EternalGlue part two: A rebuilt NotPetya gets its first execution outside of the lab

In June 2017, we were asked by a client to rebuild NotPetya from scratch.

Instead of the data destruction payload, they asked for telemetry and safeguards. Why? Because they wanted to measure what the impact of NotPetya would have been.

Since part one of this story (which you can read here), we've completed the first phase of live testing in a secure environment deployed by our client.

It has been a marathon, not a sprint

By the time we emerged from testing the code and the associated safeguards in December 2017, we had already been working with our customer in the lab for a number of months.

This slow and steady approach has ensured everything works as intended and the quality of telemetry is sufficient to answer the client's questions.

Christmas comes early: EternalGlue's first outing

On 7 December, EternalGlue got its first outing on the customer's engineering network i.e. live but not corporate.

The result? More data than one could have imagined and interesting insights as to propagation in live environments.

The headlines were from phase one of the experiment were:

  • The customer ran it on one machine in their engineering network with no privileges.
  • It found three machines unpatched.
  • It exploited those three machines to obtain kernel level access.
  • It infected those three machines.
  • Within ten minutes it had gone through the entire engineering network using recovered/stolen credentials.
  • It then took the domain about two minutes later.
  • 107 hosts were owned in roughly 45 minutes before the client initiated the kill and remove switch.

Compromise visualisation

Due to the telemetry data collected, it facilitated the opportunity to visualise the propagation paths and methods through the network.

While obfuscating the details, the propagation map in this instance looked like this:

Which is somewhat beautiful.

Next steps

We are currently adjusting some of the exploit payloads due to them being detected by our customer's anti-virus.

EternalGlue will then be deployed into production.

Need a research-led solution?

If you need a specialist team to deliver a research-led solution, email

Published date:  15 February 2018

Written by:  Ollie Whitehouse

comments powered by Disqus

Filter By Service

Filter By Date