SMB Server DOUBLEPULSAR Backdoor / Implant Detection (EternalRocks)

This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.

Synopsis :

A backdoor exists on the remote Windows host.

Description :

Nessus detected the presence of DOUBLEPULSAR on the remote Windows
host. DOUBLEPULSAR is one of multiple Equation Group SMB implants and
backdoors disclosed on 2017/04/14 by a group known as the Shadow
Brokers. The implant allows an unauthenticated, remote attacker to use
SMB as a covert channel to exfiltrate data, launch remote commands, or
execute arbitrary code.

EternalRocks is a worm that propagates by utilizing DOUBLEPULSAR.

Solution :

Remove the DOUBLEPULSAR backdoor / implant and disable SMBv1.

Risk factor :

Critical / CVSS Base Score : 10.0
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 99439