├── LICENSE
├── README.md
├── detect_doublepulsar_rdp.py
├── detect_doublepulsar_smb.py
└── doublepulsar_snort_rules.rules


/LICENSE:
--------------------------------------------------------------------------------
 1 | Copyright (c) 2017, Countercept (https://countercept.com)
 2 | 
 3 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
 4 | 
 5 | 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
 6 | 
 7 | 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
 8 | 
 9 | 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
10 | 
11 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | Author: Luke Jennings (luke.jennings@countercept.com - @jukelennings)
 2 | 
 3 | Company: Countercept (@countercept)
 4 | 
 5 | Website: https://countercept.com
 6 | 
 7 | 
 8 | A set of python2 scripts for sweeping a list of IPs for the presence of both SMB and RDP versions of the DOUBLEPULSAR implant that was released by the Shadow Brokers. Supports both single IP checking and a list of IPs in a file with multi-threading support. The SMB version also supports the remote uninstall of the implant for remediation, which was helped by knowledge of the opcode mechanism reversed by @zerosum0x0.  
 9 | 
10 | This is an early release in the interests of allowing people to find compromises on their network now that these exploits are in the wild and no doubt being used to target organizations. It re-implements the ping command of the implant, which can be used remotely without authentication, in order to determine if a system is infected or not. Both SMB and RDP versions of the implant are supported.
11 | 
12 | Not all OS versions have been tested and some currently fail. For example, 2012 will reject the SMB sequence with ACCESS_DENIED. However, this system is not vulnerable to the ETERNALBLUE exploit and the DOUBLEPULSAR implant receives the same error when trying to ping a target. Therefore, it is possible that errors against certain windows versions may be indicative that the system is not compromised.
13 | 
14 | ## Usage
15 | ```
16 | root@kali:~# python detect_doublepulsar_smb.py --ip 192.168.175.128
17 | [-] [192.168.175.128] No presence of DOUBLEPULSAR SMB implant
18 | 
19 | root@kali:~# python detect_doublepulsar_smb.py --ip 192.168.175.128
20 | [+] [192.168.175.128] DOUBLEPULSAR SMB IMPLANT DETECTED!!!
21 | 
22 | root@kali:~# python detect_doublepulsar_rdp.py --file ips.list --verbose --threads 1
23 | [*] [192.168.175.141] Sending negotiation request
24 | [*] [192.168.175.141] Server explicitly refused SSL, reconnecting
25 | [*] [192.168.175.141] Sending non-ssl negotiation request
26 | [*] [192.168.175.141] Sending ping packet
27 | [-] [192.168.175.141] No presence of DOUBLEPULSAR RDP implant
28 | [*] [192.168.175.143] Sending negotiation request
29 | [*] [192.168.175.143] Server chose to use SSL - negotiating SSL connection
30 | [*] [192.168.175.143] Sending SSL client data
31 | [*] [192.168.175.143] Sending ping packet
32 | [-] [192.168.175.143] No presence of DOUBLEPULSAR RDP implant
33 | [*] [192.168.175.142] Sending negotiation request
34 | [*] [192.168.175.142] Sending client data
35 | [*] [192.168.175.142] Sending ping packet
36 | [+] [192.168.175.142] DOUBLEPULSAR RDP IMPLANT DETECTED!!!
37 | 
38 | root@kali:~# python2 detect_doublepulsar_smb.py --ip 192.168.175.136 --uninstall
39 | [+] [192.168.175.136] DOUBLEPULSAR SMB IMPLANT DETECTED!!! XOR Key: 0x7c3bf3c1
40 | [+] [192.168.175.136] DOUBLEPULSAR uninstall successful
41 | ```
42 | 
43 | ## Scanning your network
44 | ```shell
45 | # target network (adapt this to your network)
46 | NETWORKRANGE=192.168.33.0/24
47 | # install the required scanning tools
48 | brew install masscan || apt-get install masscan
49 | git clone https://github.com/countercept/doublepulsar-detection-script.git
50 | cd doublepulsar-detection-script
51 | # scan open ports
52 | masscan -p445  $NETWORKRANGE > smb.lst
53 | masscan -p3389 $NETWORKRANGE > rdp.lst
54 | # clean the list of IPs
55 | sed -i "s/^.* on //" smb.lst
56 | sed -i "s/^.* on //" rdp.lst
57 | # check vulnerabilities on the hosts who have the service open
58 | python detect_doublepulsar_smb.py --file smb.lst
59 | python detect_doublepulsar_rdp.py --file rdp.lst
60 | 
61 | # Or, if you have the python netaddr library
62 | python detect_doublepulsar_smb.py --net 192.168.0.1/24
63 | ```
64 | 
65 | ## Snort
66 | This repository also contains three Snort signatures that can be used for detecting the use of the unimplemented SESSION_SETUP Trans2 command that the SMB ping utility uses and different response cases. While we do not condone the reliance on signatures for effective attack detection, due to how easily they are bypassed, these rules are highly specific and should provide some detection capability against new threat groups reusing these exploits and implants without modification.
67 | 
68 | ## More info
69 | https://www.countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/  
70 | https://zerosum0x0.blogspot.co.uk/2017/04/doublepulsar-initial-smb-backdoor-ring.html  
71 | 
72 | 


--------------------------------------------------------------------------------
/detect_doublepulsar_rdp.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | 
  3 | import binascii
  4 | import socket
  5 | import argparse
  6 | import threading
  7 | import ssl
  8 | 
  9 | 
 10 | # Packets
 11 | ssl_negotiation_request = binascii.unhexlify("030000130ee000000000000100080001000000")
 12 | non_ssl_negotiation_request = binascii.unhexlify("030000130ee000000000000100080000000000")
 13 | non_ssl_client_data = binascii.unhexlify("030001ac02f0807f658201a00401010401010101ff30190201220201020201000201010201000201010202ffff020102301902010102010102010102010102010002010102020420020102301c0202ffff0202fc170202ffff0201010201000201010202ffff0201020482013f000500147c00018136000800100001c00044756361812801c0d800040008000005000401ca03aa09080000b01d0000000000000000000000000000000000000000000000000000000000000000000007000000000000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001ca01000000000018000f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000000004c00c00110000000000000002c00c001b0000000000000003c0380004000000726470647200000000008080726470736e640000000000c0647264796e766300000080c0636c6970726472000000a0c0")
 14 | ssl_client_data = binascii.unhexlify("030001ac02f0807f658201a00401010401010101ff30190201220201020201000201010201000201010202ffff020102301902010102010102010102010102010002010102020420020102301c0202ffff0202fc170202ffff0201010201000201010202ffff0201020482013f000500147c00018136000800100001c00044756361812801c0d800040008000005000401ca03aa09080000b01d0000000000000000000000000000000000000000000000000000000000000000000007000000000000000c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001ca01000000000018000f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000100000004c00c00110000000000000002c00c001b0000000000000003c0380004000000726470647200000000008080726470736e640000000000c0647264796e766300000080c0636c6970726472000000a0c0")
 15 | ping_packet = binascii.unhexlify("0300000e02f0803c443728190200")
 16 | 
 17 | # Arguments
 18 | parser = argparse.ArgumentParser(description="Detect present of DOUBLEPULSAR RDP implant\n\nAuthor: Luke Jennings\nWebsite: https://countercept.com\nTwitter: @countercept", formatter_class=argparse.RawTextHelpFormatter)
 19 | group = parser.add_mutually_exclusive_group(required=True)
 20 | group.add_argument('--ip', help='Single IP address to check')
 21 | group.add_argument('--file', help='File containing a list of IP addresses to check')
 22 | group.add_argument('--net', help='Network CIDR to check (requires python netaddr library)')
 23 | parser.add_argument('--timeout', help="Timeout on connection for socket in seconds", default=None)
 24 | parser.add_argument('--verbose', help="Verbose output for checking of commands", action='store_true')
 25 | parser.add_argument('--threads', help="Number of connection threads when checking file of IPs (default 10)", default="10")
 26 | 
 27 | args = parser.parse_args()
 28 | ip = args.ip
 29 | filename = args.file
 30 | net = args.net
 31 | timeout = args.timeout
 32 | verbose = args.verbose
 33 | num_threads = int(args.threads)
 34 | semaphore = threading.BoundedSemaphore(value=num_threads)
 35 | print_lock = threading.Lock()
 36 | 
 37 | 
 38 | def print_status(ip, message):
 39 |     global print_lock
 40 | 
 41 |     with print_lock:
 42 |         print "[*] [%s] %s" % (ip, message)
 43 | 
 44 | 
 45 | def check_ip(ip):
 46 |     global ssl_negotiation_request, non_ssl_negotiation_request, non_ssl_client_data, ssl_client_data, ping_packet, timeout, verbose
 47 | 
 48 |     # Connect to socket
 49 |     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 50 |     s.settimeout(float(timeout) if timeout else None)
 51 |     host = ip
 52 |     port = 3389
 53 |     s.connect((host, port))
 54 | 
 55 |     # Send/receive negotiation request
 56 |     if verbose:
 57 |         print_status(ip, "Sending negotiation request")
 58 |     s.send(ssl_negotiation_request)
 59 |     negotiation_response = s.recv(1024)
 60 | 
 61 |     # Determine if server has chosen SSL
 62 |     if len(negotiation_response) >= 19 and negotiation_response[11] == "\x02" and negotiation_response[15] == "\x01":
 63 |         if verbose:
 64 |             print_status(ip, "Server chose to use SSL - negotiating SSL connection")
 65 |         sock = ssl.wrap_socket(s)
 66 |         s = sock
 67 | 
 68 |         # Send/receive ssl client data
 69 |         if verbose:
 70 |             print_status(ip, "Sending SSL client data")
 71 |         s.send(ssl_client_data)
 72 |         s.recv(1024)
 73 | 
 74 |     # Server explicitly refused SSL
 75 |     elif len(negotiation_response) >= 19 and negotiation_response[11] == "\x03" and negotiation_response[15] == "\x02":
 76 |         if verbose:
 77 |             print_status(ip, "Server explicitly refused SSL, reconnecting")
 78 | 
 79 |         # Re-connect
 80 |         s.close()
 81 |         s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 82 |         s.settimeout(float(timeout) if timeout else None)
 83 |         s.connect((host, port))
 84 | 
 85 |         # Send/receive non-ssl negotiation request
 86 |         if verbose:
 87 |             print_status(ip, "Sending non-ssl negotiation request")
 88 |         s.send(non_ssl_negotiation_request)
 89 |         s.recv(1024)
 90 | 
 91 |     # Server requires NLA which implant does not support
 92 |     elif len(negotiation_response) >= 19 and negotiation_response[11] == "\x03" and negotiation_response[15] == "\x05":
 93 |         with print_lock:
 94 |             print "[-] [%s] Server requires NLA, which DOUBLEPULSAR does not support" % ip
 95 | 
 96 |         s.close()
 97 |         return
 98 | 
 99 |     # Carry on non-ssl
100 |     else:
101 |         # Send/receive non-ssl client data
102 |         if verbose:
103 |             print_status(ip, "Sending client data")
104 |         s.send(non_ssl_client_data)
105 |         s.recv(1024)
106 | 
107 |     # Send/receive ping
108 |     if verbose:
109 |         print_status(ip, "Sending ping packet")
110 |     s.send(ping_packet)
111 | 
112 |     # Non-infected machines terminate connection, infected send a response
113 |     try:
114 |         ping_response = s.recv(1024)
115 | 
116 |         with print_lock:
117 |             if len(ping_response) == 288:
118 |                 print "[+] [%s] DOUBLEPULSAR RDP IMPLANT DETECTED!!!" % ip
119 |             else:
120 |                 print "[-] [%s] Status Unknown - Response received but length was %d not 288" % (ip, len(ping_response))
121 |         s.close()
122 |     except socket.error as e:
123 |         with print_lock:
124 |             print "[-] [%s] No presence of DOUBLEPULSAR RDP implant" % ip
125 | 
126 | 
127 | def threaded_check(ip_address):
128 |     global semaphore
129 | 
130 |     try:
131 |         check_ip(ip_address)
132 |     except Exception as e:
133 |         with print_lock:
134 |             print "[ERROR] [%s] - %s" % (ip_address, e)
135 |     finally:
136 |         semaphore.release()
137 | 
138 | 
139 | if ip:
140 |     check_ip(ip)
141 | 
142 | elif filename:
143 |     with open(filename, "r") as fp:
144 |         for line in fp:
145 |             semaphore.acquire()
146 |             ip_address = line.strip()
147 |             t = threading.Thread(target=threaded_check, args=(ip_address,))
148 |             t.start()
149 | elif net:
150 |     from netaddr import IPNetwork
151 |     network = IPNetwork(net)
152 |     for addr in network:
153 |         # Skip the network and broadcast addresses
154 |         if ((network.size != 1) and ((addr == network.network) or (addr == network.broadcast))):
155 |             continue
156 |         semaphore.acquire()
157 |         ip_address = str(addr)
158 |         t = threading.Thread(target=threaded_check, args=(ip_address,))
159 |         t.start()
160 | 
161 | 
162 | 


--------------------------------------------------------------------------------
/detect_doublepulsar_smb.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | 
  3 | import binascii
  4 | import socket
  5 | import argparse
  6 | import struct
  7 | import threading
  8 | 
  9 | 
 10 | # Packets
 11 | negotiate_protocol_request = binascii.unhexlify("00000085ff534d4272000000001853c00000000000000000000000000000fffe00004000006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e30000257696e646f777320666f7220576f726b67726f75707320332e316100024c4d312e325830303200024c414e4d414e322e3100024e54204c4d20302e313200")
 12 | session_setup_request = binascii.unhexlify("00000088ff534d4273000000001807c00000000000000000000000000000fffe000040000dff00880004110a000000000000000100000000000000d40000004b000000000000570069006e0064006f007700730020003200300030003000200032003100390035000000570069006e0064006f007700730020003200300030003000200035002e0030000000")
 13 | tree_connect_request = binascii.unhexlify("00000060ff534d4275000000001807c00000000000000000000000000000fffe0008400004ff006000080001003500005c005c003100390032002e003100360038002e003100370035002e003100320038005c00490050004300240000003f3f3f3f3f00")
 14 | trans2_session_setup = binascii.unhexlify("0000004eff534d4232000000001807c00000000000000000000000000008fffe000841000f0c0000000100000000000000a6d9a40000000c00420000004e0001000e000d0000000000000000000000000000")
 15 | 
 16 | # Arguments
 17 | parser = argparse.ArgumentParser(description="Detect present of DOUBLEPULSAR SMB implant\n\nAuthor: Luke Jennings\nWebsite: https://countercept.com\nTwitter: @countercept", formatter_class=argparse.RawTextHelpFormatter)
 18 | group = parser.add_mutually_exclusive_group(required=True)
 19 | group.add_argument('--ip', help='Single IP address to check')
 20 | group.add_argument('--file', help='File containing a list of IP addresses to check')
 21 | group.add_argument('--net', help='Network CIDR to check (requires python netaddr library)')
 22 | parser.add_argument('--timeout', help="Timeout on connection for socket in seconds", default=None)
 23 | parser.add_argument('--verbose', help="Verbose output for checking of commands", action='store_true')
 24 | parser.add_argument('--threads', help="Number of connection threads when checking file of IPs (default 10)", default="10")
 25 | parser.add_argument('--uninstall', help="Uninstall DOUBLEPULSAR if found", action='store_true')
 26 | 
 27 | args = parser.parse_args()
 28 | ip = args.ip
 29 | filename = args.file
 30 | net = args.net
 31 | timeout = args.timeout
 32 | verbose = args.verbose
 33 | num_threads = int(args.threads)
 34 | uninstall = args.uninstall
 35 | semaphore = threading.BoundedSemaphore(value=num_threads)
 36 | print_lock = threading.Lock()
 37 | 
 38 | 
 39 | # https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html
 40 | def calculate_doublepulsar_xor_key(s):
 41 |     x = (2 * s ^ (((s & 0xff00 | (s << 16)) << 8) | (((s >> 16) | s & 0xff0000) >> 8)))
 42 |     x = x & 0xffffffff  # this line was added just to truncate to 32 bits
 43 |     return x
 44 | 
 45 | 
 46 | # The arch is adjacent to the XOR key in the SMB signature
 47 | def calculate_doublepulsar_arch(s):
 48 |     if s & 0xffffffff00000000 == 0:
 49 |         return "x86 (32-bit)"
 50 |     else:
 51 |         return "x64 (64-bit)"
 52 | 
 53 | 
 54 | def print_status(ip, message):
 55 |     global print_lock
 56 | 
 57 |     with print_lock:
 58 |         print "[*] [%s] %s" % (ip, message)
 59 | 
 60 | 
 61 | def check_ip(ip):
 62 |     global negotiate_protocol_request, session_setup_request, tree_connect_request, trans2_session_setup, timeout, verbose
 63 | 
 64 |     # Connect to socket
 65 |     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 66 |     s.settimeout(float(timeout) if timeout else None)
 67 |     host = ip
 68 |     port = 445
 69 |     s.connect((host, port))
 70 | 
 71 |     # Send/receive negotiate protocol request
 72 |     if verbose:
 73 |         print_status(ip, "Sending negotiation protocol request")
 74 |     s.send(negotiate_protocol_request)
 75 |     s.recv(1024)
 76 | 
 77 |     # Send/receive session setup request
 78 |     if verbose:
 79 |         print_status(ip, "Sending session setup request")
 80 |     s.send(session_setup_request)
 81 |     session_setup_response = s.recv(1024)
 82 | 
 83 |     # Extract user ID from session setup response
 84 |     user_id = session_setup_response[32:34]
 85 |     if verbose:
 86 |         print_status(ip, "User ID = %s" % struct.unpack("<H", user_id)[0])
 87 | 
 88 |     # Replace user ID in tree connect request packet
 89 |     modified_tree_connect_request = list(tree_connect_request)
 90 |     modified_tree_connect_request[32] = user_id[0]
 91 |     modified_tree_connect_request[33] = user_id[1]
 92 |     modified_tree_connect_request = "".join(modified_tree_connect_request)
 93 | 
 94 |     # Send tree connect request
 95 |     if verbose:
 96 |         print_status(ip, "Sending tree connect")
 97 |     s.send(modified_tree_connect_request)
 98 |     tree_connect_response = s.recv(1024)
 99 | 
100 |     # Extract tree ID from response
101 |     tree_id = tree_connect_response[28:30]
102 |     if verbose:
103 |         print_status(ip, "Tree ID = %s" % struct.unpack("<H", tree_id)[0])
104 | 
105 |     # Replace tree ID and user ID in trans2 session setup packet
106 |     modified_trans2_session_setup = list(trans2_session_setup)
107 |     modified_trans2_session_setup[28] = tree_id[0]
108 |     modified_trans2_session_setup[29] = tree_id[1]
109 |     modified_trans2_session_setup[32] = user_id[0]
110 |     modified_trans2_session_setup[33] = user_id[1]
111 |     modified_trans2_session_setup = "".join(modified_trans2_session_setup)
112 | 
113 |     # Send trans2 sessions setup request
114 |     if verbose:
115 |         print_status(ip, "Sending trans2 session setup - ping command")
116 |     s.send(modified_trans2_session_setup)
117 |     final_response = s.recv(1024)
118 | 
119 |     # Check for 0x51 response to indicate DOUBLEPULSAR infection
120 |     if final_response[34] == "\x51":
121 |         signature = final_response[18:26]
122 |         signature_long = struct.unpack('<Q', signature)[0]
123 |         key = calculate_doublepulsar_xor_key(signature_long)
124 |         arch = calculate_doublepulsar_arch(signature_long)
125 |         with print_lock:
126 |             print "[+] [%s] DOUBLEPULSAR SMB IMPLANT DETECTED!!! Arch: %s, XOR Key: %s" % (ip, arch, hex(key))
127 | 
128 |         if uninstall:
129 |             # Update MID and op code via timeout
130 |             modified_trans2_session_setup = list(modified_trans2_session_setup)
131 |             modified_trans2_session_setup[34] = "\x42"
132 |             modified_trans2_session_setup[49] = "\x0e"
133 |             modified_trans2_session_setup[50] = "\x69"
134 |             modified_trans2_session_setup[51] = "\x00"
135 |             modified_trans2_session_setup[52] = "\x00"
136 |             modified_trans2_session_setup = "".join(modified_trans2_session_setup)
137 | 
138 |             if verbose:
139 |                 print_status(ip, "Sending trans2 session setup - uninstall/burn command")
140 |             s.send(modified_trans2_session_setup)
141 |             uninstall_response = s.recv(1024)
142 |             if uninstall_response[34] == "\x52":
143 |                 with print_lock:
144 |                     print "[+] [%s] DOUBLEPULSAR uninstall successful" % ip
145 | 
146 |     else:
147 |         with print_lock:
148 |             print "[-] [%s] No presence of DOUBLEPULSAR SMB implant" % ip
149 | 
150 |     s.close()
151 | 
152 | 
153 | def threaded_check(ip_address):
154 |     global semaphore
155 | 
156 |     try:
157 |         check_ip(ip_address)
158 |     except Exception as e:
159 |         with print_lock:
160 |             print "[ERROR] [%s] - %s" % (ip_address, e)
161 |     finally:
162 |         semaphore.release()
163 | 
164 | if ip:
165 |     check_ip(ip)
166 | 
167 | elif filename:
168 |     with open(filename, "r") as fp:
169 |         for line in fp:
170 |             semaphore.acquire()
171 |             ip_address = line.strip()
172 |             t = threading.Thread(target=threaded_check, args=(ip_address,))
173 |             t.start()
174 | 
175 | elif net:
176 |     from netaddr import IPNetwork
177 |     network = IPNetwork(net)
178 |     for addr in network:
179 |         # Skip the network and broadcast addresses
180 |         if (network.size != 1) and ((addr == network.network) or (addr == network.broadcast)):
181 |             continue
182 |         semaphore.acquire()
183 |         ip_address = str(addr)
184 |         t = threading.Thread(target=threaded_check, args=(ip_address,))
185 |         t.start()
186 | 


--------------------------------------------------------------------------------
/doublepulsar_snort_rules.rules:
--------------------------------------------------------------------------------
 1 | # Authors: Jayden Zheng (@fuseyjz) and Wei-Chea Ang (@77_6A)
 2 | # Company: Countercept
 3 | # Website: https://countercept.com
 4 | # Twitter: @countercept
 5 | 
 6 | alert tcp any any -> $HOME_NET 445 (msg:"DOUBLEPULSAR SMB implant - Unimplemented Trans2 Session Setup Subcommand Request"; flow:to_server, established; content:"|FF|SMB|32|"; depth:5; offset:4; content:"|0E 00|"; distance:56; within:2; reference:url,https://twitter.com/countercept/status/853282053323935749; sid:1618009; classtype:attempted-user; rev:1;)
 7 | 
 8 | alert tcp $HOME_NET 445 -> any any (msg:"DOUBLEPULSAR SMB implant - Unimplemented Trans2 Session Setup Subcommand - 81 Response"; flow:to_client, established; content:"|FF|SMB|32|"; depth:5; offset:4; content:"|51 00|"; distance:25; within:2; reference:url,https://twitter.com/countercept/status/853282053323935749; sid:1618008; classtype:attempted-user; rev:1;)
 9 | 
10 | alert tcp $HOME_NET 445 -> any any (msg:"DOUBLEPULSAR SMB implant - Unimplemented Trans2 Session Setup Subcommand - 82 Response"; flow:to_client, established; content:"|FF|SMB|32|"; depth:5; offset:4; content:"|52 00|"; distance:25; within:2; reference:url,https://twitter.com/countercept/status/853282053323935749; sid:1618010; classtype:attempted-user; rev:1;)
11 | 


--------------------------------------------------------------------------------