Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler. [1]

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Net Crawler uses credential dumpers such as Mimikatz and Windows Credential Editor to extract cached credentials from Windows systems.[1] |
| Enterprise | T1110.002 | Brute Force: Password Cracking | Net Crawler uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network.[1] |
| Enterprise | T1569.002 | System Services: Service Execution | Net Crawler uses PsExec to perform remote service manipulation to execute a copy of itself as part of lateral movement.[1] |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Net Crawler uses Windows admin shares to establish authenticated sessions to remote systems over SMB as part of lateral movement.[1] |