Exploiting MS17-010 EternalBlue Vulnerability
Overview
MS17-010 (EternalBlue) is a critical vulnerability in Microsoft's SMBv1 implementation that allows remote code execution. Originally discovered by the NSA and leaked by the Shadow Brokers in 2017, it was used in the WannaCry and NotPetya ransomware campaigns. Despite patches being available since March 2017, many organizations still have unpatched systems, making it a viable red team exploitation vector especially in legacy environments.
MITRE ATT&CK Mapping
- T1210 - Exploitation of Remote Services
- T1190 - Exploit Public-Facing Application
- T1569.002 - System Services: Service Execution
Implementation Steps
Phase 1: Vulnerability Scanning
- Scan target networks for SMB port 445
- Check for SMBv1 protocol support
- Run MS17-010 vulnerability check (Nmap NSE script or Metasploit auxiliary)
- Document vulnerable systems with OS version and patch level
Phase 2: Exploitation
- Select appropriate exploit variant based on target OS
- Configure exploit payload (Meterpreter, Cobalt Strike beacon, custom shellcode)
- Execute exploit against confirmed vulnerable target
- Verify code execution and establish session
Phase 3: Post-Exploitation
- Establish persistence on compromised system
- Dump credentials from memory
- Use compromised host as pivot point
- Document exploitation evidence
Tools and Resources
| Tool | Purpose |
|---|---|
| Nmap ms-17-010 NSE scripts | Vulnerability detection |
| Metasploit ms17_010_eternalblue | Exploitation module |
| Metasploit ms17_010_psexec | Alternative exploitation |
| AutoBlue-MS17-010 | Standalone Python exploit |
| CrackMapExec | Mass SMB vulnerability scanning |
Detection Indicators
- IDS/IPS signatures for EternalBlue exploit traffic
- SMBv1 negotiation from unusual source hosts
- Event ID 7045: New service installation after exploitation
- Anomalous named pipe activity on SMB
- Large SMB write requests characteristic of buffer overflow
Validation Criteria
- [ ] Vulnerable systems identified via scanning
- [ ] Exploitation achieved on authorized target
- [ ] Code execution confirmed with session established
- [ ] Post-exploitation activities documented
- [ ] Remediation recommendations provided
Compliance Framework Mapping
This skill supports compliance evidence collection across multiple frameworks:
- SOC 2: CC4.1 (Monitoring & Evaluation), CC7.1 (Monitoring)
- ISO 27001: A.14.2 (Secure Development), A.18.2 (Information Security Reviews)
- NIST 800-53: CA-8 (Penetration Testing), RA-5 (Vulnerability Scanning)
- NIST CSF: ID.RA (Risk Assessment), PR.IP (Information Protection)
Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.
Deploying This Skill with Claw GRC
Agent Execution
Register this skill with your Claw GRC agent for automated execution:
# Install via CLI
npx claw-grc skills add exploiting-ms17-010-eternalblue-vulnerability
# Or load dynamically via MCP
grc.load_skill("exploiting-ms17-010-eternalblue-vulnerability")Audit Trail Integration
When executed through Claw GRC, every step of this skill generates tamper-evident audit records:
- SHA-256 chain hashing ensures no step can be modified after execution
- Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
- Trust score impact — successful execution increases your agent's trust score
Continuous Compliance
Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.