The detection rule identifies potential execution of Doublepulsar, a known NSA-developed backdoor, which may indicate adversarial compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to advanced persistent threats leveraging this sophisticated malware.
KQL Query

```kusto
//DoublePulsar execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA1 == "be855cd1bfc1e1446a3390c693f29e2a3007c04e" or
    (ProcessCommandLine contains "targetport" and ProcessCommandLine contains "targetip" and
    (ProcessCommandLine contains "payload" or ProcessCommandLine contains "verifybackdoor"))
```
```yaml
id: 10a17179-d143-476d-80cd-c5a6cca66d59
name: detect-doublepulsar-execution
description: |
  This query was originally published in the threat analytics report, Motivated miners.
  Doublepulsar is a backdoor developed by the National Security Agency (NSA). First disclosed in 2017, it is now used by many malicious actors. Software patches are available.
  The following query detects possible DoublePulsar execution events.
  See Detect web server exploitation by DoublePulsar for a query that detects behaviors associated with campaigns that use DoublePulsar.
  References:
  https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/DoublePulsar&threatId=-2147239036
  https://www.scmagazine.com/home/security-news/cybercrime/doublepulsar-malware-spreading-rapidly-in-the-wild-following-shadow-brokers-dump/
  https://support.microsoft.com/help/4013389/title
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  //DoublePulsar execution
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where SHA1 == "be855cd1bfc1e1446a3390c693f29e2a3007c04e" or
      (ProcessCommandLine contains "targetport" and ProcessCommandLine contains "targetip" and
      (ProcessCommandLine contains "payload" or ProcessCommandLine contains "verifybackdoor"))
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
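To make the query's logic concrete, the following added example (not part of the original rule or of Microsoft's code) re-implements its `where` predicate in Python and runs it over a handful of constructed DeviceProcessEvents-like records. It mirrors the three parts of the rule: the seven-day lookback, the SHA1 match, and the command-line token combination (both `targetport` and `targetip`, plus one of `payload` or `verifybackdoor`), using case-insensitive comparison because KQL `contains` is case-insensitive. It also shows how a file-name allow-list composes with the rule, the way a tuning `where FileName !in~ (...)` clause would. The device names, timestamps, command lines and the all-zero hash are constructed sample values; only the DoublePulsar SHA1 comes from the query above.

```python
from datetime import datetime, timedelta, timezone

# SHA1 from the query on this page.
DOUBLEPULSAR_SHA1 = "be855cd1bfc1e1446a3390c693f29e2a3007c04e"

# KQL `contains` is case-insensitive, so every string test below runs on lowercased values.
REQUIRED_TOKENS = ("targetport", "targetip")    # both must appear in the command line
ANY_OF_TOKENS = ("payload", "verifybackdoor")   # at least one must appear


def matches_rule(event: dict) -> bool:
    """Evaluate the query's `where` predicate on one DeviceProcessEvents-like record."""
    if (event.get("SHA1") or "").lower() == DOUBLEPULSAR_SHA1:
        return True
    cmd = (event.get("ProcessCommandLine") or "").lower()
    return all(tok in cmd for tok in REQUIRED_TOKENS) and any(tok in cmd for tok in ANY_OF_TOKENS)


def in_lookback(event: dict, now: datetime, days: int = 7) -> bool:
    """Mirror `Timestamp > ago(7d)`; Timestamp is an ISO 8601 string with an explicit offset."""
    return datetime.fromisoformat(event["Timestamp"]) > now - timedelta(days=days)


def hunt(events, now: datetime, excluded_filenames=()) -> list:
    """Run the rule over records, dropping any FileName on a tuning allow-list (case-insensitive, like KQL `in~`)."""
    excluded = {name.lower() for name in excluded_filenames}
    return [
        e for e in events
        if in_lookback(e, now)
        and (e.get("FileName") or "").lower() not in excluded
        and matches_rule(e)
    ]


# Constructed sample telemetry (not real events); NOW fixes the lookback window for reproducibility.
NOW = datetime(2024, 5, 10, 12, 0, 0, tzinfo=timezone.utc)
FAKE_SHA1 = "0" * 40
SAMPLE_EVENTS = [
    # benign: no hash match, no tokens
    {"Timestamp": "2024-05-09T08:00:00+00:00", "DeviceName": "ws01", "FileName": "svchost.exe",
     "SHA1": FAKE_SHA1, "ProcessCommandLine": "svchost.exe -k netsvcs"},
    # hit on the SHA1 branch regardless of command line
    {"Timestamp": "2024-05-09T09:00:00+00:00", "DeviceName": "ws02", "FileName": "svchost.exe",
     "SHA1": DOUBLEPULSAR_SHA1, "ProcessCommandLine": "svchost.exe -k netsvcs"},
    # hit on the command-line branch; mixed case exercises the case-insensitive match
    {"Timestamp": "2024-05-09T10:00:00+00:00", "DeviceName": "ws03", "FileName": "tool.exe",
     "SHA1": FAKE_SHA1, "ProcessCommandLine": "tool.exe --TargetIP 10.0.0.5 --TargetPort 445 --VerifyBackdoor"},
    # no hit: "targetport" is missing, so the required-token test fails
    {"Timestamp": "2024-05-09T11:00:00+00:00", "DeviceName": "ws04", "FileName": "tool.exe",
     "SHA1": FAKE_SHA1, "ProcessCommandLine": "tool.exe --targetip 10.0.0.5 --payload stage2.bin"},
    # no hit: would match, but the event is older than the 7-day lookback
    {"Timestamp": "2024-04-20T08:00:00+00:00", "DeviceName": "ws05", "FileName": "tool.exe",
     "SHA1": FAKE_SHA1, "ProcessCommandLine": "tool.exe --targetip 10.0.0.7 --targetport 445 --payload x"},
    # hit unless "scanner.exe" is placed on the tuning allow-list
    {"Timestamp": "2024-05-10T07:00:00+00:00", "DeviceName": "ws06", "FileName": "scanner.exe",
     "SHA1": FAKE_SHA1, "ProcessCommandLine": "scanner.exe --targetip 10.0.0.9 --targetport 445 --payload x"},
]


def hit_devices(events, now: datetime, excluded_filenames=()) -> list:
    """Convenience wrapper returning just the DeviceName of each hit, in input order."""
    return [e["DeviceName"] for e in hunt(events, now, excluded_filenames)]


if __name__ == "__main__":
    print("hits:", hit_devices(SAMPLE_EVENTS, NOW))
    print("hits with scanner.exe excluded:", hit_devices(SAMPLE_EVENTS, NOW, ("scanner.exe",)))
```

Run as a script it lists `ws02`, `ws03` and `ws06` as hits, and only `ws02` and `ws03` once `scanner.exe` is excluded. The allow-list is applied before the predicate, which is the same effect as appending a `where FileName !in~ (...)` line to the query; keep such exclusions narrow, since the SHA1 branch of the rule should not normally be suppressed by a file name.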
Scenario: Legitimate Microsoft Windows Update Installation
Description: The rule may fire during a legitimate Windows Update or system patching process.
Filter/Exclusion: Check the FileName and ProcessCommandLine fields for wuauclt.exe or msiexec.exe and exclude processes associated with Windows Update.
Example Filter (appended to the query): `| where FileName !in~ ("wuauclt.exe", "msiexec.exe")`
Scenario: Scheduled System Maintenance Task
Description: A scheduled task running a legitimate maintenance script (e.g., via schtasks.exe) may trigger the rule because of similar execution patterns.
Filter/Exclusion: Exclude known system maintenance tasks, such as those registered in Task Scheduler or with names like Cleanup or Disk Defragmenter.
Example Filter (appended to the query): `| where not (FileName =~ "schtasks.exe" and ProcessCommandLine has_any ("Cleanup", "Disk Defragmenter"))`
Scenario: Admin Performing Remote Desktop Services (RDP) Session Management
Description: An administrator using tools such as mstsc.exe or tscon.exe to manage RDP sessions may produce activity that resembles Doublepulsar behavior.
Filter/Exclusion: Exclude processes related to RDP session management by checking the process name and command line for RDP-related commands, or by checking the user context (e.g., domain\administrator).
Example Filter (appended to the query): `| where FileName !in~ ("mstsc.exe", "tscon.exe") and not (AccountDomain =~ "domain" and AccountName =~ "administrator")`
Scenario: Legitimate Software Deployment via SCCM or MDT
Description: Software deployment tools like ccmexec.exe (System Center Configuration Manager) or setup.exe (Microsoft Deployment Toolkit) may trigger the