Palo Alto Alert Details
Alert ID: PAN-EXPLOIT-1210-7842 Alert Time: 2024-02-25 16:30:45 EST Severity: CRITICAL (95/100) Source: Palo Alto Networks Threat Prevention Rule: “EternalBlue Exploit Attempt (MS17-010) Detected” MITRE ATT&CK: T1210 – Exploitation of Remote Services
Alert Details:
Detection: EternalBlue (MS17-010) exploit attempt against internal host
Threat ID: 38852 (EternalBlue SMB Exploit) Source IP: 192.168.45.78 (ENG-WS-045 – Engineering) Destination IP: 192.168.10.20 (FILE-SRV-02 – File Server) Destination Port: 445 (SMB) Time: 16:25-16:30 EST Action: BLOCKED (IPS)
Exploit Details:
Vulnerability: CVE-2017-0144 (EternalBlue)
CVSS: 9.3 (Critical)
Affected: SMBv1 protocol
Attempts: 12 in 5 seconds
Payload: Shellcode attempting to execute meterpreter reverse shell
Additional Context:
Source host ENG-WS-045 had been flagged earlier for suspicious activity
Destination FILE-SRV-02 is unpatched? (MS17-010 patch missing)
Exploit blocked by IPS; no compromise
Threat Intelligence:
EternalBlue used by ransomware (WannaCry, NotPetya)
Indicates attacker attempting lateral movement
SOC Investigation Process
Step
Action
Tools Used
Findings
1. Alert Validation
Verify Palo Alto alert
Panorama Logs
Confirmed EternalBlue exploit attempt
2. Source Investigation
Check ENG-WS-045
CrowdStrike Falcon
Host has Cobalt Strike beacon (compromised)
3. Immediate Action
Isolate source host
CrowdStrike
ENG-WS-045 quarantined
4. Destination Check
Verify FILE-SRV-02 patch status
SCCM, Nessus
FILE-SRV-02 MISSING MS17-010 patch
5. Patch Destination
Apply emergency patch
SCCM
MS17-010 installed on FILE-SRV-02
6. Threat Hunting
Check for other exploit attempts
Palo Alto, Splunk
No other EternalBlue attempts found
Jira Incident Report
Ticket: SOC-2024-129 Summary: T1210 – EternalBlue Exploit Attempt from Compromised Engineering Host Status: RESOLVED Resolution: MALICIOUS – Exploit Blocked Priority: P1 – CRITICAL Labels: T1210, exploitation, remote-services, eternalblue, palo-alto, lateral-movement Components: Network-Security, Vulnerability-Management
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Palo Alto Networks Threat Prevention.
Alert: “EternalBlue Exploit Attempt (MS17-010) Detected”.
Source: 192.168.45.78 (ENG-WS-045 – Engineering Workstation).
Destination: 192.168.10.20 (FILE-SRV-02 – File Server).
Time: 2024-02-25 16:30 EST.
Technique: MITRE ATT&CK T1210 – Exploitation of Remote Services.
2. Technical Analysis:
Attack Chain:
15:30 – ENG-WS-045 compromised via phishing (Cobalt Strike)
16:00 – Attacker performs internal reconnaissance
16:25 – Attacker launches EternalBlue exploit against file server
16:25-16:30 – 12 exploit attempts
16:30 – Palo Alto IPS blocks and alerts
Exploit Details:
Vulnerability: MS17-010 (EternalBlue)
Target: SMBv1 service on FILE-SRV-02
Payload: Meterpreter reverse shell to attacker C2
Status: Blocked by IPS; no compromise
Source Host Analysis (ENG-WS-045):
Cobalt Strike beacon detected (CrowdStrike alert)
Attacker had full control
Used as pivot for lateral movement
Isolated after detection
Destination Host Status:
FILE-SRV-02 was MISSING MS17-010 patch
Vulnerable to EternalBlue
Exploit would have succeeded if not blocked
3. Investigation Findings:
Timeline:
15:30 – ENG-WS-045 compromised
16:00-16:25 – Reconnaissance
16:25-16:30 – Exploit attempts
16:30 – Palo Alto alert
16:32 – SOC investigates
16:33 – ENG-WS-045 isolated
16:35 – FILE-SRV-02 patched
Indicators of Compromise (IoCs):
Network:
– Source: 192.168.45.78 (compromised)
– Destination: 192.168.10.20
– Exploit signature: EternalBlue (MS17-010)
Host:
– ENG-WS-045: Cobalt Strike beacon (SHA256: b2c3d4e5…)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Blocked any further traffic from source.
Applied MS17-010 patch to FILE-SRV-02 (emergency).
Verified patch installed.
Source Remediation:
Full forensic analysis of ENG-WS-045.
Cobalt Strike beacon removed.
Host reimaged.
Enterprise-Wide Actions:
Scanned all servers for MS17-010 patch status.
Found 3 additional servers missing patch; patched.
5. Root Cause Analysis:
Primary Cause: Compromised engineering workstation used to launch lateral movement.
Contributing Factors:
File server unpatched (MS17-010 missing).
SMBv1 enabled (should be disabled).
No network segmentation limiting SMB traffic.
6. Business Impact:
Operational Impact: File server offline for 30 minutes (patching).
Security Impact: Exploit blocked; no compromise.
7. Remediation & Prevention:
Completed Actions:
Exploit blocked.
Source isolated.
Destination patched.
Enterprise-wide patch scan.
Technical Controls Enhanced:
Disabled SMBv1 enterprise-wide via GPO.
Implemented network segmentation to limit lateral movement.
Enhanced IPS signatures.
Regular vulnerability scanning enforced.
8. Conclusion:
An attacker used a compromised engineering workstation to attempt EternalBlue exploitation against an unpatched file server. Palo Alto IPS blocked the exploit, preventing lateral movement. The source host was isolated, and the destination was patched.
Closure Rationale: Exploit blocked; source isolated; destination patched.
Analyst: [Walter White], SOC Analyst Date: 2024-02-25 17:30 EST