Everything begins with the attacker's monitoring and prior study of the target (in our case EvilCorp) during the reconnaissance phase. The information gathered there, such as the operating systems and software in use (including versions), users, email addresses, shared resources, network addressing and so on, allows the attacker to craft a very credible targeted phishing email.
Suppose that a user in the finance department (Windows 10, IP 136) clicks on the link included in the phishing email. The link delivers a dropper that no antivirus (AV) detects. This is common, since the dropper itself is not really malicious: the malicious component is the file it later downloads and executes, which is the ransomware itself.
The attacker knows from the metadata gathered during reconnaissance that EvilCorp runs Windows. In our example, rather than deploying ransomware, the attacker prefers to deploy malware that takes control of as many machines as possible that are vulnerable to a known exploit. The file that runs includes the MS17-010 Eternalblue exploit that made Wannacry so well known and launches it against the rest of the computers in the local production network, for example an up-to-date Windows 7 (Desktop121, IP 121) and another Windows 7 (Desktop120, IP 120) that is missing some patches, among them MS17-010, because it has its own application installed and updating the operating system is not convenient due to possible incompatibilities.
The up-to-date Desktop121 computer responds to the exploit's first communication, since it is a plain SMB request. In the following communication, however, the attacker (in this case Desktop136) receives no answer to the exploit. The outdated Desktop120 computer behaves differently: it responds both to the first SMB request and to the subsequent payload that contains the exploit, which installs the Eternalblue backdoor and leaves the machine under the attacker's control.
So far we have described the reconnaissance and exploitation phases as they take place in a real attack.
Viewing in redBorder Platform
We can see it reflected in the Intrusion section with the following signatures:
- ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010
- OS-WINDOWS Microsoft Windows SMB remote code execution attempt
- ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray
- ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response
The detection of the Eternalblue exploit is based on the Snort rule that matches the response string returned in the "echo" of the SMBv1 protocol, specifically the byte string \x4a\x6c\x4a\x6d\x49\x68\x43\x6c\x42\x73\x72\x00, which is the ASCII text "JlJmIhClBsr" followed by a null byte.
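As an added illustration (not code from the original post or from redBorder), the following Python mirrors the logic behind that signature: it parses a raw SMBv1 frame, checks that the command is SMB_COM_ECHO (0x2B, the standard command code), and looks for the byte string quoted above in the echo data. The sample frames are constructed inline for testing and are not real captures.

```python
import struct

SMB_MAGIC = b"\xffSMB"            # SMBv1 header magic
SMB_COM_ECHO = 0x2B               # standard SMB_COM_ECHO command code
# Byte string from the signature: "JlJmIhClBsr" followed by a NUL
ETERNALBLUE_ECHO_MARKER = bytes.fromhex("4a6c4a6d4968436c42737200")


def parse_smb1(packet: bytes):
    """Split a TCP payload (NetBIOS session header + SMBv1) into (command, data).

    Returns None if the frame is too short or is not SMBv1.
    """
    if len(packet) < 4 + 33:
        return None
    nb_len = int.from_bytes(packet[1:4], "big")   # NetBIOS: type byte + 3-byte length
    smb = packet[4:4 + nb_len]
    if len(smb) < 33 or smb[:4] != SMB_MAGIC:
        return None
    command = smb[4]
    # 32-byte header, then WordCount, parameter words, ByteCount, data bytes
    word_count = smb[32]
    off = 33 + 2 * word_count
    byte_count = int.from_bytes(smb[off:off + 2], "little")
    data = smb[off + 2:off + 2 + byte_count]
    return command, data


def is_eternalblue_echo_response(packet: bytes) -> bool:
    """True when the frame is an SMB echo carrying the Eternalblue marker."""
    parsed = parse_smb1(packet)
    if parsed is None:
        return False
    command, data = parsed
    return command == SMB_COM_ECHO and ETERNALBLUE_ECHO_MARKER in data


def build_echo_response(data: bytes) -> bytes:
    """Constructed sample frame: server-to-client SMB_COM_ECHO response carrying data."""
    header = SMB_MAGIC + bytes([SMB_COM_ECHO]) + b"\x00" * 4   # command, NT status
    header += b"\x98"                                           # flags: this is a reply
    header += b"\x00" * 22                                      # flags2 .. MID (zeroed)
    body = b"\x01" + struct.pack("<H", 1)                       # WordCount=1, SequenceNumber=1
    body += struct.pack("<H", len(data)) + data                 # ByteCount + echo data
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb          # NetBIOS session header
```

A benign echo (for example, echo data of "hello") parses the same way but does not match, so the check fires only on the marker the rule describes.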
Additionally, if you wish, you can check this on the platform itself by selecting RAW mode in the Intrusion view:
Once the rule has been located, click on the button on the right:
Click again on the button on the right, which now shows the information icon:
This takes us into the RAW mode of the event itself:
Now we have two options: view the rule itself, or view the captured traffic that triggered that rule:
You can see more information about Eternalblue and the rules in the following links: