Files
Anthropic-Cybersecurity-Skills/skills/exploiting-ms17-010-eternalblue-vulnerability/SKILL.md
T
mukul975 cb8d79e068 Map all 754 skills to MITRE ATT&CK v19.1
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
  techniques), verified against MITRE ATT&CK v19.1 via the official
  mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
  threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
  Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
  Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
  family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
  stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
2026-06-01 12:13:29 +02:00

3.6 KiB

name, description, domain, subdomain, tags, version, author, license, d3fend_techniques, nist_csf, mitre_attack
name description domain subdomain tags version author license d3fend_techniques nist_csf mitre_attack
exploiting-ms17-010-eternalblue-vulnerability MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it cybersecurity red-teaming
red-team
adversary-simulation
mitre-attack
exploitation
post-exploitation
eternalblue
smb
remote-code-execution
1.0 mahipal Apache-2.0
Application Protocol Command Analysis
Network Isolation
Network Traffic Analysis
Client-server Payload Profiling
Platform Monitoring
ID.RA-01
GV.OV-02
DE.AE-07
T1595
T1190
T1059
T1078

Exploiting MS17-010 EternalBlue Vulnerability

Overview

MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it was used in the WannaCry and NotPetya ransomware campaigns. Despite patches being available since March 2017, many organizations still have unpatched systems, making it a viable red team exploitation vector especially in legacy environments.

When to Use

  • When performing authorized security testing that involves exploiting ms17 010 eternalblue vulnerability
  • When analyzing malware samples or attack artifacts in a controlled environment
  • When conducting red team exercises or penetration testing engagements
  • When building detection capabilities based on offensive technique understanding

Prerequisites

  • Familiarity with red teaming concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

MITRE ATT&CK Mapping

  • T1210 - Exploitation of Remote Services
  • T1190 - Exploit Public-Facing Application
  • T1569.002 - System Services: Service Execution

Workflow

Phase 1: Vulnerability Scanning

  1. Scan target networks for SMB port 445
  2. Check for SMBv1 protocol support
  3. Run MS17-010 vulnerability check (Nmap NSE script or Metasploit auxiliary)
  4. Document vulnerable systems with OS version and patch level

Phase 2: Exploitation

  1. Select appropriate exploit variant based on target OS
  2. Configure exploit payload (Meterpreter, Cobalt Strike beacon, custom shellcode)
  3. Execute exploit against confirmed vulnerable target
  4. Verify code execution and establish session

Phase 3: Post-Exploitation

  1. Establish persistence on compromised system
  2. Dump credentials from memory
  3. Use compromised host as pivot point
  4. Document exploitation evidence

Tools and Resources

Tool Purpose
Nmap ms-17-010 NSE scripts Vulnerability detection
Metasploit ms17_010_eternalblue Exploitation module
Metasploit ms17_010_psexec Alternative exploitation
AutoBlue-MS17-010 Standalone Python exploit
CrackMapExec Mass SMB vulnerability scanning

Detection Indicators

  • IDS/IPS signatures for EternalBlue exploit traffic
  • SMBv1 negotiation from unusual source hosts
  • Event ID 7045: New service installation after exploitation
  • Anomalous named pipe activity on SMB
  • Large SMB write requests characteristic of buffer overflow

Validation Criteria

  • Vulnerable systems identified via scanning
  • Exploitation achieved on authorized target
  • Code execution confirmed with session established
  • Post-exploitation activities documented
  • Remediation recommendations provided