Defense in depth: DoublePulsar

Unless you’ve been living under a rock you are probably familiar with the recent Shadow Brokers data dump of the Equation Group tools. In that release a precision SMB backdoor was included called Double Pulsar. This backdoor is implemented by exploiting the recently patched Windows vulnerability: CVE-2017-0143.

For detection, we are going to first focus on the backdoor portion of the implant, hunting for traces left behind on the network. JASK customers have access to 90 days of full network meta-data to reach back in time and historically analyze or hunt for the first entry point. This allows our customers to quickly determine if they were one of the unlucky ones to be compromised by the newly leaked exploit and implant.

So let’s get straight to it. Double Pulsar is an SMB injected backdoor and that means it is time to focus on the SMB protocol. First of all you should not have SMB open to the public internet! Why people still do this is beyond us… That being said, SMB is a great protocol for threat hunting, from the SMB attack used in the Sony hack in 2014, to some of the older worm’s. It’s one of those protocols that just seems ripe for behavioral based detection. Baselining the number of requests, who’s making the requests, and what SMB commands are being used seems like a good place for anomaly detection and searching for suspicious behaviors.

To kick things off, let’s replay the attack through a JASK sensor and look at the SMB commands field in Trident Investigation:

Based on SMB commands, there are three fields that stand out for analysis:

• Commands.name
• Commands.status
• Command.sub_command

Feeding a DoublePulsar Ping to a clean, non-exploited, non-infected host results with SMB meta-data:

• Commands.name="TRANSACTION2"
• Commands.status="NOT_IMPLEMENTED"
• Command.sub_command="SESSION_SETUP"

As seen below in notebooks:

In a Wireshark analysis this clean value shows up a Multiplex_ID of 0x41

Feeding a Double Pulsar ping to a dirty, exploited infected host results with SMB meta-data:

• Commands.name="TRANSACTION2"
• Commands.status="NOT_IMPLEMENTED"
• Command.sub_command="null"

As seen below:

It seems the command.sub_command ends up being null in an exploited machine. In Wireshark this infected host results with a Multiplex_ID of 0x65.

One more interesting piece of data is that a first time exploited host ends up with a Multiplex ID of 0x52.

If you follow the exploitation in sequence you’ll see that during the exploitation, an initial Double Pulsar Ping is sent to check if the host has already been compromised. (Showing the previously discussed 0x41 for a non-exploited host), meaning it’s good to run the exploit against.

Continuing our analysis, I notice that during the CVE-2017-0143 exploitation phase “Eternal Blue” we also see an SMB ECHO command. Checking for the frequency of SMB commands, we observed the SMB Echo command is a rarely used SMB command and perfect for a behavioral-based detection of rarely seen SMB Commands, or even a “first time seen” type of anomaly.

Expanding from that analysis , we realize there’s an entire set of SMB commands that have been deprecated or unused and should be understood as suspicious behavior within the SMB protocol. For that, some behind the scenes SMB protocol reading needs to be done:

https://msdn.microsoft.com/en-us/library/ee441741.aspx

https://msdn.microsoft.com/en-us/library/ee441616.aspx

After some light protocol review and research, we ultimately identified a set of SMB commands that are rarely used. By flagging these commands, we create anomalous “Signal” to be produced in Sumo Logic Cloud SIEM Enterprise anytime one of these rarely used SMB commands are seen from a particular host for the first time. The goal with that level of signal production is to further protect users and notify threat hunters of any Zero Day attacks with rarely used “NOT IMPLEMENTED” commands. We will feed these signals to our secondary supervised learning model to ultimately end up with high confidence alerts.

The Shadow Brokers leak of NSA tools is already being ported to exploit kits and frameworks to be used in malicious campaigns. These exploit kits enable malicious actors including those of a lesser technical level, to enhance their ability of targeting and compromising their targets; thus finding vulnerable targets with Shodan.io and other public mass scan tools. There is no hiding!

While the goal of this research is purely technical to ensure defensive measures, it’s a great example of the work we do often in conjunction with helping our customer create agile defense to emerging vulnerabilities and exploits. We are moving quickly to historically check if our customers were compromised as well as push new algorithms to our customers to further protect them from not only this Shadow Brokers release, but any further SMB attacks as the world continues to move forward as it always does.