NF – EXPLOIT [PTsecurity] DoublePulsar Backdoor installation communication

The rule detects communication related to the installation of the DoublePulsar Backdoor, specifically looking for specific patterns and headers in the TCP payload. The DoublePulsar Backdoor is associated with the EternalBlue exploit and is a significant security threat that could lead to unauthorized access and control of vulnerable systems.

Categories:

ID Number

5013402

Signature

alert tcp any any -> $HOME_NET 445 (msg:"NF - EXPLOIT [PTsecurity] DoublePulsar Backdoor installation communication"; flow: to_server, established; content:"|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test:2,!=,0x0000,52,relative,little; pcre: "/^.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/R"; reference:url,networkforensic.dk; reference:url,doc.emergingthreats.net; metadata:11122018; classtype:attempted-admin; sid:5013402; rev:1;)

MITRE ATT&CK Technique

-

Severity

High

Recommendations/Investigative actions

Authorize the Link. If the link was approved in terms of the IP addresses and ports - archive and baseline the rule. If not - check the connection and investigate the relevant IP address, check if the IP address is new on the network and if there are additional alerts related to this IP address.