DOUBLEPULSAR Backdoor Detection with Nessus and PVS

Share and earn Cybytes
Facebook Twitter Google+ LinkedIn Email

Last week many of us in the industry were busy investigating a large cache of weaponized software exploits and payloads released by the ShadowBrokers group. One particular payload that received much attention was the DOUBLEPULSAR implant.

DOUBLEPULSAR is a covert command and control channel that can be used to control a compromised target. While many of the exploits that were released by the Shadow Brokers dump allow attackers to compromise a target, DOUBLEPULSAR can be used to maintain control of that compromised target in a covert manner. Attackers communicate with compromised targets using the Transaction 2 Subcommand Extension SMB feature, a feature that has not officially been used in SMB so far. If a system is compromised, an attacker can gather sensitive data, execute commands, or use the system to launch attacks against other systems in your network.

Systems that are compromised by DOUBLEPULSAR will respond to a trans2 SESSION_SETUP with a Not Implemented message that contains a Multiplex ID of 81 while a system that is not compromised will respond with the same message and a Multiplex ID of 65.


DOUBLEPULSAR can be identified by both Nessus® and PVS™. Tenable customers can use Nessus plugin ID 99439 to actively scan their networks for any hosts that are compromised.


In addition to actively scanning for DOUBLEPULSAR, PVS customers can leverage Plugin 700059 to listen for connections to compromised targets.


SecurityCenter® users can quickly identify all hosts compromised by DOUBLEPULSAR by leveraging the Shadow Brokers Vulnerability Detection dashboard. This dashboard was updated to include DOUBLEPULSAR, please re-download the dashboard to get the updated matrix.


The presence of DOUBLEPULSAR is not just a potential vulnerability on a system in your network. It means that the target is compromised and can be potentially used to exfiltrate highly sensitive data or run arbitrary commands on the system. There have been reports of scripts actively scanning the internet looking for the existence of this backdoor. By using Nessus and PVS, you can identify any compromised hosts and cut off access.

Many thanks to Andrew Orr and Ian Parker for their contributions to this blog.

Share this post and earn Cybytes
Facebook Twitter Google+ LinkedIn Email
About Tenable
Tenable™, Inc. is the Cyber Exposure company. Over 24,000 organizations of all sizes around the globe rely on Tenable to manage and measure their modern attack surface to accurately understand and reduce cyber risk. As the creator of Nessus®, Tenable built its platform from the ground up to deeply understand assets, networks and vulnerabilities, extending this knowledge and expertise into™ to deliver the world’s first platform to provide live visibility into any asset on any computing platform. Tenable customers include over 50 percent of the Fortune 500, large government agencies and organizations across the private and public sectors. Learn more at
Promoted Content
Five Steps to Building a Successful Vulnerability Management Program
Is your vulnerability management program struggling? Despite proven technology solutions and the best efforts of IT teams, unresolved vulnerabilities remain an ongoing source of friction and frustration in many organizations. Regardless of how many vulnerabilities are fixed, there will always be vulnerabilities that can’t easily be remediated – and too often, finger-pointing between IT teams and business groups can ensue.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?