With Friday's release of additional Shadow Brokers tools, a lot of attention was spent on exploits with names like Eternalblue, which exploited only recently patched vulnerabilities. Another item of interest, however, is the command and control channel used to communicate with systems post exploitation.
One covert channel, DoublePulsar, is designed in particular for systems that are vulnerable to Eternalblue. The covert channel uses SMB features that have so far not been used, in particular the Trans2 feature. Trans2 is short for Transaction 2 Subcommand Extension, and its use can be seen as part of the exploit packet capture I posted in our earlier diary.
In packet 13 of the pcap, the system running the exploit sends a Trans2 SESSION_SETUP request to the victim. This happens before the actual exploit is sent. The intent of this request is to check whether the system is already compromised. Infected or not, the system will respond with a "Not Implemented" message. But as part of the message, a Multiplex ID is returned that is 65 (0x41) for normal systems and 81 (0x51) for infected systems. If a system is infected, SMB can be used as a covert channel to exfiltrate data or launch remote commands.
Countercept released a Python script that can be used to scan systems for the presence of this backdoor. See https://github.com/countercept/doublepulsar-detection-script .
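As an added illustration of the Multiplex ID check described above (this is example code written for this diary, not Countercept's script and not anything from the Shadow Brokers release), the following Python parses a captured SMB1 reply and classifies the host by the MID value. It assumes the reply is a standard CIFS message over TCP 445 (4-byte NetBIOS session header followed by the 32-byte SMB1 header), that the "Not Implemented" status is the NT status code 0xC0000002, and that the reply command is Trans2 (0x32). The sample replies are constructed inline, not taken from the pcap.

```python
import struct

# SMB1 constants for the DoublePulsar "ping" check (assumed standard CIFS values)
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32          # Trans2 command code
STATUS_NOT_IMPLEMENTED = 0xC0000002  # NT status carried by the "Not Implemented" reply
MID_CLEAN = 0x41                     # 65: Multiplex ID a normal host answers with
MID_INFECTED = 0x51                  # 81: Multiplex ID a backdoored host answers with
NETBIOS_HEADER_LEN = 4
SMB_HEADER_LEN = 32
# Header layout, little-endian: Protocol(4) Command(1) Status(4) Flags(1) Flags2(2)
# PIDHigh(2) SecurityFeatures(8) Reserved(2) TID(2) PIDLow(2) UID(2) MID(2)
SMB_HEADER_FMT = "<4sBIBHH8sHHHHH"


def parse_smb_header(pkt: bytes) -> dict:
    """Parse NetBIOS session header + SMB1 header; raise ValueError if malformed."""
    if len(pkt) < NETBIOS_HEADER_LEN + SMB_HEADER_LEN:
        raise ValueError("packet too short for NetBIOS + SMB header")
    nb_type = pkt[0]                                   # 0x00 = session message
    nb_len = int.from_bytes(pkt[1:4], "big")           # length of the SMB payload
    if nb_type != 0x00 or nb_len != len(pkt) - NETBIOS_HEADER_LEN:
        raise ValueError("bad NetBIOS session header")
    hdr = pkt[NETBIOS_HEADER_LEN:NETBIOS_HEADER_LEN + SMB_HEADER_LEN]
    if hdr[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    (_, command, status, flags, flags2, pid_high, _sec, _res,
     tid, pid_low, uid, mid) = struct.unpack(SMB_HEADER_FMT, hdr)
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid}


def classify_trans2_response(pkt: bytes) -> str:
    """Apply the diary's rule: Trans2 'Not Implemented' reply, MID 0x41 clean, 0x51 infected."""
    h = parse_smb_header(pkt)
    if h["command"] != SMB_COM_TRANSACTION2 or h["status"] != STATUS_NOT_IMPLEMENTED:
        return "not-a-trans2-not-implemented-reply"
    if h["mid"] == MID_INFECTED:
        return "infected"
    if h["mid"] == MID_CLEAN:
        return "clean"
    # Anything else is worth a closer look but is not the documented backdoor signature
    return f"unknown-mid-0x{h['mid']:02x}"


def build_sample_reply(mid: int) -> bytes:
    """Constructed sample of a Trans2 'Not Implemented' error reply (not a real capture)."""
    hdr = struct.pack(SMB_HEADER_FMT, SMB_MAGIC, SMB_COM_TRANSACTION2,
                      STATUS_NOT_IMPLEMENTED, 0x98, 0xC801, 0, b"\x00" * 8, 0,
                      8, 0xFEFF, 8, mid)
    body = b"\x00" + b"\x00\x00"   # WordCount = 0, ByteCount = 0 for an error reply
    payload = hdr + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


if __name__ == "__main__":
    for sample_mid in (MID_CLEAN, MID_INFECTED, 0x42):
        reply = build_sample_reply(sample_mid)
        print(f"MID 0x{sample_mid:02x} -> {classify_trans2_response(reply)}")
```

The parser deliberately checks the command code and status before looking at the MID, so that an unrelated SMB error with a coincidental Multiplex ID of 0x51 is not reported as an infection; the same logic can be applied to replies pulled out of a pcap with a library such as scapy instead of the constructed samples.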
—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.