S0488 CrackMapExec
CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.1
| Item | Value |
|---|---|
| ID | S0488 |
| Associated Names | |
| Type | TOOL |
| Version | 1.1 |
| Created | 17 July 2020 |
| Last Modified | 14 March 2024 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.002 | Domain Account | CrackMapExec can enumerate the domain user accounts on a targeted system.1 |
| enterprise | T1110 | Brute Force | CrackMapExec can brute force supplied user credentials across a network range.1 |
| enterprise | T1110.001 | Password Guessing | CrackMapExec can brute force passwords for a specified user on a single target system or across an entire network.1 |
| enterprise | T1110.003 | Password Spraying | CrackMapExec can brute force credential authentication by using a supplied list of usernames and a single password.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | CrackMapExec can execute PowerShell commands via WMI.1 |
| enterprise | T1083 | File and Directory Discovery | CrackMapExec can discover specified filetypes and log files on a targeted system.1 |
| enterprise | T1680 | Local Storage Discovery | CrackMapExec can enumerate the system drives and associated system name.1 |
| enterprise | T1112 | Modify Registry | CrackMapExec can create a registry key using wdigest.1 |
| enterprise | T1135 | Network Share Discovery | CrackMapExec can enumerate the shared folders and associated permissions for a targeted network.1 |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.002 | Security Account Manager | CrackMapExec can dump usernames and hashed passwords from the SAM.1 |
| enterprise | T1003.003 | NTDS | CrackMapExec can dump hashed passwords associated with Active Directory using Windows’ Directory Replication Services API (DRSUAPI), or Volume Shadow Copy.1 |
| enterprise | T1003.004 | LSA Secrets | CrackMapExec can dump hashed passwords from LSA secrets for the targeted system.1 |
| enterprise | T1201 | Password Policy Discovery | CrackMapExec can discover the password policies applied to the target system.1 |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.002 | Domain Groups | CrackMapExec can gather the user accounts within domain groups.1 |
| enterprise | T1018 | Remote System Discovery | CrackMapExec can discover active IP addresses, along with the machine name, within a targeted network.1 |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.002 | At | CrackMapExec can set a scheduled task on the target system to execute commands remotely using at.1 |
| enterprise | T1016 | System Network Configuration Discovery | CrackMapExec can collect DNS information from the targeted system.1 |
| enterprise | T1049 | System Network Connections Discovery | CrackMapExec can discover active sessions for a targeted system.1 |
| enterprise | T1550 | Use Alternate Authentication Material | - |
| enterprise | T1550.002 | Pass the Hash | CrackMapExec can pass the hash to authenticate via SMB.1 |
| enterprise | T1047 | Windows Management Instrumentation | CrackMapExec can execute remote commands using Windows Management Instrumentation.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0087 | APT39 | 34 |
| G0046 | FIN7 | |
| 5 | ||
| G1003 | Ember Bear | Ember Bear used CrackMapExec during intrusions.6 |
| G0035 | Dragonfly | 78 |
| G0069 | MuddyWater | 910 |
References
-
byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024. ↩
-
Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019. ↩
-
Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020. ↩
-
Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. ↩
-
US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024. ↩
-
Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020. ↩
-
US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. ↩
-
Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020. ↩
-
Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018. ↩