Net Crawler
Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler. [1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1110 | .002 | Brute Force: Password Cracking |
Net Crawler uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network.[1] |
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
Net Crawler uses credential dumpers such as Mimikatz and Windows Credential Editor to extract cached credentials from Windows systems.[1] |
| Enterprise | T1021 | .002 | Remote Services: SMB/Windows Admin Shares |
Net Crawler uses Windows admin shares to establish authenticated sessions to remote systems over SMB as part of lateral movement.[1] |
| Enterprise | T1569 | .002 | System Services: Service Execution |
Net Crawler uses PsExec to perform remote service manipulation to execute a copy of itself as part of lateral movement.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0003 | Cleaver |