CrackMapExec
CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1047 | Windows管理规范 |
CrackMapExec can execute remote commands using Windows Management Instrumentation.[1] |
|
| Enterprise | T1550 | .002 | 使用备用认证材料: Pass the Hash |
CrackMapExec can pass the hash to authenticate via SMB.[1] |
| Enterprise | T1112 | 修改注册表 |
CrackMapExec can create a registry key using wdigest.[1] |
|
| Enterprise | T1059 | .001 | 命令与脚本解释器: PowerShell |
CrackMapExec can execute PowerShell commands via WMI.[1] |
| Enterprise | T1201 | 密码策略发现 |
CrackMapExec can discover the password policies applied to the target system.[1] |
|
| Enterprise | T1003 | .002 | 操作系统凭证转储: Security Account Manager |
CrackMapExec can dump usernames and hashed passwords from the SAM.[1] |
| .003 | 操作系统凭证转储: NTDS |
CrackMapExec can dump hashed passwords associated with Active Directory using Windows' Directory Replication Services API (DRSUAPI), or Volume Shadow Copy.[1] |
||
| .004 | 操作系统凭证转储: LSA Secrets |
CrackMapExec can dump hashed passwords from LSA secrets for the targeted system.[1] |
||
| Enterprise | T1083 | 文件和目录发现 |
CrackMapExec can discover specified filetypes and log files on a targeted system.[1] |
|
| Enterprise | T1110 | 暴力破解 |
CrackMapExec can brute force supplied user credentials across a network range.[1] |
|
| .001 | Password Guessing |
CrackMapExec can brute force passwords for a specified user on a single target system or across an entire network.[1] |
||
| .003 | Password Spraying |
CrackMapExec can brute force credential authentication by using a supplied list of usernames and a single password.[1] |
||
| Enterprise | T1069 | .002 | 权限组发现: Domain Groups |
CrackMapExec can gather the user accounts within domain groups.[1] |
| Enterprise | T1082 | 系统信息发现 |
CrackMapExec can enumerate the system drives and associated system name.[1] |
|
| Enterprise | T1049 | 系统网络连接发现 |
CrackMapExec can discover active sessions for a targeted system.[1] |
|
| Enterprise | T1016 | 系统网络配置发现 |
CrackMapExec can collect DNS information from the targeted system.[1] |
|
| Enterprise | T1135 | 网络共享发现 |
CrackMapExec can enumerate the shared folders and associated permissions for a targeted network.[1] |
|
| Enterprise | T1087 | .002 | 账号发现: Domain Account |
CrackMapExec can enumerate the domain user accounts on a targeted system.[1] |
| Enterprise | T1018 | 远程系统发现 |
CrackMapExec can discover active IP addresses, along with the machine name, within a targeted network.[1] |
|
| Enterprise | T1053 | .002 | 预定任务/作业: At |
CrackMapExec can set a scheduled task on the target system to execute commands remotely using at.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0087 | APT39 | |
| G0046 | FIN7 | |
| G1003 | Ember Bear |
Ember Bear used CrackMapExec during intrusions.[5] |
| G0035 | Dragonfly | |
| G0069 | MuddyWater |
Campaigns
| ID | Name | Description |
|---|---|---|
| C0029 | Cutting Edge |
References
- byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
- Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
- Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
- Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
- US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
- Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
- Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
- Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.