Why v2.29 goes deeper on the tactics attackers still use every day 

If you want to understand how breaches are happening in 2025, don’t look at zero-days; look at decade-old exploits.

EternalBlue, SMBv1, Zerologon, and DoublePulsar aren’t historical footnotes; they continue to play a role in breaches of legacy and poorly secured networks.

While the industry focuses on novelty, attackers keep recycling what works: misconfigured protocols, legacy access paths, credential abuse, and domain takeovers through known but poorly detected techniques.

With v2.29, we are not closing gaps; we’re going deeper. This release continues our approach of expanding high-fidelity detections for the techniques adversaries still depend on. These are not signature updates. They are behavioral, protocol-aware detections built for real-world environments.

Dave Schneider, VP of Marketing

Why these tactics still work

These are not hypothetical threats. They are active exploitation methods observed across real incidents in 2025. 

  • DCSync abuse remains a go-to for post-compromise credential theft. A 2025 report by Mandiant still cites DCSync as being used for credential dumping in nearly 1% of all investigated intrusions. 
  • EternalBlue, EternalChampion, and EternalSynergy still fuel initial access and lateral movement. According to Trustwave’s mid-2025 risk report, more than 20,000 hosts were still running unsupported Windows OS versions. Ransomware groups exploited these exposures to spread, particularly in manufacturing and embedded device environments.
  • Zerologon (CVE-2020-1472) remains in the adversary playbook. Microsoft reports that over 78% of human-operated intrusions in 2025 included compromise of a domain controller. A prime example of this is the recent RansomHub ransomware incident. 

These techniques are not academic. They are still working today. 

What’s new in v2.29 

This release delivers additional targeted detection logic designed to surface stealthy techniques, lateral movement, and post-exploitation activity that most systems overlook. 

Credential and Domain Abuse 

  • DCSync detection through monitoring of unauthorized DRSGetNCChanges requests over the MS-DRSR protocol via RPC, typically transmitted over TCP ports 135 and 445. 
  • Zerologon detection by identifying high-volume Netlogon requests and anomalous machine account password resets.
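To make the two detection ideas above concrete, here is an added illustration (not the product’s own code) of how a sensor that has already decoded the DCE/RPC layer could flag them: a DRSGetNCChanges call from a client that is not a known domain controller (DCSync), and either a burst of Netlogon authentication attempts or a machine account password reset issued by a non-DC (Zerologon). The set of known DCs, the burst threshold and window, and all sample events are constructed assumptions.

```python
"""Added example: DCSync and Zerologon indicators over decoded RPC events.

Each event is one decoded RPC call as a network sensor might record it:
timestamp, client and server IPs, the RPC interface and the operation name.
Every value below is constructed for illustration.
"""
from collections import defaultdict

KNOWN_DCS = {"10.0.0.5", "10.0.0.6"}   # assumed: legitimate replication partners
NETLOGON_BURST_THRESHOLD = 50          # assumed: auth attempts per window
NETLOGON_WINDOW_SECONDS = 60

# Constructed sample events: one legitimate replication pull from a DC, one
# DRSGetNCChanges from a workstation, then a Netlogon burst and a password
# reset from that same workstation.
EVENTS = [
    {"ts": 100, "src": "10.0.0.6", "dst": "10.0.0.5", "iface": "MS-DRSR", "op": "DRSGetNCChanges"},
    {"ts": 101, "src": "10.0.8.23", "dst": "10.0.0.5", "iface": "MS-DRSR", "op": "DRSGetNCChanges"},
] + [
    {"ts": 200 + i // 10, "src": "10.0.8.23", "dst": "10.0.0.5", "iface": "MS-NRPC", "op": "NetrServerAuthenticate3"}
    for i in range(60)
] + [
    {"ts": 207, "src": "10.0.8.23", "dst": "10.0.0.5", "iface": "MS-NRPC", "op": "NetrServerPasswordSet2"},
]

def detect_dcsync(events, known_dcs=KNOWN_DCS):
    """Return DRSGetNCChanges requests whose client is not a known DC."""
    return [e for e in events if e["iface"] == "MS-DRSR"
            and e["op"] == "DRSGetNCChanges" and e["src"] not in known_dcs]

def detect_zerologon(events, known_dcs=KNOWN_DCS,
                     threshold=NETLOGON_BURST_THRESHOLD, window=NETLOGON_WINDOW_SECONDS):
    """Return (indicator, src, dst) tuples for Netlogon bursts and non-DC password resets."""
    alerts = []
    attempts = defaultdict(list)           # (src, dst) -> timestamps of auth attempts
    for e in events:
        if e["iface"] != "MS-NRPC":
            continue
        if e["op"] in ("NetrServerReqChallenge", "NetrServerAuthenticate3"):
            attempts[(e["src"], e["dst"])].append(e["ts"])
        elif e["op"] == "NetrServerPasswordSet2" and e["src"] not in known_dcs:
            alerts.append(("netlogon_password_reset", e["src"], e["dst"]))
    for (src, dst), ts_list in attempts.items():
        ts_list.sort()
        start = 0                          # sliding window over sorted timestamps
        for end, t in enumerate(ts_list):
            while t - ts_list[start] > window:
                start += 1
            if end - start + 1 > threshold:
                alerts.append(("netlogon_burst", src, dst))
                break                      # one alert per client/server pair
    return alerts
```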

Insecure Legacy 

  • Identification of cleartext traffic over insecure legacy protocols such as SMBv1, Telnet, FTP, etc. 
  • Detection of credentials exposed in cleartext during authentication exchanges or protocol handshakes. 

Nation-State Exploit Patterns 

  • EternalBlue, EternalSynergy, and EternalChampion exploits identified through malformed SMB headers, opcode sequences, and rare command usage.
  • DoublePulsar implant behavior flagged via MID value anomalies and replay patterns typical of post-exploitation implants.

Protocol Violation Detection 

  • Detection of uncommon or deprecated SMBv1 commands such as TRANSACTION2 abuse, NT_RENAME, and undefined operations.
  • Analysis of malformed packet structures and sequence timing patterns used in exploit kits.

These detections are built for practitioners. They are informed by protocol-level analysis, exploit behavior, and real attacker techniques seen in the field.


Read the Release 

This release is part of a larger mission to expose the paths attackers count on being ignored. These are not historic exploits; they are the current playbook.

Read the full release notes for v2.29 here.