Video EternalBlue and DoublePulsar application whitelisting test

Status
Not open for further replies.

Andy Ful
From Hard_Configurator Tools
I found one test with EternalBlue & DoublePulsar that does not use a meterpreter payload. The authors used calc.exe as the payload. Here is the interesting fragment:

Step 3: INSTALLATION – Using DoublePulsar to launch an additional Backdoor
The DoublePulsar backdoor allows injecting and running any DLL (Dynamic Link Library), thereby compromising the computer and using it for whatever purpose. I was able to load a DLL into LSASS.EXE spawning calc.exe as a POC. But this of course could just as well have been something malicious (Meterpreter, Empire, Beacon).

https://www.dearbytes.com/blog/playing-around-with-nsa-hacking-tools/

If we look at the second image from this article, we can see the Task Manager on the target machine after the system was successfully exploited. The important thing is that there is no sign of rundll32.exe!
So indeed, it is possible to install EternalBlue & DoublePulsar without using rundll32.exe!
 

danb
From VoodooShield
I found one test with EternalBlue & DoublePulsar that does not use a meterpreter payload. The authors used calc.exe as the payload. Here is the interesting fragment:

Step 3: INSTALLATION – Using DoublePulsar to launch an additional Backdoor
The DoublePulsar backdoor allows injecting and running any DLL (Dynamic Link Library), thereby compromising the computer and using it for whatever purpose. I was able to load a DLL into LSASS.EXE spawning calc.exe as a POC. But this of course could just as well have been something malicious (Meterpreter, Empire, Beacon).

https://www.dearbytes.com/blog/playing-around-with-nsa-hacking-tools/

If we look at the second image from this article, we can see the Task Manager on the target machine after the system was successfully exploited. The important thing is that there is no sign of rundll32.exe!
So indeed, it is possible to install EternalBlue & DoublePulsar without using rundll32.exe!
The genie is out of the bottle. Thank you for finding that.
 

Andy Ful
From Hard_Configurator Tools
The genie is out of the bottle. Thank you for finding that.

You are welcome. This video does not prove much about your test, because it uses Fuzzbunch instead of Metasploit. But it strongly suggests that real malware will not use rundll32.exe when exploiting the system with EternalBlue & DoublePulsar.
 
Deleted member 178

Our concern as home users is to block the file conveying DP in the first place; normally any software should do it, especially anti-exe/SRP (step 1 in my chain in the previous post).
Now if the network was already compromised, the chance of being owned by it greatly increases...

In theory, if you have a security product on one machine, you should have it on the other machines of your network (at least that is what I do; I have AG on each machine I possess).

In the WannaCry attack, the network was compromised by one machine running EB-DP; we don't know how it arrived on this machine (mail? USB?). I'm 100% sure that a human error was made.
 
Deleted member 178

Step 3: INSTALLATION – Using DoublePulsar to launch an additional Backdoor
The DoublePulsar backdoor allows injecting and running any DLL (Dynamic Link Library), thereby compromising the computer and using it for whatever purpose. I was able to load a DLL into LSASS.EXE spawning calc.exe as a POC. But this of course could just as well have been something malicious (Meterpreter, Empire, Beacon).
So I was right from the start: DP is about lsass.exe being exploited, nothing to do with rundll32.exe being used, so nothing can prevent it from being injected by DP. The system is owned...
Because anti-exe/SRP aren't designed to stop this kind of injection.
 

danb
From VoodooShield
So I was right from the start: DP is about lsass.exe being exploited, nothing to do with rundll32.exe being used, so nothing can prevent it from being injected by DP. The system is owned...
Because anti-exe/SRP aren't designed to stop this kind of injection.
Absolutely incorrect. I have no idea why you guys keep discussing "rundll32 being used"... but I will not even go into that.

Basically, when you see rundll32.exe spawn as a child process of lsass.exe, that means:

1. DP was successful
2. A session was created
3. The computer is most likely infecting other computers on the network
4. The following DP hacker tools are available for use:

Core Commands
=============

Command                    Description
-------                    -----------
?                          Help menu
background                 Backgrounds the current session
bgkill                     Kills a background meterpreter script
bglist                     Lists running background scripts
bgrun                      Executes a meterpreter script as a background thread
channel                    Displays information or control active channels
close                      Closes a channel
disable_unicode_encoding   Disables encoding of unicode strings
enable_unicode_encoding    Enables encoding of unicode strings
exit                       Terminate the meterpreter session
get_timeouts               Get the current session timeout values
help                       Help menu
info                       Displays information about a Post module
irb                        Drop into irb scripting mode
load                       Load one or more meterpreter extensions
machine_id                 Get the MSF ID of the machine attached to the session
migrate                    Migrate the server to another process
quit                       Terminate the meterpreter session
read                       Reads data from a channel
resource                   Run the commands stored in a file
run                        Executes a meterpreter script or Post module
sessions                   Quickly switch to another session
set_timeouts               Set the current session timeout values
sleep                      Force Meterpreter to go quiet, then re-establish session.
transport                  Change the current transport mechanism
use                        Deprecated alias for 'load'
uuid                       Get the UUID for the current session
write                      Writes data to a channel

Stdapi: File system Commands
============================

Command                    Description
-------                    -----------
cat                        Read the contents of a file to the screen
cd                         Change directory
checksum                   Retrieve the checksum of a file
cp                         Copy source to destination
dir                        List files (alias for ls)
download                   Download a file or directory
edit                       Edit a file
getlwd                     Print local working directory
getwd                      Print working directory
lcd                        Change local working directory
lpwd                       Print local working directory
ls                         List files
mkdir                      Make directory
mv                         Move source to destination
pwd                        Print working directory
rm                         Delete the specified file
rmdir                      Remove directory
search                     Search for files
show_mount                 List all mount points/logical drives
upload                     Upload a file or directory

Stdapi: Networking Commands
===========================

Command                    Description
-------                    -----------
arp                        Display the host ARP cache
getproxy                   Display the current proxy configuration
ifconfig                   Display interfaces
ipconfig                   Display interfaces
netstat                    Display the network connections
portfwd                    Forward a local port to a remote service
resolve                    Resolve a set of host names on the target
route                      View and modify the routing table

Stdapi: System Commands
=======================

Command                    Description
-------                    -----------
clearev                    Clear the event log
drop_token                 Relinquishes any active impersonation token.
execute                    Execute a command
getenv                     Get one or more environment variable values
getpid                     Get the current process identifier
getprivs                   Attempt to enable all privileges available to the current process
getsid                     Get the SID of the user that the server is running as
getuid                     Get the user that the server is running as
kill                       Terminate a process
localtime                  Displays the target system's local date and time
pgrep                      Filter processes by name
pkill                      Terminate processes by name
ps                         List running processes
reboot                     Reboots the remote computer
reg                        Modify and interact with the remote registry
rev2self                   Calls RevertToSelf() on the remote machine
shell                      Drop into a system command shell
shutdown                   Shuts down the remote computer
steal_token                Attempts to steal an impersonation token from the target process
suspend                    Suspends or resumes a list of processes
sysinfo                    Gets information about the remote system, such as OS

Stdapi: User interface Commands
===============================

Command                    Description
-------                    -----------
enumdesktops               List all accessible desktops and window stations
getdesktop                 Get the current meterpreter desktop
idletime                   Returns the number of seconds the remote user has been idle
keyscan_dump               Dump the keystroke buffer
keyscan_start              Start capturing keystrokes
keyscan_stop               Stop capturing keystrokes
screenshot                 Grab a screenshot of the interactive desktop
setdesktop                 Change the meterpreters current desktop
uictl                      Control some of the user interface components

Stdapi: Webcam Commands
=======================

Command                    Description
-------                    -----------
record_mic                 Record audio from the default microphone for X seconds
webcam_chat                Start a video chat
webcam_list                List webcams
webcam_snap                Take a snapshot from the specified webcam
webcam_stream              Play a video stream from the specified webcam

Priv: Elevate Commands
======================

Command                    Description
-------                    -----------
getsystem                  Attempt to elevate your privilege to that of local system.

Priv: Password database Commands
================================

Command                    Description
-------                    -----------
hashdump                   Dumps the contents of the SAM database

Priv: Timestomp Commands
========================

Command                    Description
-------                    -----------
timestomp                  Manipulate file MACE attributes

Now, security software that allows DP to execute can block SOME of these tools... but some of these tools definitely work, and I highly doubt that any security software would be able to block all of them. For example, the download tool has worked on everything that I have tried it on... well, unless DP was blocked in the first place; then none of these tools work.

It is better to just block DP from running in the first place, because then these hacker tools are not available. These are just the tools that the NSA (or whoever) built into DP... there is a high probability we will be seeing enhanced versions of DP.

I think part of the problem is that everyone is so focused on ransomware, and they forget that there are other types of malware... like DP.
 
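The indicator danb describes above, rundll32.exe appearing as a child process of lsass.exe, is something a defender can alert on directly from process-creation telemetry. Andy Ful's point earlier in the thread, that the injected payload need not be rundll32.exe (the dearbytes proof of concept spawned calc.exe from LSASS), means the rule should key on the parent, not on the child's name: lsass.exe has no legitimate child processes. The following is an added example, not code from the thread or from any of the products discussed (VoodooShield, ERP, AppGuard). The event lines are constructed here in a simplified Sysmon Event ID 1 key=value style; the field names and the `detect_lsass_children` function are assumptions of this example.

```python
"""Added example: flag child processes of lsass.exe in process-creation events.

lsass.exe does not legitimately create child processes, so a child of any
name is a strong indicator that something has injected into it. The event
lines below are constructed for this example in a simplified Sysmon Event
ID 1 (process creation) key=value style; the field names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events (not from the thread). Lines 2 and 3 mimic the
# two cases the thread discusses: rundll32.exe as a child of lsass.exe (the
# Metasploit-driven tests) and calc.exe as a child of lsass.exe (the
# dearbytes proof of concept). Lines 1 and 4 are benign; line 5 is a
# network event, not a process creation, and must be ignored.
SAMPLE_EVENTS = [
    "EventID=1 UtcTime=2017-05-14T10:01:02 Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe",
    "EventID=1 UtcTime=2017-05-14T10:01:05 Image=C:\\Windows\\System32\\rundll32.exe ParentImage=C:\\Windows\\System32\\lsass.exe",
    "EventID=1 UtcTime=2017-05-14T10:01:09 Image=C:\\Windows\\System32\\calc.exe ParentImage=C:\\Windows\\System32\\lsass.exe",
    "EventID=1 UtcTime=2017-05-14T10:02:00 Image=C:\\Windows\\System32\\rundll32.exe ParentImage=C:\\Windows\\explorer.exe",
    "EventID=3 UtcTime=2017-05-14T10:02:01 Image=C:\\Windows\\System32\\lsass.exe DestinationPort=445",
]

# key=value pairs; values in this constructed format contain no spaces.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    time: str
    parent: str
    child: str
    note: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_child(child: str) -> str:
    # rundll32.exe is the child the thread's Metasploit-driven tests observed;
    # any other child is just as anomalous, because lsass.exe has no
    # legitimate children. Both cases produce a finding.
    if child == "rundll32.exe":
        return "known DoublePulsar loader pattern"
    return "unexpected lsass.exe child"


def detect_lsass_children(lines: List[str]) -> List[Finding]:
    """Return one Finding per process-creation event whose parent is lsass.exe."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":  # only process-creation events
            continue
        if basename(ev.get("ParentImage", "")) != "lsass.exe":
            continue
        child = basename(ev.get("Image", ""))
        findings.append(Finding(ev.get("UtcTime", "?"), "lsass.exe", child, classify_child(child)))
    return findings


if __name__ == "__main__":
    for f in detect_lsass_children(SAMPLE_EVENTS):
        print(f"{f.time} {f.parent} -> {f.child}: {f.note}")
```

Run against the constructed sample, the detector reports the rundll32.exe and calc.exe events and ignores the benign rundll32.exe launched from explorer.exe and the lsass.exe network event. In a real deployment the same rule runs over Sysmon Event ID 1 or Windows Security event 4688 data, where the parent image field is what matters; an allow-list of child names would miss exactly the non-rundll32 payload Andy Ful points out.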

danb
From VoodooShield
Our concern as home users is to block the file conveying DP in the first place; normally any software should do it, especially anti-exe/SRP (step 1 in my chain in the previous post).
Now if the network was already compromised, the chance of being owned by it greatly increases...

In theory, if you have a security product on one machine, you should have it on the other machines of your network (at least that is what I do; I have AG on each machine I possess).

In the WannaCry attack, the network was compromised by one machine running EB-DP; we don't know how it arrived on this machine (mail? USB?). I'm 100% sure that a human error was made.
We agree finally... security software should have the ability to block DP... if it does not, they might want to look into fixing it.

For your second point... yeah, a lot of companies tend to run the same security software, but just as an example... I do a lot of work for real estate offices, and typically only do work for around 5-10% of the agents per office, since they are independent agents and have their own computer person.

So far, this is the best article that I have seen that describes the initial attack vector... but I have a feeling that we will be learning more in the days and weeks to come.

#WannaCry Didn’t Start with Phishing Attacks, Says Malwarebytes
 
Deleted member 178

Absolutely incorrect. I have no idea why you guys keep discussing "rundll32 being used"... but I will not even go into that.

Basically, when you see rundll32.exe spawn as a child process of lsass.exe, that means:

1. DP was successful
2. A session was created
3. The computer is most likely infecting other computers on the network
4. The following DP hacker tools are available for use:
LOL Dan, it is EXACTLY what I said since the start!!! I don't want to waste my time putting up screenshots.... :D

lsass.exe is the target and may or may not use rundll32.exe to do other stuff, but the system is still compromised; do we agree?
 

danb
From VoodooShield
LOL Dan, it is EXACTLY what I said since the start!!! I don't want to waste my time putting up screenshots.... :D

lsass.exe is the target and may or may not use rundll32.exe to do other stuff, but the system is still compromised; do we agree?
If you understand that when ERP and VS block DP, these tools are not available, then yes, we agree.

If the session is created, then these tools are available. As I was saying, depending on the security software that is on the system, some of these tools work, and some do not. Download works, and to me, that is enough to demonstrate the importance of blocking DP.
 

danb
From VoodooShield
"Public open SMB port" come on.... what are firewalls made for... i am shocked...
Hehehe, I think there is even more to it than that ;). This thing spread like wildfire. I think we will find out more about the attack vector soon.

I have a hunch that routers were bypassed / hacked... but that is pure speculation ;). Something happened... that is for sure.

I think that is the reason there is so little information about the attack.
 

danb
From VoodooShield
Just to clarify... when you see rundll32.exe temporarily spawn as a child process of lsass in the VS test, this is because the process is suspended while the user or VS decides whether to allow it or not. Note that the memory utilization remains at 88 KB. ERP was on lockdown, so it did not have to suspend the process... it just automatically blocked it (there was no chance of the user allowing the process since it was on lockdown, so it just killed it immediately).

The end result... DP was completely blocked in the ERP and VS tests.
 
Deleted member 178

If you understand that when ERP and VS block DP, these tools are not available, then yes, we agree.
Yes, it is what I said from the beginning, so we agree :)
My point is that DP is the injection into lsass.exe first, and this one is not blocked, but the rest is.
So you are right, the infection is stopped, but the system is still compromised. That was my point.

The end result... DP was completely blocked in the ERP and VS tests.
Not completely, partially; the lsass.exe injection is part of the attack and is not blocked, so partially.
I think it is more a difference between how each of us defines "block" :p

If the session is created, then these tools are available. As I was saying, depending on the security software that is on the system, some of these tools work, and some do not. Download works, and to me, that is enough to demonstrate the importance of blocking DP.
And as I said, if those tools can't run because various security solutions are in place, you are still protected from them (but the breach must be fixed obviously).
 

danb
From VoodooShield
OMG, we keep going in circles ;). Let's see where the breakdown is... please put an Agree or Disagree at the end of each of the following statements.

1. The whole goal of the EB exploit is to install DP. Agree or Disagree?
2. If DP was blocked from being installed, this demonstrates that EB is unable to successfully exploit the system, so the exploit failed as well and the system is not compromised. Agree or Disagree?
3. If DP is not installed on the system, then the hacker tools listed above are not available for use. Agree or Disagree?
4. If DP is installed on the system, then a lot of the hacker tools are available for use. Agree or Disagree?
5. The hacker tools are available for use in the AG test. Agree or Disagree?
6. The hacker tools are NOT available for use in the VS test. Agree or Disagree?

You said "if those tools can't run because various security solutions are in place, you are still protected from them"... this is true for some tools, but there are a lot of tools that do work that can do a lot of damage. Wouldn't it be better to just stop DP from running at all, that way you are 100% certain that none of these tools will work?

Besides, it would only take around 30-60 minutes for a decent hacker to add an "encrypt" tool (among others) to DP. Just block DP completely, that way you do not have to take a chance.

I mean really... who needs to drop and execute another executable payload when you have all of these malware tools at your disposal... and this is just the generic DP... just wait until it is modded ;).
 

_CyberGhosT_
OMG, we keep going in circles ;). Let's see where the breakdown is... please put an Agree or Disagree at the end of each of the following statements.

1. The whole goal of the EB exploit is to install DP. Agree or Disagree?
2. If DP was blocked from being installed, this demonstrates that EB is unable to successfully exploit the system, so the exploit failed as well and the system is not compromised. Agree or Disagree?
3. If DP is not installed on the system, then the hacker tools listed above are not available for use. Agree or Disagree?
4. If DP is installed on the system, then a lot of the hacker tools are available for use. Agree or Disagree?
5. The hacker tools are available for use in the AG test. Agree or Disagree?
6. The hacker tools are NOT available for use in the VS test. Agree or Disagree?

You said "if those tools can't run because various security solutions are in place, you are still protected from them"... this is true for some tools, but there are a lot of tools that do work that can do a lot of damage. Wouldn't it be better to just stop DP from running at all, that way you are 100% certain that none of these tools will work?

Besides, it would only take around 30-60 minutes for a decent hacker to add an "encrypt" tool (among others) to DP. Just block DP completely, that way you do not have to take a chance.

I mean really... who needs to drop and execute an executable payload when you have all of these malware tools at your disposal... and this is just the generic DP... just wait until it is modded ;).
I have watched you make perfect sense in multiple threads, and yet it still escapes him.
This is bordering on madness; you do know you can have a discussion with @Jack and he will make him stop this stupidity.
It's amazingly confounding, Dan, wow.
As a staff member here he represents MalwareTips, and going after a Developer to this extent "should" be frowned upon. Jack should visit Wilders too so he can see the full extent of this issue.
 
Deleted member 178

OMG, we keep going in circles ;). Let's see where the breakdown is... please put an Agree or Disagree at the end of each of the following statements.

Hahahaha, ok, let's see.

1. The whole goal of the EB exploit is to install DP. Agree or Disagree? AGREE
2. If DP was blocked from being installed, this demonstrates that EB is unable to successfully exploit the system, so the exploit failed as well and the system is not compromised. Agree or Disagree? DISAGREE
EB is only the network abuse; it comes before DP, it is the vector for DP. (step 2 in your article: https://www.dearbytes.com/blog/playing-around-with-nsa-hacking-tools/)
3. If DP is not installed on the system, then the hacker tools listed above are not available for use. Agree or Disagree? AGREE
4. If DP is installed on the system, then a lot of the hacker tools are available for use. Agree or Disagree? AGREE
5. The hacker tools are available for use in the AG test. Agree or Disagree? BOTH: if an exe (say WannaCry) is uploaded, AG (and any anti-exe) will block it, so DISAGREE; if you meant the Metasploit tools (like the shell), we AGREE
6. The hacker tools are NOT available for use in the VS test. Agree or Disagree? AGREE, VS blocks the shell creation ahead.

You said "if those tools can't run because various security solutions are in place, you are still protected from them"... this is true for some tools, but there are a lot of tools that do work that can do a lot of damage. Wouldn't it be better to just stop DP from running at all, that way you are 100% certain that none of these tools will work?
That is all about what those tools are and whether the security product is made to stop those tools; that is the big difference. AG does what it is supposed to do, and so does VS.

Besides, it would only take around 30-60 minutes for a decent hacker to add an "encrypt" tool (among others) to DP. Just block DP completely, that way you do not have to take a chance.
Indeed, AG doesn't care if it is encrypted or not: if it is an exe, it is supposed to be blocked; if the tool tries to read/write the memory of another process, it is supposed to be blocked too (based on its policy).

I mean really... who needs to drop and execute an executable payload when you have all of these malware tools at your disposal... and this is just the generic DP... just wait until it is modded ;).
What is WannaCry? An exe, right?
That is why AG is just a tool protecting against a precise kind of vector (the most common one); don't ask it to do what it wasn't designed to do.
Also, since it is an SRP, it doesn't parse the command line like VS or ERP do. AG isn't anti-exe. AG isn't a standalone 360° protection tool.
You need to understand what AG is. To describe AG simply, it is a boosted and simpler version of AppLocker.
 
Deleted member 178

I have watched you make perfect sense in multiple threads, and yet it still escapes him.
This is bordering on madness; you do know you can have a discussion with @Jack and he will make him stop this stupidity.
It's amazingly confounding, Dan, wow.
As a staff member here he represents MalwareTips, and going after a Developer to this extent "should" be frowned upon. Jack should visit Wilders too so he can see the full extent of this issue.
You have no idea what we are talking about. Dan and I have a long, tumultuous relationship :p; he knows that I don't go after him, so stop assuming idiocy... I help him quite often in fact, he can testify to it.
We just like to oppose our arguments and points of view. If you don't like it, don't read. We don't put a gun to your head and force you to follow this debate...
Should I shut my mouth because he is a dev, or does he have to shut his mouth because I'm a mod? Hell no.
 

_CyberGhosT_
You have no idea what we are talking about. Dan and I have a long, tumultuous relationship :p; he knows that I don't go after him, so stop assuming idiocy... I help him quite often in fact, he can testify to it.
We just like to oppose our arguments and points of view. If you don't like it, don't read. We don't put a gun to your head and force you to follow this debate...
Should I shut my mouth because he is a dev, or does he have to shut his mouth because I'm a mod? Hell no.
You really don't get how tired of this he is, do you? lol, do your thing then, genius ;)
 
Deleted member 178

And you shouldn't post useless comments; rather, be more useful than just being a watchdog by giving your opinion and point of view on the attack we are debating...
 