{"vulnerability": "CVE-2019-1040", "sightings": [{"uuid": "74a5b66c-4724-47cb-ae51-45330b47bbbb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "seen", "source": "MISP/5f850411-c103-491f-abff-9421425403cf", "content": "", "creation_timestamp": "2020-10-21T08:19:11.000000Z"}, {"uuid": "18f50f2a-b188-42d3-b4e4-bb42b1e88175", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "seen", "source": "MISP/42d04e94-bf5b-427d-acc8-f5d740675941", "content": "", "creation_timestamp": "2020-10-20T15:57:21.000000Z"}, {"uuid": "5e9aad42-8682-49ba-9164-9d994820e01e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "seen", "source": "MISP/d925a2ee-e7cf-46f6-bec1-ad8e19122730", "content": "", "creation_timestamp": "2020-10-20T15:58:04.000000Z"}, {"uuid": "eaed2013-1e61-4bd1-8480-9daaacf6d250", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "https://t.me/YouPentest/5564", "content": "\u041a\u0435\u0440\u0431\u0435\u0440\u043e\u0441. \u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u043e\u0432 Windows \u0432 \u0442\u0435\u0441\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0438 \u043d\u0430 \u043f\u0440\u043e\u043d\u0438\u043a\u043d\u043e\u0432\u0435\u043d\u0438\u0435.\n\n00:00 \u041f\u043b\u0430\u043d \u0432\u0438\u0434\u0435\u043e\n00:20 \u041e\u0431 \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0435 Kerberos\n01:55 TGT\n08:20 TGS\n14:19 Golden ticket, ntds.dit, krbtgt\n23:02 Silver ticket\n25:15 Kerberoasting\n32:45 AS-REQ Roasting\n36:30 AS-REP Roasting\n43:15 \u041f\u0440\u043e SPN\n47:27 Delegation\n49:20 Unconstrained delegation, printer bug \u0438 DCSync \n57:35 DCSync \u0438 Rubeus\n01:06:50 Unconstrained delegation Pro tip\n01:11:05 Constrained delegation\n01:14:01 S4U2Self \u0438 S4U2Proxy\n01:21:50 Protected users. Account is sensitive and cannot be delegated\n01:24:19 'Forwardable' ticket flag\n01:32:37 Resource-based constrained delegation\n01:47:20 NTLM relay attack. NTLMrelayx \u0438 Rubeus\n01:58:50 MS Exchange Pro tip\n02:03:19 CVE-2019-1040\n02:06:06 LDAP signing\n02:12:25 \u043f\u0440\u043e\u0434\u043e\u043b\u0436\u0435\u043d\u0438\u0435 Constrained delegation\n02:15:36 \u043f\u0440\u043e\u0434\u043e\u043b\u0436\u0435\u043d\u0438\u0435 NTLM relay attack, Resource-based constrained delegation \u0438 LDAP signing\n02:17:07 \u043f\u0440\u043e\u0434\u043e\u043b\u0436\u0435\u043d\u0438\u0435 SPN\n02:18:59 \u043f\u0440\u043e\u0434\u043e\u043b\u0436\u0435\u043d\u0438\u0435 NTLMrelayx \u0438 secondary DNS\n\nhttps://www.youtube.com/watch?v=qZPvgoUzCdI\n\n#video #infosec #cybersecurity #pentesting #kerberos #ad", "creation_timestamp": "2024-02-26T16:38:10.000000Z"}, {"uuid": "4b5fc099-b423-4ad8-97cf-60015135ec24", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2019-1040", "type": "seen", "source": "https://gist.github.com/Darksidesfear/97c95439522b3c4dec1538398066aa8f", "content": "", "creation_timestamp": "2025-05-04T11:34:03.000000Z"}, {"uuid": "f8e31699-1acf-4b13-9399-8e00ad6e0a84", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "Telegram/6ozsUPZBjsDLdZG63vMadgqko_WpCCgDVLV4ovLlz1dO__U", "content": "", "creation_timestamp": "2025-12-07T03:00:05.000000Z"}, {"uuid": "83cbb3c7-f24f-434b-8afb-850a5ca83439", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "https://t.me/antichat/5409", "content": "Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin\nhttps://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/", "creation_timestamp": "2019-06-14T12:15:26.000000Z"}, {"uuid": "2b3b0f38-caa5-49db-8a95-121744fca736", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "https://t.me/antichat/5859", "content": "https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/", "creation_timestamp": "2019-07-14T08:50:16.000000Z"}, {"uuid": "3bc3a082-297f-4893-bb7b-d6666b952593", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "seen", "source": "https://gist.github.com/strikoder/99635df00444bbf5fc90ca83ec8051a0", "content": "", "creation_timestamp": "2025-12-01T12:02:42.000000Z"}, {"uuid": "5dde8526-5897-4672-baa1-6c1eeda15108", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "seen", "source": "https://t.me/is_n3ws/36", "content": "\u0410\u041d\u0411 \u043f\u0440\u043e\u0430\u043d\u0430\u043b\u0438\u0437\u0438\u0440\u043e\u0432\u0430\u043b\u043e \u0430\u0442\u0430\u043a\u0438 \u043a\u0438\u0442\u0430\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u0430\u0432\u0438\u0442\u0435\u043b\u044c\u0441\u0432\u0442\u0432\u0435\u043d\u043d\u044b\u0445 \u0445\u0430\u043a\u0435\u0440\u043e\u0432 \u0438 \u0432\u044b\u043f\u0443\u0441\u0442\u0438\u043b\u043e \u043e\u0442\u0447\u0435\u0442. Top-20 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u0443\u0435\u043c\u044b\u0445 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0435\u0439.\n\nhttps://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF\n\nGaining Remote Access: \n-----------------------------\nCVE-2019-11510: Arbitrary file read/Pulse Secure VPN\nCVE-2019-19781: RCE/Citrix ADC\nCVE-2020-8195/3/6: Unauthenticated access\nCVE-2019-0708: RCE on RDP server\nCVE-2020-5902: RCE in F5 BIG-IP\n\nAD:\n----\nCVE-2020-1472: #ZeroLogon\nCVE-2019-1040: NTLM relay bypass\n\nMDM: \n------\nCVE-2020-15505: MobileIron device management\n\nExploiting Public Facing Services:\n---------------- \nCVE-2020-1350: RCE/ DNS Servers #SigRed\nCVE-2018-6789: RCE/ Exim mail transfer\nCVE-2018-4939: RCE/ Adobe's Cold Fusion\n\nWorkstation Local Privilege Escalation:\n-------------------------\nCVE-2020-0601: ECC spoofing #CurveBall\nCVE-2019-0803: Win32k Elevation of Privilege\n\nInternal Applications:\n--------------------\nCVE-2020-0688: RCE/MS Exchange\nCVE-2020-2555: RCE/Oracle Weblogic\nCVE-2019-11580: RCE/Atlassian Crowd\nCVE-2019-18935: RCE/ASP.Net\nCVE-2015-4852: RCE/Apache\nCVE-2019-3396: Unauthorized Access/Confluence\nCVE-2020-10189: RCE/Desktop Central", "creation_timestamp": "2020-11-06T22:00:17.000000Z"}, {"uuid": "2aa6ac98-9fde-4c35-b078-a9dcfe08ba95", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "https://t.me/mis_team/97", "content": "CVE-2019-1040\n\n\u041f\u043e\u0441\u043b\u0435\u0434\u043d\u0438\u0435 \u043d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u0434\u043d\u0435\u0439 \u0432\u0441\u0435 \u043e\u0431\u0441\u0443\u0436\u0434\u0430\u044e\u0442 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2019-1040 \u0438 \u043f\u0430\u0442\u0447 \u043e\u0442 \u041c\u0430\u0439\u043a\u0440\u043e\u0441\u043e\u0444\u0442\u0430.\n\n\u0415\u0441\u043b\u0438 \u0432\u044b \u0435\u0449\u0451 \u043d\u0438\u0447\u0435\u0433\u043e \u043d\u0435 \u0437\u043d\u0430\u0435\u0442\u0435 - \u0440\u0430\u0441\u0441\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u043c.\n\u0424\u0438\u0448\u043a\u0430 \u0432 ntlm. \u041e\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u0438\u0437-\u0437\u0430 \u0442\u043e\u0433\u043e, \u0447\u0442\u043e \u043f\u0440\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0438 ntlm \u043c\u043e\u0436\u043d\u043e \u043e\u0431\u0445\u043e\u0434\u0438\u0442\u044c \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0443 \u043f\u043e\u0434\u043b\u0438\u043d\u043d\u043e\u0441\u0442\u0438 - \u0435\u0441\u0442\u044c \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c \u043f\u0435\u0440\u0435\u0434\u0430\u0442\u044c SMB \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044e \u043d\u0430 LDAP. \u0412 \u0438\u0442\u043e\u0433\u0435 RCE \u043f\u043e\u0434 \u0441\u0438\u0441\u0442\u0435\u043c\u043e\u0439 \u043d\u0430 \u043c\u0430\u0448\u0438\u043d\u0435.\n\n\u041a\u0430\u043a \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u043e\u0432\u0430\u0442\u044c: \u0432 ntlmrelayx \u0434\u043e\u0431\u0430\u0432\u0438\u043b\u0438 \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0430\u043b, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0438\u0439 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c, \u0435\u0441\u043b\u0438 \u043e\u043d\u0430 \u043d\u0435 \u0437\u0430\u043a\u0440\u044b\u0442\u0430.\n\n\u0414\u043b\u044f \u0437\u0430\u0449\u0438\u0442\u043d\u0438\u043a\u043e\u0432: \u043f\u0430\u0442\u0447 \u0435\u0441\u0442\u044c \u0438 \u0435\u0433\u043e \u043d\u0443\u0436\u043d\u043e \u0441\u0442\u0430\u0432\u0438\u0442\u044c \u043a\u0430\u043a \u043c\u043e\u0436\u043d\u043e \u0431\u044b\u0441\u0442\u0440\u0435\u0435.\n\n\u0414\u043b\u044f \u043f\u0435\u043d\u0442\u0435\u0441\u0442\u0430 \u0438 \u0440\u0435\u0434\u0442\u0438\u043c\u0430: \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0439\u0442\u0435 \u0432 \u043f\u0435\u0440\u0432\u0443\u044e \u043e\u0447\u0435\u0440\u0435\u0434\u044c \u043d\u0430\u043b\u0438\u0447\u0438\u0435 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0439. \u0415\u0441\u043b\u0438 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043d\u0435 \u0441\u0442\u043e\u0438\u0442 - \u0432\u044b \u043d\u0430\u0448\u043b\u0438 \u043b\u0451\u0433\u043a\u0438\u0439 \u0441\u043f\u043e\u0441\u043e\u0431 \u0437\u0430\u0432\u043b\u0430\u0434\u0435\u0442\u044c \u043a\u043e\u043c\u043f\u0430\u043d\u0438\u0435\u0439.\n\nhttps://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/", "creation_timestamp": "2019-06-15T11:10:30.000000Z"}, {"uuid": "17ac5c03-df72-47fa-ac38-4debb71501fc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "Telegram/VhpI9vwSnkp5aTH5NVtKHmjw7iSFjGG8mVB-6en3z_Pvdw", "content": "", "creation_timestamp": "2020-05-06T15:39:23.000000Z"}, {"uuid": "b2f11ce7-282a-4396-a814-113b99134767", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "seen", "source": "Telegram/0sD_EyHySREvSWLaWKL-XHqTqDduPkHhIy1vEKF4pCPQbv8", "content": "", "creation_timestamp": "2020-10-28T02:58:38.000000Z"}, {"uuid": "2fff2381-9a71-4f6f-8330-d8b4d77efadc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/797", "content": "#tools\n#Blue_Team_Techniques\nNTLM Scanner \u2060- tool to check servers/hosts for various known NTLM vulnerabilities over SMB:   CVE-2019-1019, CVE-2019-1040, CVE-2019-1166, CVE-2019-1338...\nhttps://github.com/preempt/ntlm-scanner", "creation_timestamp": "2024-10-10T02:52:34.000000Z"}, {"uuid": "c28420a6-bc59-43ca-be5b-3090219cfe3b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "https://t.me/canyoupwnme/5627", "content": "Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin\nhttps://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/", "creation_timestamp": "2019-06-14T09:16:51.000000Z"}, {"uuid": "0f61b486-9ed8-4b99-9164-245dea0af5bb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "seen", "source": "https://t.me/CyberSecurityTechnologies/283", "content": "#Research\n\"RAMBleed attack (CVE-2019-1040)\", 2019.\nhttps://www.documentcloud.org/documents/6150180-RamBleed-attack-CVE-2019-0174.html", "creation_timestamp": "2020-12-20T13:44:57.000000Z"}, {"uuid": "12094871-72d6-4b98-8244-bfddd372978b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/301", "content": "#Offensive_security\n1. Magento 2.3.1: \nUnauthenticated Stored XSS to RCE\nhttps://blog.ripstech.com/2019/magento-rce-via-xss\n2. Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin\nhttps://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin", "creation_timestamp": "2022-02-17T07:26:31.000000Z"}, {"uuid": "654967e3-b3f1-44dc-84b4-5ef2aee1f4ba", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/284", "content": "#Red_Team_Tactics\n1. Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin\nhttps://blog.preempt.com/drop-the-mic\n2. Coding a reliable CVE-2019-084 bypass\nhttps://0x00-0x00.github.io/research/2019/05/30/Coding-a-reliable-CVE-2019-0841-Bypass.html", "creation_timestamp": "2023-10-26T20:37:33.000000Z"}, {"uuid": "08b6ffef-18e6-4c7d-b947-3d6e50456f09", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/256", "content": "#tools\n#Blue_Team_Techniques\nCVE-2019-1040 Scanner\nhttps://github.com/fox-it/cve-2019-1040-scanner\n// Checks for CVE-2019-1040 vulnerability over SMB", "creation_timestamp": "2023-09-08T08:46:43.000000Z"}, {"uuid": "0397a52b-1a52-42cd-a991-455073480e1d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2019-1040", "type": "exploited", "source": "https://t.me/suboxone_chatroom/132", "content": "Both Falcon identity protection modules provide Active Directory attack detections:\n\u2022 Account enumeration reconnaissance (BloodHound, Kerberoasting)\n\u2022 Bronze Bit (CVE-2020-17049)\n\u2022 Brute force attacks (LDAP simple bind, NTLM, Kerberos)\n\u2022 Credential scanning (on-premises)\n\u2022 Cloud-based (Azure AD) brute-force/credentials scanning\n\u2022 DCSync \u2014 Active Directory replication\n\u2022 DCShadow\n\u2022 Forged PAC for privilege escalation (Bulletin MS-14-068)\n\u2022 Golden Ticket\n\u2022 Hidden object detected\n\u2022 NTLM Relay Attack (including MS Exchange)\n\u2022 Overpass-the-Hash (Multiple methods - Mimikatz, CrackMapExec)\n\u2022 Pass-the-Hash (Impacket, CrackMapExec, Metasploit)\n\u2022 Pass-the-Ticket\n\u2022 Possible exploitation attempt (CredSSP) CVE-2018-0886\n\u2022 Remote execution attempts\n\u2022 Skeleton Key and Mimikatz Skeleton Key\n\u2022 Suspected NTLM authentication tampering (CVE-2019-1040)\n\u2022 ZeroLogin (CVE-2020-1472)", "creation_timestamp": "2024-12-27T11:55:02.000000Z"}]}