Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler. ^[1]

ID: S0056

Associated Software: NetC

Type: MALWARE

Platforms: Windows

Version: 1.0

Created: 31 May 2017

Last Modified: 17 October 2018

Techniques Used

Domain	ID	Name	Use
Enterprise	T1110	Brute Force	Net Crawler uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network.^[1]
Enterprise	T1003	Credential Dumping	Net Crawler uses credential dumpers such as Mimikatz and Windows Credential Editor to extract cached credentials from Windows systems.^[1]
Enterprise	T1035	Service Execution	Net Crawler uses PsExec to perform remote service manipulation to execute a copy of itself as part of lateral movement.^[1]
Enterprise	T1077	Windows Admin Shares	Net Crawler uses Windows admin shares to establish authenticated sessions to remote systems over SMB as part of lateral movement.^[1]

Groups That Use This Software

ID	Name	References
G0003	Cleaver	^[1]

References

Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.

Net Crawler

Enterprise Layer

Techniques Used

Groups That Use This Software

References