Skip to content

S0488 CrackMapExec

CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.1

Item Value
ID S0488
Associated Names
Version 1.0
Created 17 July 2020
Last Modified 29 July 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account CrackMapExec can enumerate the domain user accounts on a targeted system.1
enterprise T1110 Brute Force CrackMapExec can brute force supplied user credentials across a network range.1
enterprise T1110.001 Password Guessing CrackMapExec can brute force passwords for a specified user on a single target system or across an entire network.1
enterprise T1110.003 Password Spraying CrackMapExec can brute force credential authentication by using a supplied list of usernames and a single password.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell CrackMapExec can execute PowerShell commands via WMI.1
enterprise T1083 File and Directory Discovery CrackMapExec can discover specified filetypes and log files on a targeted system.1
enterprise T1112 Modify Registry CrackMapExec can create a registry key using wdigest.1
enterprise T1135 Network Share Discovery CrackMapExec can enumerate the shared folders and associated permissions for a targeted network.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.002 Security Account Manager CrackMapExec can dump usernames and hashed passwords from the SAM.1
enterprise T1003.003 NTDS CrackMapExec can dump hashed passwords associated with Active Directory using Windows’ Directory Replication Services API (DRSUAPI), or Volume Shadow Copy.1
enterprise T1003.004 LSA Secrets CrackMapExec can dump hashed passwords from LSA secrets for the targeted system.1
enterprise T1201 Password Policy Discovery CrackMapExec can discover the password policies applied to the target system.1
enterprise T1069 Permission Groups Discovery -
enterprise T1069.002 Domain Groups CrackMapExec can gather the user accounts within domain groups.1
enterprise T1018 Remote System Discovery CrackMapExec can discover active IP addresses, along with the machine name, within a targeted network.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.002 At CrackMapExec can set a scheduled task on the target system to execute commands remotely using at.1
enterprise T1082 System Information Discovery CrackMapExec can enumerate the system drives and associated system name.1
enterprise T1016 System Network Configuration Discovery CrackMapExec can collect DNS information from the targeted system.1
enterprise T1049 System Network Connections Discovery CrackMapExec can discover active sessions for a targeted system.1
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.002 Pass the Hash CrackMapExec can pass the hash to authenticate via SMB.1
enterprise T1047 Windows Management Instrumentation CrackMapExec can execute remote commands using Windows Management Instrumentation.1

Groups That Use This Software

ID Name References
G0069 MuddyWater 23
G0046 FIN7
G0035 Dragonfly 56
G0087 APT39 78