How to Detect EternalBlue Exploitation
Yara-X + PacketSmith
Introduction
On February 05, 2026, we released version 5 of PacketSmith, featuring a new detection module that seamlessly integrates Yara-X with most of the protocols supported by PacketSmith. To demonstrate the capabilities of these new features, we published a sneak-peek article focusing on the detection of DNS tunnelling in Denis’s Backdoor. In the accompanying documentation, we provide more sophisticated and non-trivial examples that showcase the powerful interplay between PacketSmith and Yara-X's native pattern matching capabilities. For instance, we explain how to detect attempted exploitation of CVE-2024-38063, which involves checking the IPv6 extensions.
In this article, we provide another example, showcasing how to detect the famous EternalBlue exploitation vector (CVE-2017-0144).
Detection Logic
A custom Yara-X rule that uses the pattern identifiers (objects) tcp, flow and port can be written along the following lines to detect the anomalous condition where the Data Displacement word value is greater than the Total Data Count word value.
rule smb_memory_corruption_vuln_cve_2017_0144_v3
{
    meta:
        description = "CVE-2017-0144"
        tags = "shadowbroker, eternalblue"
        filter = "Frames (frames:)"
        reference = "https://nvd.nist.gov/vuln/detail/cve-2017-0144"
        author = "Netomize"
        date = "12/02/2026"

    strings:
        // SMB Command: Trans2 Secondary (0x33)
        $smb_trans2 = { ff 53 4d 42 33 00 00 00 00 }

    condition:
        tcp.is_set and flow.to_server and (port.dst == 445 or port.dst == 139)
        and
        with smb_pkt = tcp.data.offset + 4:
        (
            // early exit
            $smb_trans2 at smb_pkt
            and
            with total_data_count = uint16(smb_pkt + 9 + 26),
                 data_displacement = uint16(smb_pkt + 9 + 38):
            (
                data_displacement > total_data_count
            )
        )
}
The first line of the condition should be self-explanatory: tcp.is_set and flow.to_server and (port.dst == 445 or port.dst == 139). Since we are using the frames filter, which evaluates every packet, it is advisable to include the Boolean expression tcp.is_set to ensure that we are dealing with a TCP packet at all.
The aliased smb_pkt offset (smb_pkt = tcp.data.offset + 4) skips the first 4 bytes of the TCP payload, which are the NetBIOS Session Service header. With the expression $smb_trans2 at smb_pkt, the rule checks for the SMBv1 server component "SMB" with the command Trans2 Secondary (0x33), followed by an NT Status equal to Status_Success (0x00000000). This is an atomic early-exit signal, so all other SMB packets are filtered out as early as possible.
What follows is the actual detection logic for the vulnerability: the two words are read with uint16 (little-endian, as SMB encodes them) at fixed offsets inside the Trans2 Secondary request, and the rule fires when data_displacement > total_data_count.
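To make the offsets in the rule concrete, here is an added Python re-implementation of the same check (not part of the original article or of PacketSmith): it skips the NetBIOS header, applies the early-exit match on magic, command and NT Status, then reads TotalDataCount at SMB offset 35 (9 + 26) and DataDisplacement at offset 47 (9 + 38). The build_trans2_secondary helper is a constructed test fixture, not a captured packet, and the client-to-server direction is assumed to be given by the caller via the destination port.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2_SECONDARY = 0x33
NETBIOS_HDR_LEN = 4   # NetBIOS Session Service header skipped by smb_pkt
SMB_HDR_LEN = 32      # fixed SMBv1 header; WordCount byte follows at offset 32
# Offsets relative to the SMB header start, mirroring uint16(smb_pkt + 9 + 26)
# and uint16(smb_pkt + 9 + 38) in the Yara-X rule
OFF_TOTAL_DATA_COUNT = 9 + 26    # 35
OFF_DATA_DISPLACEMENT = 9 + 38   # 47


def detect_cve_2017_0144(tcp_payload: bytes, dst_port: int) -> bool:
    """True when a client->server TCP payload carries a Trans2 Secondary
    request whose DataDisplacement exceeds TotalDataCount."""
    if dst_port not in (445, 139):
        return False
    smb = tcp_payload[NETBIOS_HDR_LEN:]
    # Early exit: "\xffSMB", command 0x33, NT Status 0x00000000 (9 bytes)
    early_exit = SMB_MAGIC + bytes([SMB_COM_TRANSACTION2_SECONDARY]) + b"\x00" * 4
    if len(smb) < OFF_DATA_DISPLACEMENT + 2 or smb[:9] != early_exit:
        return False
    total_data_count = struct.unpack_from("<H", smb, OFF_TOTAL_DATA_COUNT)[0]
    data_displacement = struct.unpack_from("<H", smb, OFF_DATA_DISPLACEMENT)[0]
    return data_displacement > total_data_count


def build_trans2_secondary(total_data_count: int, data_displacement: int) -> bytes:
    """Constructed fixture: NetBIOS header + SMB header + Trans2 Secondary words.
    All fields not relevant to the check are zeroed (hypothetical values)."""
    smb_hdr = SMB_MAGIC + bytes([SMB_COM_TRANSACTION2_SECONDARY]) + b"\x00" * 4
    smb_hdr += b"\x18" + b"\x07\xc8"                     # Flags, Flags2
    smb_hdr += b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2   # PIDHigh, Signature, Reserved
    smb_hdr += b"\x00" * 8                               # TID, PID, UID, MID
    words = struct.pack(
        "<BHHHHHHHHH",
        9,                  # WordCount
        0,                  # TotalParameterCount
        total_data_count,   # TotalDataCount  (offset 35)
        0, 0, 0,            # ParameterCount, ParameterOffset, ParameterDisplacement
        0, 0,               # DataCount, DataOffset
        data_displacement,  # DataDisplacement (offset 47)
        0,                  # FID
    )
    smb = smb_hdr + words + b"\x00\x00"                  # ByteCount = 0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb   # NetBIOS session message
```

Feeding the anomalous fixture (DataDisplacement greater than TotalDataCount) to detect_cve_2017_0144 returns True, while a well-formed request or any non-SMB port returns False.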
Take the pcap (eternalblue-success-unpatched-win7.pcap) as an example.
Running the above Yara-X rule against the linked pcap with PacketSmith and saving the result as an XML Workbook produces the file yara_dte_2026_02_12_12_34_06.xml (use MS Excel to view it) with all the detections:
PacketSmith.exe -i eternalblue-success-unpatched-win7.pcap -D yara:xml -F frames: -O .
Conclusion
In conclusion, detecting EternalBlue exploitation requires a deep understanding of network protocols and the ability to analyze packet data effectively. By leveraging the capabilities of PacketSmith and Yara-X, security professionals can create custom rules to identify anomalies indicative of this exploit. The integration of these tools allows for precise detection by focusing on specific patterns and behaviours within network traffic, such as the SMBv1 protocol's data displacement issue.
Author: Mohamad Mokbel
First release: February 12, 2026