28 Jun. 2017

EternalRomance vs Internet Security Suites and nextgen protections

By Zoltan Balazs, @zh4ckJuly 10, 2018|  Endpoint Protection Testing, Nextgen Protection Testing

This blog post is an auxiliary post to our Eternalblue test. If you have not read that, please read it, and go back when it is done.

So here we are again, with #NotPetya. According to Microsoft, #NotPetya spreads via 4 ways.

  1. MeDoc auto update (initial infection)
  2. EternalBlue exploit
  3. EternalRomance exploit
  4. Credential stealing (multiple methods)

This post will only focus on EternalRomance. To refer to the EternalBlue infection vector, check our previous post.

To protect against credential stealing, you should either use latest Windows where lsass runs as a protected process. Or use different local admin passwords on different machines. But this second method only won’t help with RDP credentials left in memory.

To protect against MeDoc auto update, remove MeDoc.  ;-p

Now, let’s go back to EternalRomance, shall we? This post will be updated as I have more time to test. At the moment, I can confirm the followings to protect against EternalRomance:

  1. Eset Smart Security blocks the EternalRomance exploit
  2. HitmanPro.Alert blocks any payloads started from DoublePulsar
  3. Kaspersky Internet Security blocks the DoublePulsar install
  4. Symantec Endpoint Protection blocks the network access to the DP backdoor
  5. SentinelOne blocks any payloads started from DoublePulsar (Meterpreter, Peddlecheap tested)

ESET blocking the exploit

HitmanPro.Alert blocking the payload

Kaspersky blocking DP install

Symantec blocking access to DP

SentinelOne blocking the payload insert

Regarding EternalRomance, this exploit is not as sexy as EternalBlue when it comes to supported OS versions like Windows 7. In Windows 7 (and later), by default, Anonymous SMB connections can’t access named pipes. And this exploit needs access to a named pipe. So either the system is misconfigured to allow anonymous access to named pipes, or the attacker has credentials to the system.


In our last post, we mentioned how Cylance is not protecting against EternalBlue. In this post, we would like to mention that we can confirm that CylanceProtect really can detect and stop the #NotPetya malware payload without any recent updates. And this is nice.

Also, other nextgen vendors blocked the #NotPetya payload on the first minute, like Crowdstrike or Endgame. Which is also nice.

This is a bit offtopic, but if you would like to see #NotPetya spreading through credential reuse, here it is fresh out from our lab: