1) is a version of the file sharing and transaction protocol that contains a memory calculation vulnerability, which is the target of the EternalBlue exploit. First, the attacker sends multiple requests, or messages, to a file server over SMBv1. Each SMBv1 message is specially designed to manipulate the file server memory in a way that eventually causes a buffer overflow, which enables the attacker to deliver a malicious payload, such as ransomware, to the kernel of the server. Several well-known security attacks, such as the WannaCry ransomware, are associated with the EternalBlue exploit.

Mitigation Options

Apply the Microsoft Security bulletin MS17-010 security update

Enable host-based firewalls

Segment the network with firewall and routing rules

Disable SMBv1

MITRE ATT&CK ID

T1210

Professional Services

Partners

Partner Login

Partner Finder

View All Use Cases

View All Industries

View All Integrations

Attack Background

Mitigation Options

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use cases