T1059 Command and Scripting Interpreter

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic.

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
DE.AE-02.01 | Event analysis and detection | Mitigates | T1059 | Command and Scripting Interpreter
  Comments: This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
PR.IR-01.08 | End-user device access | Mitigates | T1059 | Command and Scripting Interpreter
  Comments: This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization's network and resources.
PR.PS-01.01 | Configuration baselines | Mitigates | T1059 | Command and Scripting Interpreter
  Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.
PR.AA-05.02 | Privileged system access | Mitigates | T1059 | Command and Scripting Interpreter
  Comments: This diagnostic statement protects against Command and Scripting Interpreter through the use of privileged account management and the use of multi-factor authentication.
DE.CM-09.01 | Software and data integrity checking | Mitigates | T1059 | Command and Scripting Interpreter
  Comments: This diagnostic statement protects against Command and Scripting Interpreter by verifying the integrity of software/firmware, loading only trusted software, ensuring privileged process integrity, and checking software signatures.
PR.PS-05.01 | Malware prevention | Mitigates | T1059 | Command and Scripting Interpreter
  Comments: Antivirus/antimalware software can be utilized to detect and quarantine files that have been embedded with malicious commands or scripts.
PR.PS-01.03 | Configuration deviation | Mitigates | T1059 | Command and Scripting Interpreter
  Comments: This diagnostic statement provides protection from Command and Scripting Interpreter through the implementation of security configuration baselines for OS, software, file integrity monitoring, and imaging. Security baselining, along with disallowing scripts and integrity checking, can help protect against adversaries that may abuse command and script interpreters.
PR.PS-05.02 | Mobile code prevention | Mitigates | T1059 | Command and Scripting Interpreter
  Comments: Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.
DE.CM-01.05 | Website and service blocking | Mitigates | T1059 | Command and Scripting Interpreter
  Comments: This diagnostic statement prevents adversaries from abusing commands, scripts, or binaries by blocking the execution of scripts and malicious code delivered through ads, for example with ad blockers.
PR.IR-01.06 | Production environment segregation | Mitigates | T1059 | Command and Scripting Interpreter
  Comments: This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
PR.AA-01.01 | Identity and credential management | Mitigates | T1059 | Command and Scripting Interpreter
  Comments: This diagnostic statement protects against Command and Scripting Interpreter through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
PR.PS-01.08 | End-user device protection | Mitigates | T1059 | Command and Scripting Interpreter
  Comments: This diagnostic statement protects against Command and Scripting Interpreter by limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CA-07 | Continuous Monitoring | mitigates | T1059 | Command and Scripting Interpreter
CM-06 | Configuration Settings | mitigates | T1059 | Command and Scripting Interpreter
CM-05 | Access Restrictions for Change | mitigates | T1059 | Command and Scripting Interpreter
AC-17 | Remote Access | mitigates | T1059 | Command and Scripting Interpreter
IA-09 | Service Identification and Authentication | mitigates | T1059 | Command and Scripting Interpreter
IA-08 | Identification and Authentication (Non-Organizational Users) | mitigates | T1059 | Command and Scripting Interpreter
SC-18 | Mobile Code | mitigates | T1059 | Command and Scripting Interpreter
CM-11 | User-installed Software | mitigates | T1059 | Command and Scripting Interpreter
SI-16 | Memory Protection | mitigates | T1059 | Command and Scripting Interpreter
SI-02 | Flaw Remediation | mitigates | T1059 | Command and Scripting Interpreter
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1059 | Command and Scripting Interpreter
CM-08 | System Component Inventory | mitigates | T1059 | Command and Scripting Interpreter
SI-10 | Information Input Validation | mitigates | T1059 | Command and Scripting Interpreter
SI-03 | Malicious Code Protection | mitigates | T1059 | Command and Scripting Interpreter
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1059 | Command and Scripting Interpreter
CM-02 | Baseline Configuration | mitigates | T1059 | Command and Scripting Interpreter
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1059 | Command and Scripting Interpreter
CM-07 | Least Functionality | mitigates | T1059 | Command and Scripting Interpreter
SI-04 | System Monitoring | mitigates | T1059 | Command and Scripting Interpreter
AC-02 | Account Management | mitigates | T1059 | Command and Scripting Interpreter
AC-03 | Access Enforcement | mitigates | T1059 | Command and Scripting Interpreter
AC-05 | Separation of Duties | mitigates | T1059 | Command and Scripting Interpreter
AC-06 | Least Privilege | mitigates | T1059 | Command and Scripting Interpreter

                          Known Exploited Vulnerabilities Mappings

                          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                          CVE-2024-34102 Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by sending a crafted XML document that references external entities with the likely goal of accessing local data.
                          References
                          CVE-2019-13608 Citrix StoreFront Server XML External Entity (XXE) Processing Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2019-13608 is a an XML External Entity (XXE) processing vulnerability that may allow an unauthenticated attacker to retrieve potentially sensitive information.
                          References
                          CVE-2024-4671 Google Chromium Visuals Use-After-Free Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2024-4671 is a use-after-free vulnerability where an adversary can perform a sandbox escape via a maliciously-crafted HTML page.
                          References
                          CVE-2021-22893 Ivanti Pulse Connect Secure Use-After-Free Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited through an authentication bypass weakness in the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure. Remote attackers leverage this vulnerability to perform remote arbitrary code execution on the Pulse Connect Secure gateway by bypassing authentication controls. The threat actor group UNC2630 has utilized this flaw to harvest login credentials, allowing them to move laterally within affected environments.
                          References
                          CVE-2025-27038 Qualcomm Multiple Chipsets Use-After-Free Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          Exploitation of this vulnerability would allow for an attacker to use client-side software (in this case, Chrome), to execute code on the system.
                          References
                          CVE-2025-24085 Apple Multiple Products Use-After-Free Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          The use-after-free vulnerability present in various Apple device versions (that have since been patched out) allows for a malicious application to escalate its priviliges within the system.
                          References
                          CVE-2025-32709 Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This use-after-free vulnerability in Windows has been exploited by attackers to gain SYSTEM-level privileges, leading to remote code execution, full system compromise, the modification of system processes to establish persistence on the machine, and the deployment of malware such as credential harvesters and ransomware.
                          References
                          CVE-2025-32701 Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability exploitation_technique T1059 Command and Scripting Interpreter
                          Comments
                          This zero-day vulnerability has been exploited by attackers to gain SYSTEM-level privileges in Windows, leading to remote code execution, as well as the ability to disable security tools, deploy malicious payloads, and extract credentials from memory.
                          References
                          CVE-2021-3129 Laravel Ignition File Upload Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited when a remote unauthorized user sends a malicious payload to a server using an insecure version of Ignition. The payload targets the MakeViewVariableOptionalSolution.php module, leveraging insecure PHP functions file_get_contents and file_put_contents to specify a file path for executing arbitrary code.
                          References
                          CVE-2021-22900 Ivanti Pulse Connect Secure Unrestricted File Upload Vulnerability exploitation_technique T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited through multiple unrestricted uploads. Adversaries with authenticated administrator privileges leverage this vulnerability to perform unauthorized file writes on the system via a maliciously crafted archive upload within the administrator web interface in Pulse Connect Secure.
                          References
                          CVE-2021-22005 VMware vCenter Server File Upload Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by an adversary who can access the vCenter Server over the network. The adversary uploads a crafted file to the server's analytics service via port 443, exploiting the file upload vulnerability. This results in remote code execution on the host. Threat actors have been observed leveraging this vulnerability, identified as CVE-2021-22005, using code released by security researcher Jang, to gain unauthorized access to vCenter servers.
                          References
                          CVE-2024-57968 Advantive VeraCore Unrestricted File Upload Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          Advantive VeraCore versions prior to 2024.4.2.1 contain an unrestricted file upload flaw that can lead to remote code execution and full system compromise. This attack requires valid credentials for VeraCore.
                          References
                          CVE-2025-31324 SAP NetWeaver Unrestricted File Upload Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          Attackers have exploited this SAP vulnerability to achieve remote code execution on the target system by sending malicious ZIP files to specific server endpoints. This can be done either through use of a single command or by uploading a web shell.
                          References
                          CVE-2024-4947 Google Chromium V8 Type Confusion Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2024-4947 is a type confusion vulnerability in Chrome's V8 JavaScript engine. Adversaries have been observed exploiting this vulnerability by hosting a web-based game on a site that triggered the vulnerability and executed arbitrary code. Adversaries promoted the game on social media and through emails.
                          References
                          CVE-2025-6554 Google Chromium V8 Type Confusion Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          CVE-2025-30397 Microsoft Windows Scripting Engine Type Confusion Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability has enabled attackers to use heap spraying techniques to trigger a memory corruption, allowing them to execute code remotely.
                          References
                          CVE-2023-48788 Fortinet FortiClient EMS SQL Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This is an SQL injection vulnerability that can be exploited to execute remote code via specially crafted HTTP requests. Adversaries have been observed using this exploit to deploy tools on the target machine.
                          References
                          CVE-2023-34362 Progress MOVEit Transfer SQL Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2023-34362 is a SQL injection vulnerability in a public-facing application. Adversaries have been observed to exploit this vulnerability to install malicious software on a target system, enabling them to discover system settings and information, enumerate the underlying SQL database, retrieve files, create administrator accounts, and delete accounts.
                          References
                          CVE-2021-42258 BQE BillQuick Web Suite SQL Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2021-42258 is a SQL injection vulnerability in BillQuick Web Suite that allows attackers to execute arbitrary SQL commands on the database server
                          References
                          CVE-2021-27101 Accellion FTA SQL Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2021-27101 is a SQL injection vulnerability in Accellion File Transfer Appliance that allows an adversary to execute SQL commands.
                          References
                          CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          Due to an improper sanitization flaw in the web-based CyberRoam WebAdmin administrative panel, an attacker with network access can use SQL injection to execute commands remotely.
                          References
                          CVE-2023-2533 PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          A CSRF vulnerability in PaperCut NG/MF can be exploited by an attacker targeting an admin with a current login session and tricking the admin into clicking a link. This exploit can lead to security setting modification and arbitrary code execution.
                          References
                          CVE-2025-31201 Apple Multiple Products Arbitrary Read and Write Vulnerability secondary_impact T1059 Command and Scripting Interpreter
                          Comments
                          A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.
                          References
                          CVE-2024-21413 Microsoft Outlook Improper Input Validation Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          Attackers can send a specially crafted email that uses the file:// protocol to reference a server that they own, ending the file:// link with an exclamation mark to bypass Outlook's security features, leading to remote code execution.
                          References
                          CVE-2024-20359 Cisco ASA and FTD Privilege Escalation Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by an authenticated, local attacker in order to execute arbitrary code with root-level privileges by copying a crafted file to the disk0: file system. This is possible due to improper validation of a file when it is read from system flash memory. This vulnerability is associated with an attack campaign named ArcaneDoor in early 2024. This campaign targeted this vulnerability among others to implant malware, execute commands, and potentially exfiltrate data from compromised devices.
                          References
                          CVE-2023-28252 Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability secondary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by an adversary that has gained local access to the victim system. If successfully exploited, the adversary would gain full SYSTEM level privileges. This CVE has been leveraged in the wild by Storm-0506 involved deploying Black Basta ransomware, initiated through a Qakbot infection and exploiting a Windows vulnerability (CVE-2023-28252) to gain elevated privileges. The attackers used tools like Cobalt Strike and Pypykatz for credential theft and lateral movement, eventually creating an "ESX Admins" group to encrypt the ESXi file system and disrupt hosted VMs. Based on the described exploitation of CVE-2023-28252 and the associated attack activities, the following MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) could be linked to this CVE:
                          References
                          CVE-2022-41125 Microsoft Windows CNG Key Isolation Service Privilege Escalation Vulnerability secondary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by an attacker who has obtained local access with low privileges on the target system. The vulnerability lies in the Cryptography API: Next Generation (CNG) Key Isolation Service, specifically due to a memory overflow issue. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary commands with SYSTEM privileges, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild. It involves exploiting the memory overflow in the CNG Key Isolation Service to gain SYSTEM-level access. Once the vulnerability is exploited, attackers can manipulate system processes and access sensitive information stored in the service, such as cryptographic keys. This allows them to achieve their objectives, such as executing code with elevated privileges and compromising the security of the affected system.
                          References
                          CVE-2022-37969 Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability secondary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by an attacker who has obtained access to the target system. The vulnerability lies in the Windows Common Log File System (CLFS) Driver, specifically due to improper bounds checking on the `cbSymbolZone` field in the Base Record Header for the base log file (BLF). This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system commands, allowing them to manipulate system processes and potentially deploy additional malware or perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves setting the `cbSymbolZone` field to an invalid offset, triggering an out-of-bound write that corrupts a pointer to the CClfsContainer object. Once the vulnerability is exploited, attackers can manipulate memory to perform arbitrary actions with SYSTEM-level privileges. This allows them to achieve their objectives, such as disabling security applications and gaining full control over the compromised system.
                          References
                          CVE-2022-24521 Microsoft Windows CLFS Driver Privilege Escalation Vulnerability secondary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by an attacker who has already obtained access to a target system to execute code. The vulnerability lies in the Common Log File System (CLFS) driver, specifically in the `CClfsBaseFilePersisted::LoadContainerQ()` function, due to a logic bug in handling container context objects. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary code with system-level privileges, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in ransomware campaigns. It involves corrupting the `pContainer` field of a container context object with a user-mode address by using malformed BLF files. Once the vulnerability is exploited, attackers can manipulate memory to execute code with elevated privileges. This allows them to achieve their objectives, such as stealing the System token and gaining full control over the compromised system.
                          References
                          CVE-2022-22047 Microsoft Windows Client Server Runtime Subsystem (CSRSS) Privilege Escalation Vulnerability secondary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by an attacker who has obtained local access tothe target system. The vulnerability lies in the Client Server Run-Time Subsystem (CSRSS) on Windows, specifically in the activation context caching mechanism, due to improper handling of crafted assembly manifests. This vulnerability has been exploited by threat actors to gain elevated privileges on Windows systems. Attackers leveraged this flaw to execute arbitrary system-level commands, allowing them to manipulate system processes and deploy additional malware to perform further malicious activities. The exploit in question is actively being used in the wild, primarily in targeted attacks. It involves creating a malicious activation context by providing a crafted assembly manifest, which is cached and used the next time the process spawns. Once the vulnerability is exploited, attackers can load a malicious DLL to achieve system-level code execution. This allows them to achieve their objectives, such as executing arbitrary code with elevated privileges, with the same permissions as the compromised system's user.
                          References
                          CVE-2022-21999 Microsoft Windows Print Spooler Privilege Escalation Vulnerability secondary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by an adversary who already has access to the victim system. This vulnerability, also known as SpoolFool, is a local privilege escalation vulnerability in the Windows Print Spooler service, which manages print operations on Windows systems. This vulnerability allows attackers to execute code with SYSTEM-level privileges by exploiting the `SpoolDirectory` configuration setting. The `SpoolDirectory` is writable by all users and can be manipulated using the `SetPrinterDataEx()` function, provided the attacker has `PRINTER_ACCESS_ADMINISTER` permissions. The exploit involves creating a directory junction and using a Universal Naming Convention (UNC) path to write a malicious DLL to a privileged directory, such as `C:\Windows\System32\spool\drivers\x64\4`. This DLL is then loaded and executed by the Print Spooler service, granting the attacker elevated privileges. This method circumvents previous security checks designed to prevent privilege escalation through the Print Spooler. The vulnerability has been exploited in the wild, with attackers using tools like the SpoolFool proof of concept (PoC) published on GitHub. One observed attack involved creating a local administrator account with a default password, indicating the potential for significant system compromise. The Gelsemium APT group has been linked to activity exploiting this vulnerability, highlighting its use in advanced persistent threat campaigns.
                          References
                          CVE-2025-1976 Broadcom Brocade Fabric OS Code Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          Brocade Fabric OS versions 9.1.0 through 9.1.1d6 contain an improper IP validation flaw that allows a user with valid administrative access to escalate their privileges further, allowing for root-level code execution.
                          References
                          CVE-2024-12686 BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) OS Command Injection Vulnerability exploitation_technique T1059 Command and Scripting Interpreter
                          Comments
                          No public proof-of-concept for this exploit exists, but an attacker with existing administrative privileges can exploit this vulnerability can execute arbitrary commands at a higher privilege level.
                          References
                          CVE-2023-36845 Juniper Junos OS EX Series and SRX Series PHP External Variable Modification Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited through a PHP External Variable Modification flaw in the J-Web interface of Juniper Networks Junos OS, affecting EX Series switches and SRX Series firewalls. Attackers leverage this vulnerability to gain initial access by crafting a request that sets the PHPRC variable, thereby altering the PHP execution environment. This manipulation enables the injection and execution of arbitrary code. By exploiting the auto_prepend_file and allow_url_include PHP features, attackers can include a base64 encoded PHP payload using the data:// wrapper. This method allows them to execute code within a confined FreeBSD jail environment, with the potential to escalate privileges by stealing authentication tokens from a user logged into the J-Web application, ultimately enabling unauthorized SSH access with elevated privileges.
                          References
                          CVE-2020-8515 Multiple DrayTek Vigor Routers Web Management Page Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
CVE-2020-8515 is a command injection vulnerability affecting certain DrayTek devices. This vulnerability allows an attacker to execute arbitrary commands on the affected devices without authentication. Successful exploitation has been reported leading to resource hijacking for botnet use.
                          References
                          CVE-2024-58136 Yiiframework Yii Improper Protection of Alternate Path Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          The Yii2 PHP framework, prior to version 2.0.52, contains an improper validation flaw that allows an attacker to input arbitrary PHP classes to a JSON file, which will then be instantiated and executed. This can lead to remote code execution and server-side request forgery, among other potential impacts.
                          References
                          CVE-2024-45195 Apache OFBiz Forced Browsing Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          Insufficient authorization checks in affected Apache OFBiz versions (before 18.12.16) allow an attacker running their own server to send POST requests that instruct the OFBiz server to fetch malicious files from the attacker's server. The attacker can then send another request that triggers the malicious files to run arbitrary code.
                          References
                          CVE-2024-38475 Apache HTTP Server Improper Escaping of Output Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          Improper escaping in Apache HTTP Server versions 2.4.59 and before permits code execution or disclosure of source code, as well as session hijacking and a potential full system compromise. An attacker can use a crafted URL to perform a traversal attack to trick the Apache server into reading sensitive files.
                          References
                          CVE-2024-29059 Microsoft .NET Framework Information Disclosure Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
This information disclosure vulnerability allows an attacker to gain access to an ObjRef URI, which can be leveraged to facilitate remote code execution and privilege escalation.
                          References
                          CVE-2023-48365 Qlik Sense HTTP Tunneling Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
This vulnerability stems from improper HTTP header validation and, if exploited, allows for remote code execution on affected devices.
                          References
                          CVE-2022-23748 Dante Discovery Process Control Vulnerability exploitation_technique T1059 Command and Scripting Interpreter
                          Comments
                          An attacker with local access can exploit a DLL sideloading vulnerability by tricking mDNSResponder.exe into loading a malicious DLL, facilitating arbitrary code execution.
                          References
                          CVE-2025-3928 Commvault Web Server Unspecified Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          While public technical details of this exploit are limited, including the techniques used, it is known that authenticated, low-privileged attackers were able to achieve remote code execution and web shell deployment.
                          References
                          CVE-2025-35939 Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability secondary_impact T1059 Command and Scripting Interpreter
                          Comments
This vulnerability allows an attacker to write arbitrary files to a known location on the target server, including potentially malicious files such as PHP scripts, by leveraging the fact that Craft CMS creates session files for unauthenticated users at the login page. However, this vulnerability does not, by itself, cause any scripts to be executed or any information to be accessed, so it can only write files and would need to be chained with another vulnerability in order to achieve code execution.
                          References
                          CVE-2025-33053 Microsoft Windows External Control of File Name or Path Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          By manipulating the working directory of Windows processes, attackers can utilize these valid processes and trick them into running arbitrary code from a WebDAV server. This has been done by using a phishing email with a malicious PDF document attached, leading to code execution, the creation of backdoors, the introduction of a keylogger onto the system, and data exfiltration via C2.
                          References
                          CVE-2017-11882 Microsoft Office Memory Corruption Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
CVE-2020-0688 exists in Microsoft Office, which is prone to a memory corruption vulnerability that, if unpatched, allows an attacker to run arbitrary code in the context of the current user because objects in memory are not properly handled. Cyber actors continued to exploit this vulnerability in Microsoft Office. The vulnerability is ideal for phishing campaigns, and it enables RCE on vulnerable systems.
                          References
                          CVE-2025-31200 Apple Multiple Products Memory Corruption Vulnerability secondary_impact T1059 Command and Scripting Interpreter
                          Comments
                          A strategic zero-click iMessage exploit chain (CVE-2025-31200 / 31201) has been reported as compromising targeted devices with Paragon's Graphite spyware. Observed impacts include Secure Enclave key exfiltration, silent wallet theft, C2 infrastructure, and persistent C2 communication.
                          References
                          CVE-2025-24985 Microsoft Windows Fast FAT File System Driver Integer Overflow Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          An attacker can trick users into executing malicious code by mounting images or drives. This code exploits vulnerabilities in the Windows Fast FAT File System Driver.
                          References
                          CVE-2024-26169 Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is a zero-day exploit that "manipulates the Windows file werkernel.sys, which uses a null security descriptor when creating registry keys. Attackers create a registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe and set the "Debugger" value to the exploit's executable pathname. This allows the exploit to start a shell with administrative privileges." This vulnerability has been exploited by the Black Basta ransomware group.
                          References
                          CVE-2020-0787 Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
CVE-2020-0787 is a privilege elevation vulnerability in the Windows Background Intelligent Transfer Service (BITS). An actor can exploit the service's improper handling of symbolic links to execute arbitrary code with system-level privileges.
                          References
                          CVE-2024-4577 PHP-CGI OS Command Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
CVE-2024-4577 is a PHP argument injection vulnerability that allows an adversary to execute arbitrary PHP commands. Threat actors have been observed utilizing Cobalt Strike and the TaoWu toolkit for post-exploitation activities, such as conducting reconnaissance, establishing persistence, escalating privileges to SYSTEM level, and harvesting credentials.
                          References
                          CVE-2024-21887 Ivanti Connect Secure and Policy Secure Command Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited through a command injection weakness in the web components of Ivanti Connect Secure and Ivanti Policy Secure. Attackers leverage this vulnerability to achieve remote code execution by sending specially crafted requests to vulnerable instances, potentially without requiring authentication when combined with other vulnerabilities. This manipulation allows attackers to execute arbitrary commands on the appliance, potentially enabling further exploitation and system compromise. Threat actors have been reported as likely targeting credentials and the deployment of web shells to provide future access.
                          References
                          CVE-2024-20399 Cisco NX-OS Command Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by an attacker who has access to administrator credentials. The adversary leverages these credentials to execute arbitrary commands using root privileges.
                          References
                          CVE-2023-20887 Vmware Aria Operations for Networks Command Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by a remote, unauthenticated actor to gain remote code execution via a command injection attack. This vulnerability has been exploited in the wild; however, technical details have not been publicly shared.
                          References
                          CVE-2023-20273 Cisco IOS XE Web UI Command Injection Vulnerability secondary_impact T1059 Command and Scripting Interpreter
                          Comments
This vulnerability is exploited through improper privilege escalation in the Web User Interface feature of Cisco IOS XE software. Attackers first used this vulnerability to elevate privileges from a normal user to root by leveraging a newly created local user account. This allowed them to write malicious implants to the file system that enable them to execute arbitrary commands. This CVE was exploited after the adversary exploited CVE-2023-20198.
                          References
                          CVE-2022-36804 Atlassian Bitbucket Server and Data Center Command Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
This vulnerability allows remote attackers with read permission to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request.
                          References
                          CVE-2022-29303 SolarView Compact Command Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
CVE-2022-29303 is a command injection vulnerability within a PHP component in the product's web server. Reports indicate that the vulnerability has been exploited by operators of the Mirai botnet malware.
                          References
                          CVE-2021-27104 Accellion FTA OS Command Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
CVE-2021-27104 is an operating system command injection vulnerability in Accellion File Transfer Appliance that allows an adversary to execute commands by sending a specially crafted POST request to the product's administrative endpoint.
                          References
                          CVE-2021-27102 Accellion FTA OS Command Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2021-27102 is an operating system command execution vulnerability in Accellion File Transfer Appliance that allows an adversary to execute arbitrary commands via a local web service call.
                          References
                          CVE-2021-1498 Cisco HyperFlex HX Data Platform Command Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
CVE-2021-1498 is a critical vulnerability in the web-based management interface of Cisco HyperFlex HX Data Platform. This vulnerability allows an unauthenticated, remote attacker to perform a command injection attack against an affected device.
                          References
                          CVE-2021-1497 Cisco HyperFlex HX Installer Virtual Machine Command Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
CVE-2021-1497 is a critical vulnerability in the web-based management interface of Cisco HyperFlex HX Installer Virtual Machine. This vulnerability allows an unauthenticated, remote attacker to perform a command injection attack against an affected device.
                          References
                          CVE-2020-25506 D-Link DNS-320 Device Command Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2020-25506 is a command injection vulnerability in the D-Link DNS-320 FW v2.06B01 Revision Ax system_mgr.cgi component, which can lead to remote arbitrary code execution.
                          References
                          CVE-2025-20337 Cisco Identity Services Engine Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
This vulnerability, present in the API in Cisco ISE and Cisco ISE-PIC, allows an attacker to send maliciously crafted API requests to a vulnerable device. If exploited, the attacker can gain the ability to execute arbitrary code at the root level.
                          References
                          CVE-2025-20281 Cisco Identity Services Engine Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
This vulnerability, present in the API in Cisco ISE and Cisco ISE-PIC, allows an attacker to send maliciously crafted API requests to a vulnerable device. If exploited, the attacker can gain the ability to execute arbitrary code at the root level.
                          References
                          CVE-2024-6047 GeoVision Devices OS Command Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          End-of-life GeoVision IoT devices contain improper input filtering, allowing for commands to be injected into the szSrvIpAddr parameter of the /DateSetting.cgi endpoint. Exploiting this vulnerability can allow remote code execution on the system.
                          References
                          CVE-2024-50603 Aviatrix Controllers OS Command Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          Due to improper handling of user input, an attacker can insert shell metacharacters into specific parameters, permitting the execution of arbitrary commands.
                          References
                          CVE-2024-41710 Mitel SIP Phones Argument Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
Improper input sanitization in the Mitel 6869i SIP Phone, firmware version 6.3.0.1020, can be exploited to obtain root access on the device and execute arbitrary code.
                          References
                          CVE-2024-12987 DrayTek Vigor Routers OS Command Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          An unauthenticated, remote attacker can exploit this vulnerability to escalate privileges and execute arbitrary code with root access.
                          References
                          CVE-2023-33538 TP-Link Multiple Routers Command Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          End-of-life TP-Link routers contain an improper input sanitization flaw that attackers can exploit by sending specially crafted HTTP GET requests to the web interface, leading to privilege escalation and arbitrary code execution.
                          References
                          CVE-2021-20035 SonicWall SMA100 Appliances OS Command Injection Vulnerability exploitation_technique T1059 Command and Scripting Interpreter
                          Comments
                          While this vulnerability was originally considered a denial-of-service issue in 2021, this improper neutralization issue has been exploited in 2025 as a remote code execution vulnerability. After authenticating (either with default credentials or via brute force, password stuffing, or dictionary attacks), an attacker can execute arbitrary commands as a "nobody" user.
                          References
                          CVE-2023-33246 Apache RocketMQ Command Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by a remote attacker who leverages a command injection flaw in Apache RocketMQ versions 5.1 and lower. By using the update configuration function, the adversary can execute commands as the system user under which RocketMQ is running. This lack of permission verification in components like NameServer, Broker, and Controller, which are exposed on the extranet, allows for remote command execution. Additionally, attackers can forge RocketMQ protocol content to achieve the same effect. Since at least June 2023, threat actors have actively exploited this vulnerability to gain initial access and deploy the DreamBus botnet, a Linux-based malware.
                          References
                          CVE-2021-42237 Sitecore XP Remote Command Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          CVE-2021-22894 Ivanti Pulse Connect Secure Collaboration Suite Buffer Overflow Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited through a buffer overflow weakness. Remote authenticated attackers leverage this vulnerability to perform arbitrary code execution with root privileges on the Pulse Connect Secure gateway by manipulating input buffers.
                          References
                          CVE-2020-29557 D-Link DIR-825 R1 Devices Buffer Overflow Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
CVE-2020-29557 is a buffer overflow vulnerability in the web interface that allows attackers to achieve pre-authentication remote code execution. Unidentified threat actors are reported to have been actively exploiting it to co-opt affected devices into a Mirai-variant botnet used for carrying out DDoS attacks, merely two days after its public disclosure.
                          References
                          CVE-2018-6789 Exim Buffer Overflow Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2018-6789 is a vulnerability in Exim, an open-source mail transfer agent. This vulnerability, identified as an off-by-one buffer overflow, allows attackers to execute arbitrary code remotely by sending specially crafted messages to the SMTP listener.
                          References
                          CVE-2010-2883 Adobe Acrobat and Reader Stack-Based Buffer Overflow Vulnerability secondary_impact T1059 Command and Scripting Interpreter
                          Comments
This vulnerability is exploited by the user opening a malicious PDF file, leading to arbitrary code execution.
                          References
                          CVE-2025-22457 Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways products running old versions are susceptible to a stack-based buffer overflow exploit that can lead to remote code execution. The patched versions of each product that remove this vulnerability are as follows: Ivanti Connect Secure (22.7R2.6), Pulse Connect Secure (22.7R2.6), Ivanti Policy Secure (22.7R1.4), and ZTA Gateways (22.8R2.2).
                          References
                          CVE-2025-6543 Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability secondary_impact T1059 Command and Scripting Interpreter
                          Comments
                          An unprivileged attacker can leverage this buffer overflow vulnerability, leading to a denial of service attack, and potentially remote code execution. No public exploits of this vulnerability exist, and information from Citrix is limited.
                          References
                          CVE-2025-42599 Qualitia Active! Mail Stack-Based Buffer Overflow Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This stack-based buffer overflow vulnerability in Active! mail allows an unauthenticated attacker to achieve remote code execution, as well as execute a denial of service attack by crashing the server.
                          References
                          CVE-2025-32756 Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          Attackers use a Python script (publicly available or custom) to send a malformed POST request, triggering a buffer overflow. From there, they execute remote code and malicious payloads (i.e. malware), harvest credentials, move laterally over the network, erase logs to avoid detection, and exfiltrate data over C2.
                          References
                          CVE-2025-32706 Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability exploitation_technique T1059 Command and Scripting Interpreter
                          Comments
                          Attackers have exploited this heap-based buffer overflow vulnerability to escalate their privileges to SYSTEM-level, allowing them to execute arbitrary code, disable security tools, deploy malicious payloads, and extract credentials from memory.
                          References
                          CVE-2023-7101 Spreadsheet::ParseExcel Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by a remote attacker by passing unvalidated input from a file into a string-type "eval". Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic. After successful exploitation, the attacker gains the ability to perform remote code execution. This vulnerability has been targeted by Chinese hackers who exploited the vulnerability in Spreadsheet::ParseExcel to compromise appliances. In collaboration with cybersecurity firm Mandiant, Barracuda assesses that the threat actor behind the attacks is UNC4841, who leveraged the flaw to deploy ‘SeaSpy’ and ‘Saltwater’ malware.
                          References
                          CVE-2023-41179 Trend Micro Apex One and Worry-Free Business Security Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by a remote attacker who has obtained administrative console access on the target system. Successful exploitation of the flaw could allow an attacker to manipulate the component to execute arbitrary commands on an affected installation. This vulnerability has been exploited in the wild.
                          References
                          CVE-2023-22952 Multiple SugarCRM Products Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
This Remote Code Execution (RCE) vulnerability is exploited by an unauthenticated attacker who, via a crafted request, can inject custom PHP code through the EmailTemplates module because of missing input validation. This vulnerability has been exploited by threat actors to gain initial access to AWS accounts by injecting custom PHP code through the SugarCRM email templates module. Attackers leveraged misconfigurations to expand their access, obtaining long-term AWS access keys from compromised EC2 instances. They used tools like Pacu and Scout Suite to explore AWS services such as EC2, IAM, RDS, and S3, and gathered account information via AWS Organizations and Cost and Usage services. The attackers moved laterally by creating RDS snapshots and new EC2 instances, modifying security groups, and attempting to escalate privileges by logging in as the Root user. They also employed defense evasion techniques, including deploying resources in non-standard regions and intermittently stopping EC2 instances to avoid detection and minimize costs. The exploit in question is actively being used to compromise hosts by installing a PHP-based web shell. It involves an authentication bypass against the "/index.php" endpoint of the targeted service. Once bypassed, the attacker obtains a cookie and sends a secondary POST request to "/cache/images/sweet.phar" to upload a small PNG-encoded file containing PHP code. This file acts as a web shell, allowing the execution of commands specified in the base64-encoded query argument "c". For example, a request like 'POST /cache/images/sweet.phar?c="L2Jpbi9pZA=="' would execute the command "/bin/id" with the same permissions as the web service's user.
                          References
                          CVE-2022-42948 Fortra Cobalt Strike User Interface Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by a remote, unauthenticated attacker. The vulnerability is caused by improper escaping of HTML tags in Swing components. This flaw allows the attacker to inject crafted HTML code, enabling them to execute code within the Cobalt Strike UI. Exploitation can occur through a graphical file explorer menu, allowing attackers to perform unauthorized operations on the administrative interface.
                          References
                          CVE-2022-35914 Teclib GLPI Remote Code Execution Vulnerability exploitation_technique T1059 Command and Scripting Interpreter
                          Comments
This vulnerability is exploited by a remote, unauthenticated attacker via /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2, which allows PHP code injection. In-the-wild exploitation details have not been publicly released for this vulnerability.
                          References
                          CVE-2022-35405 Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability exploitation_technique T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2022-35405 is an unauthenticated remote code execution vulnerability as a result of deserialization.
                          References
                          CVE-2022-34713 Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability secondary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited when a user is tricked by an adversary to open a maliciously crafted file. Once the user opens the file, an adversary gains the ability to execute arbitrary code the next time the victim restarts their computer and logs in.
                          References
                          CVE-2022-26501 Veeam Backup & Replication Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by a remote, unauthenticated attacker to access internal API functions and send malicious code to the Veeam Distribution Service via the default TCP port 9380. This vulnerability has been exploited by threat actors associated with the AvosLocker ransomware. Kroll analysts have observed these actors using this vulnerability, alongside CVE-2022-26500, to potentially exfiltrate data and download malicious tools while appearing as legitimate activity to evade detection.
                          References
                          CVE-2022-26500 Veeam Backup & Replication Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
This vulnerability gives remote, authenticated users access to internal API functions, allowing attackers to upload and execute arbitrary code. This vulnerability has been exploited by threat actors associated with AvosLocker ransomware, as identified by Kroll analysts. These actors have developed new tactics targeting backup systems, specifically leveraging vulnerabilities in Veeam Backup and Replication software (CVE-2022-26500 and CVE-2022-26501) to potentially exfiltrate data while evading detection.
                          References
                          CVE-2022-26258 D-Link DIR-820L Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This remote command execution vulnerability is exploited by an adversary via HTTP POST to get set ccp. The exploit targets a command injection vulnerability in the /lan.asp component. The component does not successfully sanitize the value of the HTTP parameter DeviceName, which in turn can lead to arbitrary command execution. Adversaries have leveraged this vulnerability to spread a variant of Mirai botnet called MooBot to cause a distributed denial of service attack.
                          References
                          CVE-2022-22965 Spring Framework JDK 9+ Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This remote code execution (RCE) vulnerability affects Spring MVC or Spring WebFlux applications running on JDK 9+ when deployed on Tomcat as a WAR file. This vulnerability can be exploited by a remote attacker via data binding, allowing malicious actors to execute arbitrary code. Specifically, it has been used to deploy and execute the Mirai botnet malware. The exploit involves downloading a Mirai sample to the "/tmp" directory and changing its permissions to make it executable using "chmod." The malware is then executed, enabling further malicious activities. The vulnerability does not affect applications deployed as Spring Boot executable jars. Observations of this exploit began in early April 2022, with malware variants available for different CPU architectures.
                          References
                          CVE-2022-21971 Microsoft Windows Runtime Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited when an authenticated user is convinced by an attacker to download and open a specially crafted file from a website, which grants the attacker access to the victim's computer. No articles have been released to the public showing that this vulnerability has been exploited in the wild or providing any information on how exploitation is carried out.
                          References
                          CVE-2021-45382 D-Link Multiple Routers Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This remote command execution vulnerability is exploited by an unauthenticated, remote adversary via the DDNS function in ncc2 binary file. Adversaries have leveraged this vulnerability to spread a variant of Mirai botnet called Beastmode and IZ1H9 to cause a distributed denial of service attack. In the IZ1H9 attack, once the attackers took advantage of the vulnerability, they injected the IZ1H9 payload into the device. This program included instructions to download another script from a specific web address. When this script ran, it erased records to cover up the malicious actions and then downloaded additional software designed for different types of devices. The script also changed the device's settings to block certain network connections, making it more difficult to remove the malware. After these steps, the infected device connected to a control server, waiting for instructions on which type of denial-of-service attack to carry out, such as disrupting services using various internet protocols. In the Beastmode attack, exploiting the vulnerability led to the download and execution of a script called "ddns.sh." This script then fetched the Beastmode program, which was saved and run with specific settings. These settings allowed the infected device to join a subgroup within the larger botnet, helping the attackers manage and assess the effectiveness of their exploits. Once devices were compromised by Beastmode, the botnet could be used to launch various types of denial-of-service attacks, similar to those seen in other Mirai-based botnets.
                          References
                          CVE-2021-42321 Microsoft Exchange Server Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by an adversary who has gained authentication to the Exchange Server and exploited validation issues in command-let arguments. This gives the adversary access to perform remote code execution on the server.
                          References
                          CVE-2021-35464 ForgeRock Access Management (AM) Core Server Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2021-35464 is a pre-auth remote code execution (RCE) vulnerability in ForgeRock Access Manager identity and access management software. ForgeRock front-ends web applications and remote access solutions in many enterprises.
                          References
                          CVE-2021-35394 Realtek Jungle SDK Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          The vulnerability in Realtek Jungle chipsets is exploited by remote, unauthenticated attackers using UDP packets to a server on port 9034, enabling remote execution of arbitrary commands. The attack involves injecting a shell command that downloads and executes a shell script on the compromised device. This script downloads binaries for various CPU architectures, such as ARM, MIPS, and SuperH, primarily from the Mirai malware family, turning the device into a botnet node. The attack script connects to a malicious IP to download and execute malware, with threats mainly from Mirai, Gafgyt, and Mozi families. It also includes a new DDoS botnet called RedGoBot, developed in Golang. The script uses wget and curl to download botnet clients for different processor architectures. RedGoBot can perform DDoS attacks on various protocols, including HTTP, ICMP, TCP, UDP, VSE, and OpenVPN, upon receiving commands from the threat operator. Additionally, injected commands can write binary payloads to files for execution or reboot the targeted server to cause denial of service.
                          References
                          CVE-2021-31166 Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This memory corruption vulnerability is exploited by a remote, unauthenticated attacker via crafted HTTP packets to a server that uses http.sys to process packets. Adversaries may leverage this vulnerability to execute malicious code on the OS kernel. This vulnerability has a proof of concept validating that it can be wormable. However, exploitations in the wild linking to this type of impact have not been published. The North Korean state-backed hacker group known as the Lazarus Group has been attributed to leveraging this vulnerability in their attacks to gain initial access to Windows IIS servers. Once initial access is gained, they have exploited the vulnerable system to perform data theft, disrupt services, propagate malware, or conduct espionage or surveillance. **team review - AttackerKB links Command and Scripting to this vulnerability, but I have not found any threat reports linking this impact to an actual attack. The only "in the wild" report I found was by SecureBlink linking it to the Lazarus Group to gain initial access. Unsure what primary impact we can link to here.
                          References
                          CVE-2021-22986 F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2021-22986 is a remote command execution vulnerability occurring on the iControl REST interface. Impact reported by the F5 security advisory: "This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. This vulnerability can only be exploited through the control plane and cannot be exploited through the data plane. Exploitation can lead to complete system compromise."
                          References
                          CVE-2021-22205 GitLab Community and Enterprise Editions Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2021-22205 is a critical remote code execution vulnerability allowing unauthenticated attackers to execute arbitrary commands on affected systems. The vulnerability was reported to be actively exploited to assemble botnets and launch gigantic distributed denial of service (DDoS) attacks.
                          References
                          CVE-2021-22204 ExifTool Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          The vulnerability is exploited by a remote attacker to execute arbitrary code on the target system. The vulnerability exists due to improper input validation when parsing DjVu files in ExifTool. A remote attacker can pass a specially crafted file to the application and execute arbitrary code on the target system. Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
                          References
                          CVE-2021-21972 VMware vCenter Server Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2021-21972 is an RCE vulnerability affecting VMware vCenter servers. An attacker with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
                          References
                          CVE-2020-5902 F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2020-5902—an RCE vulnerability in the BIG-IP Traffic Management User Interface (TMUI)—to take control of victim systems. On June 30, F5 disclosed CVE-2020-5902, stating that it allows attackers to, “execute arbitrary system commands, create or delete files, disable services, and/or execute arbitrary Java code.” - CISA Advisory
                          References
                          CVE-2020-17530 Apache Struts Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2020-17530 is a remote code execution vulnerability in Apache Struts versions 2.0.0 - 2.5.25 that allows an attacker to execute code via forced Object-Graph Navigation Language (OGNL) evaluation.
                          References
                          CVE-2020-15505 Ivanti MobileIron Multiple Products Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2020-15505 is an RCE vulnerability in MobileIron Core & Connector that allows an external attacker, with no privileges, to execute code of their choice on the vulnerable system. As mobile device management (MDM) systems are critical to configuration management for external devices, they are usually highly permissioned and make a valuable target for threat actors. Multiple APTs have been observed exploiting this vulnerability to gain unauthorized access.
                          References
                          CVE-2019-19781 Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2019-19781 is exploited through directory traversal, allowing an unauthenticated attacker to execute arbitrary code on affected Citrix NetScaler Application Delivery Controller (ADC) appliances.
                          References
                          CVE-2019-17558 Apache Solr VelocityResponseWriter Plug-In Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2019-17558 is a vulnerability in Apache Solr that allows for Remote Code Execution (RCE) through the VelocityResponseWriter.
                          References
                          CVE-2019-11634 Citrix Workspace Application and Receiver for Windows Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          A vulnerability in Citrix Receiver for Windows may allow an attacker to gain read/write access to the client's local drives, potentially enabling code execution on the client device, such as deploying ransomware.
                          References
                          CVE-2019-11580 Atlassian Crowd and Crowd Data Center Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2019-11580 is a critical vulnerability affecting Atlassian Crowd and Crowd Data Center that allows attackers to achieve remote code execution by sending specially crafted requests to install malicious plugins on vulnerable Crowd instances.
                          References
                          CVE-2018-7600 Drupal Core Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2018-7602 is a remote code execution (RCE) vulnerability affecting Drupal versions 7 and 8. According to reports, successful exploitation has been used to elevate permissions to modify or delete the content of a Drupal-run site and in crypto-jacking campaigns.
                          References
                          CVE-2018-11776 Apache Struts Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2018-11776 is a remote code execution vulnerability in the Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers when alwaysSelectFullNamespace is true and then results are used with no namespace.
                          References
                          CVE-2017-9822 DotNetNuke (DNN) Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2017-9822 is a vulnerability that allows an attacker to exploit cookie deserialization, leading to remote code execution (RCE). It has been noted for its potential impact on various web applications.
                          References
                          CVE-2017-6742 Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2017-6742 is a Simple Network Management Protocol (SNMP) vulnerability in Cisco products related to a buffer overflow condition in the SNMP subsystem. Reported by the NCSC, threat actors exploited CVE-2017-6742 to perform reconnaissance, enumerate router interfaces and deploy custom malware known as "Jaguar Tooth", as detailed in the NCSC’s Jaguar Tooth malware analysis report. This malware obtains further device information which is then exfiltrated over trivial file transfer protocol (TFTP) and enables unauthenticated access via a backdoor.
                          References
                          CVE-2017-5638 Apache Struts Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2017-5638 is a remote code execution vulnerability in Apache Struts Jakarta Multipart versions that allows for malicious file upload using Content-Type, Content-Disposition, or Content-Length HTTP headers during file-upload attempts, allowing an attacker to execute arbitrary commands. This CVE was known to be exploited during the Equifax breach.
                          References
                          CVE-2016-4437 Apache Shiro Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2016-4437 is a code execution vulnerability in Apache Shiro that allows remote attackers to execute code or bypass access restrictions via an unspecified request parameter when a cipher key has not been configured for the "remember me" feature.
                          References
                          CVE-2023-20118 Cisco Small Business RV Series Routers Command Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          Cisco Small Business Router models RV016, RV042, RV042G, RV082, RV320, and RV325 perform improper validation of HTTP packet user input. An authenticated attacker can craft these requests and send them, leading to arbitrary command execution.
                          References
                          CVE-2024-5217 ServiceNow Incomplete List of Disallowed Inputs Vulnerability exploitation_technique T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2024-5217 is an input validation vulnerability that could enable an unauthenticated user to remotely execute code within the context of the ServiceNow Platform due to incomplete input validation in a GlideExpression Script. Organizations often use the ServiceNow platform to host sensitive data about their employees, including their personally identifiable information and HR records related to their employment.
                          References
                          CVE-2024-4879 ServiceNow Improper Input Validation Vulnerability exploitation_technique T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2024-4879 is a Template Injection Vulnerability in ServiceNow UI Macros. When ServiceNow instances are installed public-facing instead of internally, they can be exploited for arbitrary code execution. Adversaries have been observed selling data exfiltrated through this exploit.
                          References
                          CVE-2023-2868 Barracuda Networks ESG Appliance Improper Input Validation Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2023-2868 in the Barracuda Email Security Gateway (ESG) had been reportedly exploited for espionage and exfiltration efforts by UNC4841, as attributed by Mandiant. Following the exploitation of CVE-2023-2868, the malware families SALTWATER, SEASPY, and SEASIDE were identified as being used in intrusions.
                          References
                          CVE-2025-47812 Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          An attacker can craft a message in Lua that injects a null byte, allowing admin access to Wing FTP sessions.
                          References
                          CVE-2024-4761 Google Chromium V8 Out-of-Bounds Memory Write Vulnerability exploitation_technique T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2024-4761 is an out of bounds write vulnerability that allows a remote attacker to perform an out of bounds memory write via a crafted HTML page.
                          References
                          CVE-2023-20109 Cisco IOS and IOS XE Group Encrypted Transport VPN Out-of-Bounds Write Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by an authenticated, remote attacker who has administrative control of either a group member or a key server to execute arbitrary code on an affected device or cause the device to crash. This vulnerability has been identified as being exploited in the wild by Chinese adversary groups.
                          References
                          CVE-2025-24201 Apple Multiple Products WebKit Out-of-Bounds Write Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          An out-of-bounds zero-day flaw exists in WebKit that adversaries have been exploiting via specially crafted web content to escape the Web Content sandbox.
                          References
                          CVE-2024-53197 Linux Kernel Out-of-Bounds Access Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          Using a malicious USB device, an attacker can trigger an out-of-bounds write in the kernel, allowing the attacker to obtain root access and potentially execute arbitrary code.
                          References
                          CVE-2024-53104 Linux Kernel Out-of-Bounds Write Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          By creating or modifying a USB video device, an attacker can send an undefined video frame to trigger an out-of-bounds write, leading to privilege escalation and potential arbitrary code execution.
                          References
                          CVE-2024-27198 JetBrains TeamCity Authentication Bypass Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This authentication bypass vulnerability is exploited by an unauthenticated, remote adversary via an alternative path issue in the web component allowing attackers to perform admin actions and achieve remote code execution. To exploit this vulnerability, attackers need to generate an unauthenticated 404 HTTP response, pass the HTTP query string “?jsp=/app/rest/server”, and append “;.jsp” to the HTTP path parameter.
                          References
                          CVE-2023-38035 Ivanti Sentry Authentication Bypass Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability was exploited by unauthenticated actors who accessed the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging an authentication bypass flaw to achieve remote code execution. This flaw allows attackers to access sensitive APIs, enabling them to change configurations, execute system commands, or write files onto the system. This vulnerability was part of a campaign involving cryptocurrency mining and internal network reconnaissance. The exploitation allowed attackers to deploy malicious tools and conduct unauthorized activities within the network, ultimately compromising system integrity and security. The exploitation facilitated unauthorized access to the Ivanti Sentry server, allowing the execution of OS commands as a system administrator using "sudo." Observations revealed that suspicious SSL connections over port 8433 led to HTTP GET requests, indicating the abuse of command-line utilities like wget and cURL.
                          References
                          CVE-2023-20867 VMware Tools Authentication Bypass Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by an adversary who has fully compromised an ESXi host. The adversary can exploit the authentication bypass flaw, leading to a failure in authenticating host-to-guest operations. The threat group UNC3886 has exploited this vulnerability to deploy VirtualPita and VirtualPie backdoors on guest VMs by escalating privileges to root on compromised ESXi hosts. This allows for unauthenticated command execution and file transfer.
                          References
                          CVE-2022-23131 Zabbix Frontend Authentication Bypass Vulnerability secondary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by a malicious actor via improper SAML validation to modify session data and escalate privileges to gain admin access to the Zabbix Frontend. This allows attackers to control the saml_data[username_attribute] value. This flaw enables unauthenticated users to bypass authentication and access the Zabbix dashboard as a highly privileged user, such as the default "Admin" user. Additionally, incorrect handling of Zabbix installer files permits unauthenticated users to access and reconfigure servers.
                          References
                          CVE-2022-1040 Sophos Firewall Authentication Bypass Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This authentication bypass vulnerability is exploited by remote attackers via the User Portal and Webadmin components. This vulnerability allows an attacker to execute arbitrary code on the victim machine. It was actively exploited by Chinese state-sponsored APT groups, including "Drifting Cloud," to target organizations and governments across South Asia, particularly in Afghanistan, Bhutan, India, Nepal, Pakistan, and Sri Lanka. The attackers leveraged this vulnerability to deploy webshells, conduct man-in-the-middle attacks by modifying DNS responses, and intercept user credentials and session cookies from content management systems. This vulnerability was exploited by Chinese state-sponsored threat actors as part of a broader campaign named "Pacific Rim." This campaign involved multiple Chinese APT groups, including APT31, APT41, and Volt Typhoon, targeting Sophos firewalls. The backdoor PygmyGoat, a novel rootkit that takes the form of a shared object ("libsophos.so"), has been found to be delivered following the exploitation of this vulnerability. The use of the rootkit was observed between March and April 2022 on a government device and a technology partner, and again in May 2022 on a machine in a military hospital based in Asia. This vulnerability was also exploited by at least two advanced persistent threat (APT) groups in a highly targeted attack campaign. The attackers used the vulnerability to place malicious files into a fixed filesystem location on affected devices, leveraging a combination of authentication bypass and command injection to execute arbitrary commands as root. The attack involved deploying various malware families, including GoMet and Gh0st RAT, to maintain persistent access and exfiltrate sensitive data. The attackers demonstrated significant knowledge of the device firmware, using custom ELF binaries and runtime packers like VMProtect to complicate analysis. They manipulated internal commands to move and manipulate files, execute processes, and exfiltrate data. The campaign targeted network security devices, employing a two-stage attack to drop remote access tools and execute commands remotely.
                          References
                          CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          Due to a regex flaw, an attacker can use non-canonical URLs to bypass authentication. When chained with CVE-2022-43769, it can lead to unauthorized code execution.
                          References
                          CVE-2025-4427 Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          By sending a specially crafted HTTP GET request to the Ivanti EPMM endpoint, an attacker can bypass the authentication mechanisms. This can be chained with CVE-2025-4428 to achieve remote code execution.
                          References
                          CVE-2025-31161 CrushFTP Authentication Bypass Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability in CrushFTP has been exploited to give attackers control over how the software handles authentication, allowing access to the administrative account. From there, attackers have the ability to read and upload files, execute arbitrary code, create backdoors in the form of new administrative accounts, and conduct a full system takeover.
                          References
                          CVE-2023-27350 PaperCut MF/NG Improper Access Control Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2023-27350 allows an unauthenticated actor to execute malicious code remotely without credentials. Threat actors have been observed exploiting this software through its print scripting interface and installing command and control software on target machines.
                          References
                          CVE-2023-22515 Atlassian Confluence Data Center and Server Broken Access Control Vulnerability secondary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited through improper input validation in Atlassian Confluence, allowing remote attackers to translate arbitrary HTTP parameters into getter/setter sequences via the XWorks2 middleware. This vulnerability enables the creation of unauthorized Confluence administrator accounts and the upload of malicious plugins, granting attackers the ability to modify Java objects at runtime and execute arbitrary code. A nation-state actor known as Storm-0062 has been attributed to exploiting this vulnerability in the wild.
                          References
                          CVE-2019-11510 Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2019-11510: Pulse Connect Secure is vulnerable to unauthenticated arbitrary file disclosure. An attacker can exploit this vulnerability to gain access to administrative credentials.
                          References
                          CVE-2025-3935 ConnectWise ScreenConnect Improper Authentication Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          By exploiting this vulnerability, which stems from ASP.NET and its use of ViewState, an attacker with privileged access can gain access to sensitive data, such as machine keys. By using these machine keys, the attacker can craft malicious ViewState payloads to execute remote code on the ScreenConnect server.
                          References
                          CVE-2022-22947 VMware Spring Cloud Gateway Code Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by a remote attacker via a code injection attack to perform arbitrary remote code execution. CISA has linked this vulnerability to adversary campaigns performed by Andariel to perform cyber espionage via ransomware operations.
                          References
                          CVE-2025-21590 Juniper Junos OS Improper Isolation or Compartmentalization Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability allows for an adversary to escalate their privileges within the system, allowing them to execute arbitrary code.
                          References
                          CVE-2024-56145 Craft CMS Code Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                           This vulnerability, which depends on the PHP configuration setting "register_argc_argv" being enabled, can allow an attacker to craft a malicious HTTP request that the CMS processes as legitimate, leading to remote code execution and, potentially, full system compromise.
                          References
                          CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                           Attackers can use Server-Side Template Injection with a Thymeleaf template to inject malicious code. When chained with CVE-2022-43939, this can lead to unauthorized code execution.
                          References
                          CVE-2025-4428 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          By itself, this exploit requires an authenticated user in order to carry it out. However, when chained with CVE-2025-4427, the attacker achieves unauthenticated remote code execution.
                          References
                          CVE-2023-43770 Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by an adversary via malicious links embedded in trustworthy websites to infiltrate victim systems. Successful exploitation grants the adversary the ability to execute arbitrary code on the impacted system. The Russia-aligned hacking group TAG-70 has been attributed to exploiting this vulnerability. TAG-70 has used this vulnerability in an espionage campaign targeting European government and military agencies, as well as Iranian embassies in Russia, aiming to gather intelligence on European political and military activities. The campaign, active from early to mid-October 2023, is part of a broader pattern of Russian state-aligned cyber-espionage targeting email services.
                          References
                          CVE-2022-39197 Fortra Cobalt Strike Teamserver Cross-Site Scripting (XSS) Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited by a remote attacker to execute HTML on the Cobalt Strike team server. To exploit this vulnerability, an attacker would inspect a Cobalt Strike payload and modify the username field within the payload to be malformed. This manipulation enables the attacker to execute arbitrary code by setting a malformed username in the Beacon configuration. In a documented cybersecurity incident, a Chinese threat actor leveraged a modified version of Cobalt Strike, known as "Cobalt Strike Cat," which included a patch for CVE-2022-39197. This version was used to establish communication channels with victim systems, perform evasive post-exploitation activities, and maintain persistence.
                          References
                          CVE-2020-3580 Cisco ASA and FTD Cross-Site Scripting (XSS) Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                           CVE-2020-3580 is a vulnerability affecting the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link to execute arbitrary script code within the interface or access sensitive browser-based information.
                          References
                          CVE-2024-11182 MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          Threat actors can use spearphishing to deliver a malicious JavaScript payload, which then allows exfiltration of sensitive data from the email servers.
                          References
                          CVE-2023-34192 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          The /h/autoSaveDraft function in Zimbra Collaboration Suite can be targeted by an authenticated attacker's malicious scripts, facilitating arbitrary code execution, as well as session cookie theft.
                          References
                          CVE-2023-40044 Progress WS_FTP Server Deserialization of Untrusted Data Vulnerability exploitation_technique T1059 Command and Scripting Interpreter
                          Comments
                          Zero-day .NET deserialization vulnerability that allows an adversary to make an HTTP POST request to a vulnerable WS_FTP Server and execute commands.
                          References
                          CVE-2023-26359 Adobe ColdFusion Deserialization of Untrusted Data Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                           This vulnerability is exploited against a public-facing server.
                          References
                          CVE-2021-45046 Apache Log4j2 Deserialization of Untrusted Data Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                           CVE-2021-45046 is a Log4j-related vulnerability that could enable an attacker to cause remote code execution or other effects in certain non-default configurations. This specific vulnerability has been reported to have been leveraged in cryptomining and ransomware operations.
                          References
                          CVE-2017-9805 Apache Struts Deserialization of Untrusted Data Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2017-9805 is a deserialization vulnerability in the Apache Struts REST Plugin that could allow an attacker to execute arbitrary commands remotely on the affected systems by sending a specially crafted web request to the application.
                          References
                          CVE-2025-23006 SonicWall SMA1000 Appliances Deserialization Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                           This pre-authentication vulnerability, present in SonicWall SMA1000 appliances running version 12.4.3-02804 or earlier, allows attackers to achieve remote code execution on exploited appliances, including arbitrary OS command execution.
                          References
                          CVE-2025-0994 Trimble Cityworks Deserialization Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          A deserialization vulnerability in Trimble Cityworks versions before 15.8.9 (and Cityworks with Office Companion versions prior to 23.10) can be exploited by attackers to execute remote code against a target web server.
                          References
                          CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          An attacker can create a serialized object specifically designed to exploit the deserialization vulnerability, embedding this payload into a request, which is then sent to a WebLogic server, leading to arbitrary code execution.
                          References
                          CVE-2025-24016 Wazuh Server Deserialization of Untrusted Data Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          Attackers with API access have been reported as exploiting this vulnerability through a JSON payload sent to a Wazuh worker server. Requests relayed to the master server can result in arbitrary code execution.
                          References
                          CVE-2025-53770 Microsoft SharePoint Deserialization of Untrusted Data Vulnerability exploitation_technique T1059 Command and Scripting Interpreter
                          Comments
                          This deserialization vulnerability in Microsoft SharePoint allows an unauthenticated remote attacker to execute remote code on the network.
                          References
                          CVE-2025-42999 SAP NetWeaver Deserialization Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                           This deserialization vulnerability in NetWeaver Visual Composer, when chained with CVE-2025-31324, allows an attacker to achieve unauthenticated remote code execution with administrator privileges, leading to consequences such as web shell deployment.
                          References
                          CVE-2023-36851 Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited through a Missing Authentication for Critical Function weakness in Juniper Networks Junos OS on SRX Series devices. Attackers leverage this vulnerability to impact file system integrity by sending a crafted request to the `webauth_operation.php` endpoint, which does not require authentication. This manipulation allows attackers to cause limited impact to the file system integrity, potentially enabling further exploitation.
                          References
                          CVE-2023-36847 Juniper Junos OS EX Series Missing Authentication for Critical Function Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited through a Missing Authentication for Critical Function weakness in Juniper Networks Junos OS on EX Series devices. Attackers leverage this vulnerability to impact file system integrity by sending a crafted request to the `installAppPackage.php` endpoint, which does not require authentication. This manipulation allows the upload of arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system and enabling attackers to chain this vulnerability with others, potentially leading to further exploitation.
                          References
                          CVE-2023-36846 Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited through a Missing Authentication for Critical Function weakness. Attackers leverage this vulnerability to impact file system integrity by sending a crafted request to the `user.php` endpoint, which does not require authentication. This manipulation allows the upload of arbitrary files, enabling attackers to chain this vulnerability with others, potentially leading to unauthenticated remote code execution.
                          References
                          CVE-2025-3248 Langflow Missing Authentication Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          Unauthenticated attackers have exploited this missing authentication vulnerability by sending crafted HTTP requests, allowing them to execute arbitrary code on the target Langflow server.
                          References
                          CVE-2025-32433 Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          Attackers have exploited this Erlang OTP vulnerability by using reverse shells to obtain unauthenticated access, allowing them to execute remote code on the system.
                          References
                          CVE-2023-35081 Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability is exploited through a path traversal flaw in Ivanti EPMM. Attackers initiate this vulnerability by leveraging authenticated administrative access to remotely write arbitrary files onto the server. This enables them to deploy additional payloads, potentially granting further access and compromising the system.
                          References
                          CVE-2021-42013 Apache HTTP Server Path Traversal Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                           CVE-2021-42013 exists because the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was incomplete. CVE-2021-42013 is a path traversal vulnerability in Apache HTTP Server 2.4.49 that allows an attacker to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied," these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.
                          References
                          CVE-2021-41773 Apache HTTP Server Path Traversal Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          CVE-2021-41773 is a path traversal vulnerability in Apache HTTP Server 2.4.49 that allows an attacker to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied," these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.
                          References
                          CVE-2019-3398 Atlassian Confluence Server and Data Center Path Traversal Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                           CVE-2019-3398 is a path traversal vulnerability in Atlassian Confluence Server and Data Center that allows an authenticated attacker to write files to arbitrary locations, potentially leading to remote code execution.
                          References
                          CVE-2024-57727 SimpleHelp Path Traversal Vulnerability secondary_impact T1059 Command and Scripting Interpreter
                          Comments
                          Due to improper handling of HTTP request input, attackers can exploit a path traversal vulnerability in SimpleHelp version 5.5.7 and prior to gain access to critical user data stored in SimpleHelp, such as credentials. From there, with the credentials, they can further compromise the system, such as with code execution.
                          References
                          CVE-2024-4885 Progress WhatsUp Gold Path Traversal Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          By sending a crafted payload to a vulnerable WhatsUp Gold server, an attacker can conduct a path traversal attack and write malicious files onto the server. This leads to high-privileged remote code execution.
                          References
                          CVE-2025-4632 Samsung MagicINFO 9 Server Path Traversal Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          By exploiting a path traversal vulnerability in Samsung MagicINFO 9 Server, an unauthenticated attacker can write arbitrary files with system privileges. This can be used to deploy malware or to hijack resources for activity such as cryptocurrency mining.
                          References
                          CVE-2021-26084 Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                           CVE-2021-26084 is a critical vulnerability affecting Atlassian Confluence Server and Data Center that allows unauthenticated remote code execution. This Object-Graph Navigation Language (OGNL) injection vulnerability enables attackers to execute arbitrary code on vulnerable Confluence instances.
                          References
                          CVE-2025-30406 Gladinet CentreStack and Triofox Use of Hard-coded Cryptographic Key Vulnerability primary_impact T1059 Command and Scripting Interpreter
                          Comments
                          This vulnerability has been exploited to give threat actors with knowledge of the CentreStack portal's machineKey the ability to craft malicious payloads for remote code execution.
                          References

                          VERIS Mappings

                          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                          action.hacking.variety.Abuse of functionality Abuse of functionality. related-to T1059 Command and Scripting Interpreter
                          action.hacking.variety.OS commanding OS commanding. Child of 'Exploit vuln'. related-to T1059 Command and Scripting Interpreter
                          action.hacking.vector.Command shell Remote shell related-to T1059 Command and Scripting Interpreter

                          Azure Mappings

                          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                          microsoft_sentinel Microsoft Sentinel technique_scores T1059 Command and Scripting Interpreter
                          Comments
                           This control provides minimal coverage for most of this technique's sub-techniques, along with additional mappings for its procedure examples, resulting in an overall score of Minimal. The following Microsoft Sentinel Hunting queries can identify potentially malicious use of command and scripting interpreters that does not map directly to one or more sub-techniques: "Anomalous Code Execution" can identify anomalous runCommand operations on virtual machines; "Azure CloudShell Usage" can identify potentially malicious use of CloudShell; "New processes observed in last 24 hours", "Rare processes run by Service accounts", and "Rare Custom Script Extension" can identify execution outliers that may suggest misuse. The following Microsoft Sentinel Analytics queries can identify potentially malicious use of command and scripting interpreters that does not map directly to one or more sub-techniques: "New CloudShell User" can identify potentially malicious use of CloudShell; "Rare and Potentially high-risk Office operations" can identify specific rare mailbox-related account and permission changes via execution.
                          References
                          alerts_for_linux_machines Alerts for Linux Machines technique_scores T1059 Command and Scripting Interpreter
                          Comments
                          This control may alert on suspicious Unix shell and PHP execution. Mismatched script extensions may also generate alerts of suspicious activity. Only one of the technique's sub-techniques is covered, resulting in a score of Minimal.
                          References
                          alerts_for_windows_machines Alerts for Windows Machines technique_scores T1059 Command and Scripting Interpreter
                          Comments
                          This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
                          References
                          defender_for_app_service Microsoft Defender for Cloud: Defender for App Service technique_scores T1059 Command and Scripting Interpreter
                          Comments
                          This control provides minimal detection for this technique's procedure examples and only two of its sub-techniques (only certain specific sub-technique behaviors), resulting in a Minimal score.
                          References

                          GCP Mappings

                          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                          google_secops Google Security Operations technique_scores T1059 Command and Scripting Interpreter
                          Comments
                           Google Security Ops is able to trigger an alert based on system events of interest, for example: decoding Windows payloads using "certutil.exe" functionality. This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/process_creation/suspicious_certutil_command.yaral
                          References
                          virus_total Virus Total technique_scores T1059 Command and Scripting Interpreter
                          Comments
                          VirusTotal, now part of Google Cloud, provides threat context and reputation data to help analyze suspicious files, URLs, domains, and IP addresses to detect cybersecurity threats.
                          References

                          AWS Mappings

                          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                          aws_web_application_firewall AWS Web Application Firewall technique_scores T1059 Command and Scripting Interpreter
                          Comments
                           The AWS WAF protects web applications from injection attacks that leverage command and scripting interpreters. AWS WAF provides this protection via the following rule sets that block malicious traffic across a variety of operating systems and applications: AWSManagedRulesCommonRuleSet, AWSManagedRulesSQLiRuleSet, AWSManagedRulesUnixRuleSet, AWSManagedRulesWindowsRuleSet, AWSManagedRulesPHPRuleSet, and AWSManagedRulesWordPressRuleSet. This is given a score of Partial (instead of Minimal) because while it only protects against a subset of sub-techniques, it does provide protections for command and scripting interpreters that do not have sub-techniques (SQL, PHP, etc.). Furthermore, it blocks the malicious content in near real-time.
                          References

                          M365 Mappings

                          Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                          PUR-AUS-E5 Audit Solutions Technique Scores T1059 Command and Scripting Interpreter
                          Comments
                          Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization. Microsoft's Audit Solutions detects Command and Scripting Interpreter attacks due to Audit Solutions providing the visibility to monitor log files for process execution and monitor contextual data about a running process. License Requirements: Microsoft 365 E3 and E5
                          References
                          DEF-ID-E5 Microsoft Defender for Identity Technique Scores T1059 Command and Scripting Interpreter
                          Comments
                          This control provides Minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score.
                          References
                          EOP-AMW-E3 Antimalware Technique Scores T1059 Command and Scripting Interpreter
                          Comments
                           In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are: Viruses that infect other programs and data, and spread through your computer or network looking for programs to infect. Spyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author. Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware. EOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection: Layered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine. Real-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks. Fast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour. License Requirements: M365 E3 or Microsoft Defender for Office plan 1.
                          References
                          DEF-ZHAP-E3 Zero Hour Auto Purge Technique Scores T1059 Command and Scripting Interpreter
                          Comments
                          Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing. License Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.
                          References
                          DEF-IR-E5 Incident Response Technique Scores T1059 Command and Scripting Interpreter
                          Comments
                           An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action. Microsoft 365 Defender Incident Response responds to Command and Scripting Interpreter attacks because Incident Response monitors reconnaissance and discovery alerts, which cover subsequent behavior related to discovery. License Requirements: Microsoft Defender XDR
                          References
                          PUR-PAM-E5 Privileged Access Management Technique Scores T1059 Command and Scripting Interpreter
                          Comments
                           Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval)). License requirements: M365 E5 customers.
                          References
                          EID-RBAC-E3 Role Based Access Control Technique Scores T1059 Command and Scripting Interpreter
                          Comments
                           The RBAC control can be used to partially protect against the abuse of Cloud APIs but does not provide protection against this technique's other sub-techniques or other example procedures. Due to its Minimal coverage score, it receives a score of Minimal. License Requirements: ME-ID Built-in Roles (Free)
                          References

                          ATT&CK Subtechniques

                          Technique ID Technique Name Number of Mappings
                          T1059.007 JavaScript 36
                          T1059.002 AppleScript 19
                          T1059.010 AutoHotKey & AutoIT 18
                          T1059.009 Cloud API 25
                          T1059.008 Network Device CLI 22
                          T1059.001 PowerShell 40
                          T1059.004 Unix Shell 31
                          T1059.011 Lua 17
                          T1059.006 Python 25
                          T1059.003 Windows Command Shell 22
                          T1059.005 Visual Basic 26