Technique entry
CVE-ETERNALBLUE · Initial Access
EternalBlue (MS17-010 / CVE-2017-0144)
SMBv1 pre-auth heap overflow — WannaCry / NotPetya propagation engine; still works on unpatched legacy networks.
§ Where this technique fits
CVE-ETERNALBLUE is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at an average step position of 3.5.
§ Dossiers chaining this technique
- Step 2 / 5: EternalBlue (MS17-010) → SMBv1 wormable spread
  Unpatched Windows 7 / Server 2008 with SMBv1 enabled — pre-auth kernel RCE. Used by WannaCry / NotPetya in 2017, still found on enclave / industrial networks.
- Step 5 / 6: Trusted updater hijack → wormable destructive payload (NotPetya / M.E.Doc)
  Compromise a niche third-party vendor (regional tax software, niche industry tooling). Push a malicious update; every customer auto-installs it. Payload spreads via SMB + Mimikatz, wipes drives.
§ What commonly comes next
- 01 Command and Scripting Interpreter (T1059 · Execution), seen 1×
- 02 Data Destruction (T1485 · Impact), seen 1×