MS15-002 Detection

MS15-002 was one of the more interesting patches this month. As such, we spent quite a bit of time on it. But alas, it appears as though a pretty thorough analysis has already been posted at WooYun (http://drops.wooyun.org/papers/4621) which mostly aligns with our analysis of the issue. We believe this issue to be difficult to exploit but pretty easy to detect. Our (ugly) internal detection script can be grabbed from here for anyone who might find it useful: http://pastebin.com/aTxca42w Please note that this script IS NOT SAFE and running it against a target multiple times will exhaust the telnet server's maximum connections (as defined in Software\Microsoft\TelnetServer\1.0\MaxConnections) and require restarting the telnet service.

Scott Lang

Sr. Director, Product Marketing at BeyondTrust

Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.

Stay Up To Date

You May Also Be Interested In:

Understand & Meet the EU GDPR Requirements

EMEIA: Endpoint Security for Desktops: Your guide to least privilege success on Windows & Mac devices

EMEIA: Endpoint Privilege Management for Server Security: Your guide to least privilege success on Windows and Unix/Linux Servers

Universal Privilege Management

Learn

Attend

Support