
SANS ISC: Detecting SMB Covert Channel ("Double Pulsar") SANS ISC InfoSec Forums


With Friday's release of additional Shadowbroker tools, a lot of attention went to exploits with names like "Eternalblue", which exploited only recently patched vulnerabilities. Another item of interest, however, is the command and control channel used to communicate with systems post exploitation.

One covert channel, "double pulsar", is designed in particular for systems that are vulnerable to Eternalblue. The covert channel uses SMB features that have so far not been used, in particular the "Trans2" feature. Trans2 is short for "Transaction 2 Subcommand Extension", and its use can be seen as part of the exploit packet capture I posted in our earlier diary.

In packet 13 of the pcap, the system running the exploit sends a "trans2 SESSION_SETUP" request to the victim. This happens before the actual exploit is sent. The intent of this request is to check if the system is already compromised. Infected or not, the system will respond with a "Not Implemented" message. But as part of the message, a "Multiplex ID" is returned that is 65 (0x41) for normal systems and 81 (0x51) for infected systems. If a system is infected, then SMB can be used as a covert channel to exfiltrate data or launch remote commands.
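The same Multiplex ID check can be applied passively to server replies pulled from a packet capture. The following Python code is an added example, not part of the original diary and not the Countercept script. It assumes the standard 32-byte SMB1 header layout and the NT status code 0xC0000002 for the "Not Implemented" reply; the function names and the sample replies are constructed for illustration.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32            # "Trans2" command code
STATUS_NOT_IMPLEMENTED = 0xC0000002    # assumed code of the "Not Implemented" reply
MID_NORMAL, MID_INFECTED = 0x41, 0x51  # Multiplex ID values given in the diary
HEADER = struct.Struct("<4sBIBHH8sHHHHH")  # 32-byte SMB1 header, little-endian


def classify_trans2_response(payload: bytes) -> str:
    """Return "infected", "normal", "unexpected-mid" or "not-applicable"."""
    # SMB over TCP/445 is framed by a 4-byte NetBIOS session header; skip it.
    if len(payload) >= 8 and payload[0] == 0 and payload[4:8] == SMB1_MAGIC:
        payload = payload[4:]
    if len(payload) < HEADER.size:
        return "not-applicable"
    (magic, command, status, flags, _flags2, _pid_high, _sig, _reserved,
     _tid, _pid_low, _uid, mid) = HEADER.unpack_from(payload)
    is_reply = bool(flags & 0x80)  # reply bit: message was sent by the server
    if (magic != SMB1_MAGIC or command != SMB_COM_TRANSACTION2
            or not is_reply or status != STATUS_NOT_IMPLEMENTED):
        return "not-applicable"
    if mid == MID_INFECTED:
        return "infected"
    if mid == MID_NORMAL:
        return "normal"
    return "unexpected-mid"  # reply matches otherwise, but MID is neither value


def build_sample(mid: int, status: int = STATUS_NOT_IMPLEMENTED) -> bytes:
    """Constructed test input: NetBIOS header plus a bare SMB1 Trans2 reply."""
    smb = HEADER.pack(SMB1_MAGIC, SMB_COM_TRANSACTION2, status, 0x98, 0xC007,
                      0, b"\x00" * 8, 0, 0x0800, 0xFEFF, 0x0800, mid)
    smb += b"\x00\x00\x00"  # WordCount = 0, ByteCount = 0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    for mid in (0x41, 0x51):
        print(hex(mid), classify_trans2_response(build_sample(mid)))
```

Feed it the TCP payload of each server-to-client segment on port 445; replies that are not a Trans2 "Not Implemented" response are reported as "not-applicable" rather than guessed at.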

Countercept released a Python script that can be used to scan systems for the presence of this backdoor. See .

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute


ISC Handler
Apr 16th 2017
