Back to Intelligence

MS17-010 & EternalBlue: A Defensive Retrospective on the WannaCry Ransomware Outbreak

SA
Security Arsenal Team
May 13, 2026
6 min read

Introduction

In May 2017, the cybersecurity landscape shifted irrevocably when the WannaCry ransomware cryptoworm began propagating across the globe. Exploiting a critical vulnerability in the Microsoft Server Message Block (SMB) protocol, the attack paralyzed healthcare systems, logistics networks, and government agencies. The incident was not merely a criminal extortion attempt; it was a demonstration of how weaponized exploits—leaked from nation-state stockpiles—could leverage unpatched legacy systems to cause infrastructure-wide disruption. For defenders today, WannaCry remains a stark case study in the importance of patch hygiene, network segmentation, and the aggressive retirement of obsolete protocols like SMBv1.

Technical Analysis

Affected Products, Versions, and Platforms: The primary vector for WannaCry was the Windows SMBv1 server. The vulnerability affected a wide range of operating systems, including Windows 7, Windows Server 2008 R2, and Windows 8.1. While Windows 10 and Server 2016 were technically vulnerable, their automatic update mechanisms and default configurations reduced the attack surface significantly compared to legacy endpoints.

CVE Identifiers and CVSS Scores: The root cause of the outbreak is CVE-2017-0144 (commonly known as "EternalBlue"), part of the security bulletin MS17-010. This vulnerability carries a CVSS score of 9.8 (Critical), allowing for unauthenticated, remote code execution (RCE) via specially crafted packets sent to port 445.

How the Vulnerability Works: EternalBlue exploits a buffer overflow vulnerability in the SMBv1 protocol. Specifically, it targets the way the srv!SrvOs2FeaListSizeToNt function handles malformed packets. By sending a crafted packet, an attacker can overflow a buffer in the kernel memory, allowing them to execute arbitrary code with SYSTEM-level privileges.

Attack Chain:

  1. Reconnaissance: The worm scans internal and external networks for TCP port 445 open.
  2. Exploitation: If a vulnerable SMBv1 port is found, the EternalBlue payload is delivered to execute a remote shell (DoublePulsar backdoor).
  3. Payload Execution: The backdoor downloads and executes tasksche.exe (the ransomware component) and @WanaDecryptor@.exe.
  4. Propagation: The malware uses the same SMB vulnerability or PsExec-like functionality to spread laterally to adjacent unpatched hosts, encrypting files and locking users out.

Exploitation Status: This vulnerability is extensively documented, with reliable public exploits available. It is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Active exploitation persists today in "zombie" networks targeting unpatched legacy servers, particularly in operational technology (OT) and healthcare environments.

Detection & Response

WannaCry has distinct behavioral and network signatures. The following detection rules and hunts are designed to identify either the presence of the malware or the conditions that allow it to propagate (unpatched SMBv1).

SIGMA Rules

YAML
---
title: Potential WannaCry Infection - tasksche.exe Execution
id: 3a2f2b3c-1d4e-5f6a-7b8c-9d0e1f2a3b4c
status: experimental
description: Detects the execution of tasksche.exe, a specific process name used by the WannaCry ransomware to establish persistence and perform encryption.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2024/05/12
tags:
  - attack.execution
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\tasksche.exe'
    ParentImage|endswith:
      - '\services.exe'
      - '\svchost.exe'
  condition: selection
falsepositives:
  - Legitimate tasksche.exe (unlikely, as this is not a standard Windows binary)
level: critical
---
title: SMBv1 Driver or Service Installation
id: 8b4c3d2e-1f5a-6e7d-8c9b-0a1e2f3d4c5b
status: experimental
description: Detects attempts to enable the legacy SMBv1 protocol (mrxsmb10.sys), which is required for the EternalBlue exploit to function.
references:
  - https://attack.mitre.org/techniques/T1543/
author: Security Arsenal
date: 2024/05/12
tags:
  - attack.persistence
  - attack.t1543.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - 'sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi'
      - 'sc.exe config mrxsmb10 start= auto'
      - 'dism /online /enable-feature /featurename:SMB1Protocol'
  condition: selection
falsepositives:
  - Legitimate legacy application requirements requiring administrative intervention
level: medium
---
title: WannaCry Kill Switch Domain Check
id: 9d5e4f3a-2b6c-7d8e-0f1a-2b3c4d5e6f7a
status: experimental
description: Detects DNS queries for the WannaCry kill switch domain (iuqerfsodp9ifwaposijfhgurjfihdf.com). This indicates a compromised host attempting to check if it should propagate.
references:
  - https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2024/05/12
tags:
  - attack.command_and_control
  - attack.t1071.004
logsource:
  category: dns_query
  product: windows
detection:
  selection:
    QueryName|contains:
      - 'iuqerfsodp9ifwaposijfhgurjfdf.com'
      - 'ifferfsodp9ifwaposijfhgurjfdf.com'
  condition: selection
falsepositives:
  - Security research (unlikely in production)
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for WannaCry indicators: Process creation and Network Connections
// Process: Look for tasksche.exe execution
let ProcessHunt = DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "tasksche.exe"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, FolderPath, SHA256;
// Network: Look for Kill Switch domain or SMB traffic to non-standard internal subnets
let NetworkHunt = DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has "iuqerfsodp9ifwaposijfhgurjfihdf" 
   or (RemotePort == 445 and ActionType == "ConnectionSuccess")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, LocalPort, ActionType;
// Combine results
union ProcessHunt, NetworkHunt
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for WannaCry artifacts on endpoints
-- 1. Check for the ransomware note in common directories
-- 2. Check for the malicious tasksche.exe binary
-- 3. Check registry for SMB1 status (Vulnerable if enabled)

LET RansomwareNotes = SELECT FullPath FROM glob(globs='\\*\\@WanaDecryptor@.exe')
WHERE FullPath =~ '(C:\\Users\\.|C:\\Windows\\|C:\\ProgramData\\)';

LET MaliciousBinary = SELECT FullPath FROM glob(globs='\\*\\tasksche.exe')
WHERE FullPath =~ '(C:\\Windows\\|C:\\ProgramData\\)';

SELECT 
  RansomwareNotes.FullPath AS RansomFile,
  MaliciousBinary.FullPath AS SuspectBinary,
  read_reg_key(path="HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters", key="SMB1") AS SMB1_Enabled
FROM scope()
GROUP BY RansomFile, SuspectBinary, SMB1_Enabled

Remediation Script (PowerShell)

PowerShell
# Remediation Script for WannaCry / MS17-010
# 1. Disables SMBv1 (the protocol required for EternalBlue)
# 2. Stops the specific WannaCry services if they exist

Write-Host "Starting MS17-010 / WannaCry Hardening Script..." -ForegroundColor Cyan

# Disable SMBv1 Protocol (Server)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Write-Host "[+] SMBv1 Server Configuration disabled." -ForegroundColor Green

# Disable SMBv1 Protocol (Client Workstation)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation" -Name "DependOnService" -Value @("Bowser","MRxSmb20","NSI")
Write-Host "[+] SMBv1 Client Configuration disabled." -ForegroundColor Green

# Stop and delete services created by WannaCry (tasksche.exe)
$svc = Get-Service -Name "mssmsq" -ErrorAction SilentlyContinue
if ($svc) {
    Stop-Service -Name "mssmsq" -Force
    sc.exe delete "mssmsq"
    Write-Host "[+] Removed WannaCry persistence service 'mssmsq'." -ForegroundColor Green
}

Write-Host "Remediation complete. Please verify MS17-010 is installed via Windows Update." -ForegroundColor Cyan

Remediation

To neutralize the threat posed by WannaCry and similar SMB-based worms, organizations must adopt a defense-in-depth approach:

  1. Patch Management: Ensure MS17-010 is deployed across all endpoints. For End-of-Life (EOL) systems like Windows XP or Server 2003, utilize the "Emergency Security Patches" released by Microsoft in 2017, or aggressively isolate these systems.
  2. Protocol Hardening: Disable SMBv1 across the entire environment. It is a deprecated protocol with high security risks. Use the PowerShell script provided above or Group Policy to enforce this setting.
  3. Network Segmentation: Block TCP port 445 at the network perimeter firewall. It should never be exposed to the internet. Internally, segment critical networks to restrict SMB lateral movement between Trust Zones.
  4. Vendor Advisory: Review the official Microsoft Security Bulletin MS17-010 for specific patch details applicable to your operating system versions.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirwannacryms17-010eternalblue

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action