CVE-2017-0147
Published 2017-03-17
Priority P1 · score 90 · high · CVSS 3.1: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: KEV · ITW · Exploit · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-06-14
Exploited in the wild
EPSS: 99.69% (99.9th percentile)
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via crafted packets, aka "Windows SMB Information Disclosure Vulnerability."
Affected
28 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| microsoft_corporation | windows_smb | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
| siemens | acuson_p300_firmware | — | — |
| siemens | acuson_p300_firmware | — | — |
| siemens | acuson_p300_firmware | — | — |
| siemens | acuson_p300_firmware | — | — |
| siemens | acuson_p500_firmware | — | — |
| siemens | acuson_p500_firmware | — | — |
| siemens | acuson_sc2000_firmware | — | — |
| siemens | acuson_sc2000_firmware | >= 4.0 < 4.0e | 4.0e |
| siemens | acuson_x700_firmware | — | — |
Detection & IOCs (extracted from sources)
XOR key (bytes): 0x24db007a
- Detect Petya/NotPetya lateral movement via SMB: look for TRANS2 SESSION_SETUP request packets carrying the Petya DLL payload in 4096-byte chunks, XOR-encoded with key 0x24db007a.
- Detect Bad Rabbit dropper execution: monitor for rundll32 loading infpub.dat from C:\Windows and for the creation of dispci.exe in C:\Windows.
- Block or alert on execution of c:\windows\infpub.dat and C:\Windows\cscc.dat, as recommended by Kaspersky.
- CVE-2017-0147 (EternalChampion/EternalRomance SMBv1 information disclosure) accounted for 26.7% of all exploitation attempts in the cited 2H 2024 telemetry; prioritize detection of SMBv1 exploitation attempts against legacy Windows systems.
- The Necro Python bot carries an EternalRomance (CVE-2017-0147) exploit; detect Python-based SMB exploitation attempts and monitor for PyInstaller-generated PE files scanning TCP port 445.
- Detect the credential-stealing DLL dropped to %TEMP% and executed via rundll32 in Petya/NotPetya attacks; the tool resembles Mimikatz.
- Detect PsExec use for remote execution of the Petya payload with stolen credentials; this runs alongside the SMB exploitation of CVE-2017-0147 that the malware uses for lateral movement.
- Bad Rabbit uses EternalRomance (CVE-2017-0147) only for lateral movement within corporate networks after the initial drive-by infection; the initial infection vector does NOT use this exploit.
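The first IOC above (XOR-encoded DLL chunks inside TRANS2 SESSION_SETUP requests) as a worked detection. This is an added example written for this page, not code from any of the cited vendors: it parses the standard 15-word SMBv1 TRANS2 request layout, collects the data segments of SESSION_SETUP subcommands in arrival order, decodes with the 0x24db007a key, and only alerts when the result carries an MZ stub and a PE signature. The subcommand code 0x000E, the byte order of the key on the wire (both orders are tried), and every function name are assumptions; the sample traffic and the "DLL" are constructed, not a real Petya capture.

```python
"""Added example: spot Petya/NotPetya DLL chunks (XOR key 0x24db007a, 4096-byte pieces)
carried in SMBv1 TRANS2 SESSION_SETUP requests, and confirm the decoded blob is a PE."""
import struct

SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E  # MS-CIFS subcommand code; the IOC names only the subcommand (assumption)
PETYA_XOR_KEY = 0x24db007a     # from the IOC; its byte order on the wire is not stated, so both are tried
CHUNK = 4096                   # 4096 % 4 == 0, so per-chunk and whole-blob XOR decoding agree


def trans2_request(subcommand, data, tid=1, uid=1):
    """Minimal SMBv1 TRANS2 request carrying `data`; used here only to construct sample traffic."""
    header = (b"\xffSMB" + struct.pack("<BIBHH", SMB_COM_TRANSACTION2, 0, 0x18, 0xc807, 0)
              + b"\x00" * 8 + struct.pack("<HHHHH", 0, tid, 0xfeff, uid, 1))
    data_offset = 32 + 1 + 30 + 2 + 1  # header, word count, 15 words, byte count, one pad byte
    words = struct.pack("<HHHHBBHIHHHHHBBH", 0, len(data), 0, 0xffff, 0, 0, 0, 0, 0,
                        0, data_offset, len(data), data_offset, 1, 0, subcommand)
    return header + b"\x0f" + words + struct.pack("<H", 1 + len(data)) + b"\x00" + data


def trans2_payload(smb):
    """(subcommand, data) of a TRANS2 request with the standard 15-word layout, else None."""
    if len(smb) < 65 or smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_TRANSACTION2 or smb[32] != 15:
        return None
    f = struct.unpack_from("<HHHHBBHIHHHHHBBH", smb, 33)
    data_count, data_offset, subcommand = f[11], f[12], f[15]
    return subcommand, smb[data_offset:data_offset + data_count]


def xor_decode(buf, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def is_pe(buf):
    """MZ stub plus 'PE\\0\\0' at e_lfanew: cheap, and random XOR output will not pass both."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3c)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def detect_xored_dll(smb_requests):
    """Gather SESSION_SETUP data in arrival order, require full 4096-byte chunks except the
    last, then decode with each key byte order and report the one that yields a PE image."""
    chunks = [p[1] for p in map(trans2_payload, smb_requests)
              if p and p[0] == TRANS2_SESSION_SETUP]
    if not chunks or any(len(c) != CHUNK for c in chunks[:-1]):
        return None
    blob = b"".join(chunks)
    for order in ("little", "big"):
        if is_pe(xor_decode(blob, PETYA_XOR_KEY.to_bytes(4, order))):
            return {"key_order": order, "chunks": len(chunks), "size": len(blob)}
    return None


def fake_dll(size=2 * CHUNK + 100):
    """Constructed stand-in for the payload: a PE skeleton, not a real Petya sample."""
    img = bytearray(size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3c, 0x80)
    img[0x80:0x84] = b"PE\x00\x00"
    return bytes(img)


def sample_traffic(order="little"):
    """Constructed capture: the fake DLL XOR-encoded and split into 4096-byte TRANS2 requests."""
    enc = xor_decode(fake_dll(), PETYA_XOR_KEY.to_bytes(4, order))
    return [trans2_request(TRANS2_SESSION_SETUP, enc[i:i + CHUNK]) for i in range(0, len(enc), CHUNK)]


if __name__ == "__main__":
    print(detect_xored_dll(sample_traffic()))
```

In a sensor you would feed `detect_xored_dll` the SMB bodies of one TCP session (after stripping the 4-byte NetBIOS framing) rather than a pre-sorted list; the PE check is what keeps a 4-byte XOR key from producing false positives on ordinary SESSION_SETUP traffic.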
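The host-side IOCs in the same list (rundll32 loading infpub.dat, dispci.exe written to C:\Windows, the cscc.dat/infpub.dat execution block, the %TEMP% credential stealer run through rundll32, PsExec remote execution) as detection rules run over sample process-creation and file-creation events. This is an added example, not a vendor's rule set: the events are constructed in a Sysmon-like shape (EventID 1 and 11, fields Image, CommandLine, TargetFilename), the user name and temp-file name are invented, and the PsExec rule assumes the default PSEXESVC.exe service binary name.

```python
"""Added example: host-side rules for the Bad Rabbit / Petya behaviours listed above, run over
constructed Sysmon-style events (EventID 1 = process creation, 11 = file creation)."""
import re

# (rule name, Sysmon EventID, pattern, event field the pattern is tested against)
RULES = [
    # Bad Rabbit: rundll32 (or anything else) executing the dropped .dat files from C:\Windows
    ("badrabbit_dat_exec", 1, re.compile(r"c:\\windows\\(infpub|cscc)\.dat", re.I), "CommandLine"),
    # Bad Rabbit: dispci.exe written into C:\Windows
    ("badrabbit_dispci_drop", 11, re.compile(r"^c:\\windows\\dispci\.exe$", re.I), "TargetFilename"),
    # Petya/NotPetya: rundll32 loading a module from a Temp directory (the Mimikatz-like stealer)
    ("petya_temp_module_rundll32", 1,
     re.compile(r"rundll32(\.exe)?\s+.*\\temp\\[^\s]+\.(dll|tmp)", re.I), "CommandLine"),
    # PsExec remote execution: the service binary PsExec installs on the target (assumed default name)
    ("psexec_service_exec", 1, re.compile(r"\\psexesvc\.exe$", re.I), "Image"),
]

# Constructed events, not real telemetry; file names follow the IOCs, user and temp names are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\infpub.dat,#1 15"},
    {"EventID": 11, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"C:\Windows\dispci.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\C3A9.tmp,#1"},
    {"EventID": 1, "Image": r"C:\Windows\PSEXESVC.exe", "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",  # benign control-panel launch
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]


def match_events(events, rules=RULES):
    """Return (rule name, event) for every rule that fires; an event may trigger several rules."""
    hits = []
    for ev in events:
        for name, event_id, pattern, field in rules:
            if ev.get("EventID") == event_id and pattern.search(ev.get(field, "")):
                hits.append((name, ev))
    return hits


def fired_rules(events=SAMPLE_EVENTS):
    return [name for name, _ in match_events(events)]


if __name__ == "__main__":
    for name, ev in match_events(SAMPLE_EVENTS):
        print(name, "<-", ev.get("CommandLine") or ev.get("TargetFilename"))
```

The Temp-directory rule is deliberately broader than the Petya stealer alone; on a real estate it needs an allow-list for installers that legitimately stage DLLs in %TEMP%, which is why it is kept separate from the Bad Rabbit rules that key on fixed file names.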
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| vulncheck | — | 7.5 | HIGH | — |
| cisa | — | 7.5 | HIGH | — |
| vendor_msrc | — | 8.1 | HIGH | — |
GHSA
GHSA-xh7q-7r6g-64g2 (ghsa_unreviewed · 2022-05-14)
CVE-2017-0147 [MEDIUM] CWE-200
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to obtain sensitive information from process memory via crafted packets, aka "Windows SMB Information Disclosure Vulnerability."
VulnCheck
Microsoft Windows SMBv1 Information Disclosure Vulnerability
vulncheck · 2017 · CVSS 7.5 · CVE-2017-0147 [HIGH] CWE-200
The SMBv1 server in Microsoft Windows allows remote attackers to obtain sensitive information from process memory via a crafted packet.
Affected: Microsoft SMBv1
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://support.kaspersky.com/shadowbrokers; https://digital.nhs.uk/cyber-alerts/2017/cc-1353; https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_WannaCry_Ransomware_S508C.pdf; https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a9c54f79-d780-437b-a7f5-a74960e299d5&Comm
CISA
Microsoft Windows SMBv1 Information Disclosure Vulnerability
cisa · 2022-05-24 · CVSS 7.5 · CVE-2017-0147 [HIGH] CWE-200
Affected: Microsoft SMBv1 server
The SMBv1 server in Microsoft Windows allows remote attackers to obtain sensitive information from process memory via a crafted packet.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-0147
Remediation Due Date: 2022-06-14
Microsoft
Windows SMB Information Disclosure Vulnerability
vendor_msrc · 2017-03-14 · CVSS 8.1 · CVE-2017-0147 [HIGH]
Description: An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server.
To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.
The security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.
Product: Windows SMB Server
Vendor: Microsoft
Customer Action Required: Yes
Impact: Information Disclosure
Exploit Status (as published 2017-03-14): Publicly Disclosed: No; Exploited: No; Latest Soft
No detection rules found.
Exploit-DB
DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)
exploitdb · 2019-10-02 · tagged CVE-2017-0148
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',
      'Description' => %q{
        This module executes a Metasploit payload against the Equation Group's
        DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.
        While this module primarily performs code execution against the implant,
        the "Neutralize implant" target allows you to disable the implant.
      },
      'Author' => [
        'Equation Group', # DOUBLEPULSAR implant
        'Shadow Brokers', # Equation Group dump
        'zerosum0x0',     # DOPU analysis and detection
        'Luke Jennings',  # DOPU analysis and detection
        'wvu',            # Metasploit modul
```
Exploit-DB
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)
exploitdb · 2018-02-05 · tagged CVE-2017-0147
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Windows XP systems that are not part of a domain default to treating all
# network logons as if they were Guest. This prevents SMB relay attacks from
# gaining administrative access to these systems. This setting can be found
# under:
#
#   Local Security Settings >
#     Local Policies >
#       Security Options >
#         Network Access: Sharing and security model for local accounts

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution',
      'Description' => %q{
        This module will exploit
```
Exploit-DB
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)
exploitdb · 2017-05-10 · tagged CVE-2017-0148
---
```python
# Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com
# Date and time of release: May 9, 2017 - 13:00
# Found this and more exploits on my open source security project: http://www.exploitpack.com
#
# MS17-010 - https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
# Tested on: Microsoft Windows Server 2008 R2 SP1 Standard x64
#
# Description: SMBv1 Srv!SrvOs2FeaToNt is prone to remote code execution because
# srv.sys fails to bounds-check the user-supplied FEA list: Srv!SrvOs2FeaListSizeToNt
# miscalculates the converted list size, so the copy in SrvOs2FeaToNt runs out of
# bounds. The vulnerability trigger point is as follows:
#
# Vu
```
Exploit-DB
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)
exploitdb · 2017-04-17 · tagged CVE-2017-0147
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# auxiliary/scanner/smb/smb_ms_17_010
require 'msf/core'

class MetasploitModule < Msf::Auxiliary
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'MS17-010 SMB RCE Detection',
      'Description' => %q{
        Uses information disclosure to determine if MS17-010 has been patched or not.
        Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0.
        If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does
        not have the MS17-010 patch.
        This module does not require valid SMB credentials in default server
        configurations. It can log on as the user "\" and connect to IPC$.
      },
      'Author' => [ 'Sean Dillon ' ],
      'Referenc
```
Metasploit
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
metasploit
This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with a mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that the overflow is well laid out to overwrite an SMBv1 buffer. The actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original, may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool-down period before the shells rain in again. The module will attempt to use Anonymous logi
Metasploit
MS17-010 SMB RCE Detection
metasploit
Uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does not have the MS17-010 patch. If the machine is missing the MS17-010 patch, the module will check for an existing DoublePulsar (ring 0 shellcode/malware) infection. This module does not require valid SMB credentials in default server configurations. It can log on as the user "\" and connect to IPC$.
Metasploit
MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
metasploit
This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with an Administrator session. From there, the normal psexec command execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.
Metasploit
MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
metasploit
This module will exploit SMB with vulnerabilities in MS17-010 to achieve a write-what-where primitive. This will then be used to overwrite the connection session information with an Administrator session. From there, the normal psexec payload code execution is done. Exploits a type confusion between Transaction and WriteAndX requests and a race condition in Transaction requests, as seen in the EternalRomance, EternalChampion, and EternalSynergy exploits. This exploit chain is more reliable than the EternalBlue exploit, but requires a named pipe.
Metasploit
SMB DOUBLEPULSAR Remote Code Execution
metasploit
This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the "Neutralize implant" target allows you to disable the implant.
Fortinet
Key Takeaways from the 2025 Global Threat Landscape Report | FortiGuard Labs
blogs_fortinet · 2025-04-28
By Douglas Jose Pereira dos Santos | April 28, 2025
In 2024, the FortiGuard Labs team observed a decisive shift in the threat landscape: attackers are compressing the time between reconnaissance and compromise, and the window for defenders to respond is narrowing to days, sometimes hours.
The 2025 Global Threat Landscape Report draws on telemetry from Fortinet's global sensor network and threat intelligence from FortiGuard Labs to deliver a clear message: the adversary advantage is accelerating. And unless organizations change how they measure and manage risk, the gap will continue to widen.
2025 Global Threat Landscape Report
Use this r
Qualys
Emotet Re-emerges with Help from TrickBot
blogs_qualys · 2022-01-06
## Table of Contents
- Background Information about TrickBot
- Background Information about Emotet
- Latest Findings for Emotet
- Vulnerabilities Associated with TrickBot
- Detection & Mitigation of an Emotet Attack
Emotet has recently reemerged after being taken down less than a year ago by global law enforcement as coordinated by Europol and Eurojust. The takedown was achieved after law enforcement compromised a command-and-control system and then pushed a specially crafted update to Emotet agents that leveraged the botnet to remove itself.
Now Emotet is being resurrected with the help of TrickBot. BleepingComputer.com published two reports documenting this resurgence through both phishing campaigns and a fake Adobe Windows Installer.
## Background Information about TrickBot
Talos
Necro Python bot adds new exploits and Tezos mining to its bag of tricks
blogs_talos · 2021-06-03
By Vanja Svajcer, with contributions from Caitlin Huey and Kendall McKay.
### News summary
- Some malware families stay static in terms of their functionality. But a newly discovered malware campaign utilizing the Necro Python bot shows this actor is adding new functionality and improving its chances of infecting vulnerable systems. The bot contains exploits for more than 10 different web applications and the SMB protocol.
- Cisco Talos recently discovered the increased activity of the bot discovered in January 2021 in Cisco Secure Endpoint product telemetry, although the bot has been in development since 2015, according to its author.
- This threat demonstrates several techniques of the MITRE ATT&CK framework, most notably Exploit Public-Facing Application T1190, Scripting - T1064, Powe
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42 · 2021-04-12 · CVSS 7.5 · tagged CVE-2020-28188 [HIGH]
Authors: Lei Xu, Yue Guan, Vaibhav Singhal. Published April 12, 2021.
## Executive Summary
Unit 42 researchers analyzed network attack trends over winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, emerged and were continuously being exploited in the wild from late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a deep dive into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Securelist
Bad Rabbit ransomware
blogs_securelist · 2017-10-24
Authors: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov
UPDATE 27.10.2017. Decryption opportunity assessment. File recovery possibility. Verdicts
### What happened?
On October 24th we observed notifications of mass attacks with ransomware called Bad Rabbit. It has been targeting organizations and consumers, mostly in Russia, but there have also been reports of victims in Ukraine. Here's what a ransom message looks like for the unlucky victims:
### What is Bad Rabbit?
Bad Rabbit is a previously unknown ransomware family.
### How is Bad Rabbit distributed?
The ransomware dropper was distributed with the help of drive-by attacks. While the target is visiting a legitimate website, a malware dropper is downloaded from the threat actor's infrastructure. No exploits were used, so th
[Figure: runtime flags initialization routine]
The full list of embedded hashes of process names:
| Hash | Process name |
|---|---|
| 0x4A241C3E | dwwatcher.exe |
| 0x923CA517 | McTray.exe |
| 0x966D0415 | dwarkdaemon.exe |
| 0xAA331620 | dwservice.exe |
| 0xC8F10976 | mfevtps.exe |
| 0xE2517A14 | dwengine.exe |
| 0xE5A05A00 | mcshield.exe |
The partitions on the victim's disks are encrypted with th
Checkpoint
2017-7-10 Global Cyber Attack Reports
blogs_checkpoint · 2017-07-10 · tagged CVE-2017-3544
## 2017-7-10 Global Cyber Attack Reports
TOP ATTACKS AND BREACHES
Security researchers have found an unsecured Amazon S3 server belonging to World Wrestling Entertainment (WWE), which led to the possible exposure of sensitive data of over 3 million registered users. The researchers also found a second database that included statistical marketing data.
The South Korean cryptocurrency exchange Bithumb has suffered a security breach in which threat actors managed to steal sensitive information of the f
Checkpoint
BROKERS IN THE SHADOWS – Part 2: Analyzing Petya's DoublePulsarV2.0 Backdoor
blogs_checkpoint · 2017-07-03 · tagged CVE-2017-0144
## BROKERS IN THE SHADOWS – Part 2: Analyzing Petya's DoublePulsarV2.0 Backdoor
## Background
In the wake of WannaCry, a new cyber threat has emerged from the NSA leak. Making use of previo
Checkpoint
Threat Brief: Petya Ransomware, A Global Attack
blogs_checkpoint · 2017-06-27 · tagged CVE-2017-0147
## Threat Brief: Petya Ransomware, A Global Attack
A worldwide attack erupted on June 27 with a high concentration of hits in Ukraine – including the Ukrainian central bank, government office
Checkpoint
BROKERS IN THE SHADOWS: Analyzing vulnerabilities and attacks spawned by the leaked NSA hacking tools
blogs_checkpoint · 2017-05-25 · tagged CVE-2017-0144
## BROKERS IN THE SHADOWS: Analyzing vulnerabilities and attacks spawned by the leaked NSA hacking tools
Background
Rarely does the release of an exploit have such a large impact across the
Checkpoint
Global Outbreak of WannaCry
blogs_checkpoint · 2017-05-12 · CVSS 8.8 · tagged CVE-2017-0143 [HIGH]
## Global Outbreak of WannaCry
[Updated May 17, 2017]
On May 12, 2017 the Check Point Incident Response Team started tracking a widespread outbreak of the WannaCry ransomware. We have rep
Sentinelone
SentinelOne Detects Shadow Broker Binaries with Static AI
blogs_sentinelone · 2017-04-21 · CVSS 8.8 [HIGH]
Waves of panic were sent through the cybersecurity community as suspected NSA spying tools were released by the Shadow Brokers group. What appeared to be potentially one of the most damaging releases of nation-state tools and zero-day exploits was quickly neutralized. Microsoft came forward to announce that although the files contained about 20 different Windows-based exploits, previous patches to supported products rendered the attacks ineffective.
## Behind the Leak: The Shadow Brokers Coming to Light
Shadow Brokers, the group behind the leak, garnered attention back in August for releasing hacking tools for routers and firewall products that were supposedly from a leading, possibly NSA-based cyberespionage team called Equation Group. Since then, security experts have suspected that the hack
Qualys
The Shadow Brokers Release Zero Day Exploit Tools | Qualys
blogs_qualys · 2017-04-15 · CVSS 8.8 [HIGH]
On Friday, a hacker group known as The Shadow Brokers publicly released a large number of functional exploit tools. Several of these tools make use of zero-day vulnerabilities, most of which are in Microsoft Windows. Exploiting these vulnerabilities in many cases leads to remote code execution and full system access.
Both end-of-support and current Windows versions are impacted, including Windows 2003, XP, Vista, 7, 2008, 8, and 2012. Microsoft has released patches for each vulnerability across all supported platforms, but will not be releasing patches for end-of-support versions of Windows. It is highly recommended that any end-of-support Windows systems be replaced or isolated, as these systems will often be impacted by new vulnerabilities without the availability of a patch.
For zero
Recorded Future
What Is WannaCry? Analyzing the Global Ransomware Attack
blogs_recorded_future
### Key Takeaways
- WannaCry ransomware is a new variant of WanaCypt0r, which uses the ETERNALBLUE SMBv1 exploit to infect connected systems.
- Over 100 countries were affected by the ransomware.
- Three Bitcoin wallets are associated with the WannaCry 2.0 ransomware, which have received almost $26,000 in transfers since the beginning of the latest infection, a small sum considering the scope of damage.
- As of this posting, no money appears to have been moved from the Bitcoin wallets.
- Criminals behind WannaCry piggybacked on publicly dumped Equation Group exploits in an attempt to abuse free tools for easy money.
- We believe the criminals behind WannaCry didn't intend for such a widespread attack, nor did they possess the expertise
arXiv
AVScan2Vec: Feature Learning on Antivirus Scan Data for Production-Scale Malware Corpora
arxiv_fulltext·2023-06-09
CCS concepts: Computing methodologies → Feature selection; Security and privacy → Malware and its mitigation
Keywords: Malware, Antivirus, Feature Learning
## Abstract
When investigating a malicious file, searching for related files is a common task that malware analysts must perform. Given that production malware corpora may contain over a billion files and consume petabytes of storage, many feature extraction and similarity search approaches are computationally infeasible. Our work explores the potential of antivirus (AV) scan data as a
arXiv
Evaluating the Performance of Twitter-based Exploit Detectors
arxiv_fulltext·2020-11-05
## Abstract
Patch prioritization is a crucial aspect of information systems security, and knowledge of which vulnerabilities were exploited in the wild is a powerful tool to help systems administrators accomplish this task. The analysis of social media for this specific application can enhance the results and bring more agility by collecting data from online discussions and applying machine learning techniques to detect real-world exploits. In this paper, we use a technique that combines Twitter data with public database information to classify vulnerabilities as exploited or not-exploited. We analyze the behavior of different classifying algorithms, investigate the influence of different antivirus data as ground truth, and experiment with various time window
CTF
17. Using the Metasploit-Framework / Using the Metasploit-Framework
ctf_writeups
# Using the Metasploit-Framework
Tags: #🧑🎓
Related to: [[metasploit framework]]
See also:
Previous: [[HTB Academy]]
![[logo_using_the_metasploit_framework.png]]
The Metasploit Framework is an open-source set of tools used for network enumeration, attacks, testing security vulnerabilities, evading detection, performing privilege escalation attacks, and performing post-exploitation.
### Cheatsheet
#### MSFconsole Commands
| **Command** | **Description** |
| :--------------- | :----------------------------------------------------------- |
| `show exploits` | Show all exploits within the Framework. |
| `show payloads` | Show all payloads within the Framework. |
| `show auxiliary` | Show all auxiliary modules within the Framework. |
| `search ` | Search for exploits or modules within the
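The cheatsheet commands above can also be driven non-interactively from a resource script, which is how you would run the check for this CVE's patch state across a range of hosts. This is an added example, not code from the writeup or from the Metasploit project; it assumes the stock module path `auxiliary/scanner/smb/smb_ms17_010` for the non-intrusive MS17-010 check (MS17-010 is the bulletin that fixes CVE-2017-0147), and the helper names `build_ms17_010_rc` and `run_ms17_010_check` are this example's own.

```shell
#!/bin/sh
# Added example, not from the writeup: drive msfconsole from a resource
# script instead of typing the cheatsheet commands interactively.
# Assumption: the MS17-010 check lives at auxiliary/scanner/smb/smb_ms17_010
# (the module name in stock Metasploit). RHOSTS is whatever msfconsole
# accepts there: a single host, a CIDR range, or file:/path/to/hosts.

# Print a resource script that searches for MS17-010 modules (the
# cheatsheet's `search`), loads the non-intrusive checker, points it at
# RHOSTS, runs it and exits. Refuses to build a script with no targets.
build_ms17_010_rc() {
    rhosts="$1"
    if [ -z "$rhosts" ]; then
        echo "build_ms17_010_rc: RHOSTS required" >&2
        return 1
    fi
    printf '%s\n' \
        'search ms17_010' \
        'use auxiliary/scanner/smb/smb_ms17_010' \
        "set RHOSTS $rhosts" \
        'set THREADS 8' \
        'run' \
        'exit'
}

# Write the script to a temp file and hand it to msfconsole with -q (no
# banner) and -r (resource file). If msfconsole is not on PATH, show the
# script so it can be pasted into an interactive session instead.
run_ms17_010_check() {
    rc_file="$(mktemp)" || return 1
    build_ms17_010_rc "$1" > "$rc_file" || return 1
    if command -v msfconsole >/dev/null 2>&1; then
        msfconsole -q -r "$rc_file"
    else
        echo "msfconsole not on PATH; resource script is in $rc_file:" >&2
        cat "$rc_file"
    fi
}

# Usage: sh this_script.sh 10.0.0.0/24
if [ "$#" -gt 0 ]; then
    run_ms17_010_check "$1"
fi
```

The `run` line calls the module's check logic only; it does not load an exploit module, so this is safe to point at production hosts during triage. Adjust THREADS to what the network and the Metasploit host can bear.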
References
- http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html
- http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html
- http://www.securityfocus.com/bid/96709
- http://www.securitytracker.com/id/1037991
- https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147
- https://www.exploit-db.com/exploits/41891/
- https://www.exploit-db.com/exploits/41987/
- https://www.exploit-db.com/exploits/43970/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0147
Published: 2017-03-17
Added to CISA KEV: 2022-05-24
Exploited in the wild