Net Crawler

Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler. [1]

ID: S0056
Associated Software: NetC
Platforms: Windows
Version: 1.0
Created: 31 May 2017
Last Modified: 17 October 2018

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1110 | Brute Force | Net Crawler uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network.[1] |
| Enterprise | T1003 | Credential Dumping | Net Crawler uses credential dumpers such as Mimikatz and Windows Credential Editor to extract cached credentials from Windows systems.[1] |
| Enterprise | T1035 | Service Execution | Net Crawler uses PsExec to perform remote service manipulation to execute a copy of itself as part of lateral movement.[1] |
| Enterprise | T1077 | Windows Admin Shares | Net Crawler uses Windows admin shares to establish authenticated sessions to remote systems over SMB as part of lateral movement.[1] |

Groups That Use This Software

ID Name References
G0003 Cleaver [1]