Net Crawler
Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler. [1]
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1110 | Brute Force |
Net Crawler uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network.[1] |
| Enterprise | T1003 | Credential Dumping |
Net Crawler uses credential dumpers such as Mimikatz and Windows Credential Editor to extract cached credentials from Windows systems.[1] |
| Enterprise | T1035 | Service Execution |
Net Crawler uses PsExec to perform remote service manipulation to execute a copy of itself as part of lateral movement.[1] |
| Enterprise | T1077 | Windows Admin Shares |
Net Crawler uses Windows admin shares to establish authenticated sessions to remote systems over SMB as part of lateral movement.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0003 | Cleaver | [1] |