Skip to content

S0056 Net Crawler

Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler. 1

Item Value
ID S0056
Associated Names
Version 1.1
Created 31 May 2017
Last Modified 21 April 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1110 Brute Force -
enterprise T1110.002 Password Cracking Net Crawler uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Net Crawler uses credential dumpers such as Mimikatz and Windows Credential Editor to extract cached credentials from Windows systems.1
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares Net Crawler uses Windows admin shares to establish authenticated sessions to remote systems over SMB as part of lateral movement.1
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Net Crawler uses PsExec to perform remote service manipulation to execute a copy of itself as part of lateral movement.1

Groups That Use This Software

ID Name References
G0003 Cleaver 1


Back to top