S0056 Net Crawler
Net Crawler is an intranet worm capable of extracting credentials with credential dumpers and of spreading to systems on a network over SMB, brute-forcing accounts with the recovered passwords and using PsExec to execute a copy of itself.[1]
Item | Value |
---|---|
ID | S0056 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 31 May 2017 |
Last Modified | 22 July 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1110 | Brute Force | - |
enterprise | T1110.002 | Password Cracking | Net Crawler uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network.[1] |
enterprise | T1003 | OS Credential Dumping | - |
enterprise | T1003.001 | LSASS Memory | Net Crawler uses credential dumpers such as Mimikatz and Windows Credential Editor to extract cached credentials from Windows systems.[1] |
enterprise | T1021 | Remote Services | - |
enterprise | T1021.002 | SMB/Windows Admin Shares | Net Crawler uses Windows admin shares to establish authenticated sessions to remote systems over SMB as part of lateral movement.[1] |
enterprise | T1569 | System Services | - |
enterprise | T1569.002 | Service Execution | Net Crawler uses PsExec to perform remote service manipulation to execute a copy of itself as part of lateral movement.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0003 | Cleaver | [1] |