Executive Risk Summary
"The SMBv1 server in Microsoft Windows is vulnerable to a remote information disclosure vulnerability, allowing attackers to obtain sensitive information from process memory via crafted packets. This vulnerability can be exploited by remote attackers to gain access to sensitive information, potentially leading to further exploitation."
Anticipated Attack Path
- 1. Initial Exploitation: Attacker sends crafted packets to the SMBv1 server
- 2. Information Disclosure: Attacker obtains sensitive information from process memory
- 3. Post-Exploitation: Attacker potentially uses obtained information for further exploitation
Am I Vulnerable?
- Verify if SMBv1 is enabled on the system
- Check for any suspicious network activity related to SMBv1
- Apply the recommended patch to mitigate the vulnerability
Operational Audit Arsenal
Target Type Service
Target Asset srvsvc
Standard Path Windows Registry: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer
PowerShell
# 🛠️ Senior Engineer Universal Audit
# Target: srvsvc (Service)
$Targets = 'srvsvc'
$SearchPaths = @("$env:windir\System32", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")
Get-ChildItem -Path $SearchPaths -Include $Targets -Recurse -ErrorAction SilentlyContinue |
Select-Object FullName, @{Name="Version";Expression={$_.VersionInfo.ProductVersion}}Patch Impact Forecast
Reboot Required Likely
Potential disruption to file and printer sharing services
Internal Work Notes
CVE-2017-0147: Windows SMB Information Disclosure Vulnerability - Apply patch and verify SMBv1 is disabled
Technical Intelligence & Operational Utilities • Delivered Weekly
Intelligence Sources
Official Advisoryhttp://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html
Official Advisoryhttp://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html
Official Advisoryhttp://www.securityfocus.com/bid/96709
Official Advisoryhttp://www.securitytracker.com/id/1037991
Official Advisoryhttps://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf
Official Advisoryhttps://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf
Official Advisoryhttps://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
MSRC Advisoryhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147
Official Advisoryhttps://www.exploit-db.com/exploits/41891/
Official Advisoryhttps://www.exploit-db.com/exploits/41987/
Official Advisoryhttps://www.exploit-db.com/exploits/43970/
Official Advisoryhttp://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html
Official Advisoryhttp://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html
Official Advisoryhttp://www.securityfocus.com/bid/96709
Official Advisoryhttp://www.securitytracker.com/id/1037991
Official Advisoryhttps://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf
Official Advisoryhttps://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf
Official Advisoryhttps://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
MSRC Advisoryhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147
Official Advisoryhttps://www.exploit-db.com/exploits/41891/
Official Advisoryhttps://www.exploit-db.com/exploits/41987/
Official Advisoryhttps://www.exploit-db.com/exploits/43970/
Official Advisoryhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0147
Related Microsoft Threats
Data compiled from NVD, MSRC, and CISA KEV Catalog. Intelligence synthesized via AI. Scripts provided for diagnostic purposes under MIT License.