CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.[1]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1087 | .002 | Account Discovery: Domain Account |
CrackMapExec can enumerate the domain user accounts on a targeted system.[1] |
Enterprise | T1110 | Brute Force |
CrackMapExec can brute force supplied user credentials across a network range.[1] |
|
.001 | Password Guessing |
CrackMapExec can brute force passwords for a specified user on a single target system or across an entire network.[1] |
||
.003 | Password Spraying |
CrackMapExec can brute force credential authentication by using a supplied list of usernames and a single password.[1] |
||
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
CrackMapExec can execute PowerShell commands via WMI.[1] |
Enterprise | T1083 | File and Directory Discovery |
CrackMapExec can discover specified filetypes and log files on a targeted system.[1] |
|
Enterprise | T1112 | Modify Registry |
CrackMapExec can create a registry key using wdigest.[1] |
|
Enterprise | T1135 | Network Share Discovery |
CrackMapExec can enumerate the shared folders and associated permissions for a targeted network.[1] |
|
Enterprise | T1003 | .002 | OS Credential Dumping: Security Account Manager |
CrackMapExec can dump usernames and hashed passwords from the SAM.[1] |
.003 | OS Credential Dumping: NTDS |
CrackMapExec can dump hashed passwords associated with Active Directory using Windows' Directory Replication Services API (DRSUAPI), or Volume Shadow Copy.[1] |
||
.004 | OS Credential Dumping: LSA Secrets |
CrackMapExec can dump hashed passwords from LSA secrets for the targeted system.[1] |
||
Enterprise | T1201 | Password Policy Discovery |
CrackMapExec can discover the password policies applied to the target system.[1] |
|
Enterprise | T1069 | .002 | Permission Groups Discovery: Domain Groups |
CrackMapExec can gather the user accounts within domain groups.[1] |
Enterprise | T1018 | Remote System Discovery |
CrackMapExec can discover active IP addresses, along with the machine name, within a targeted network.[1] |
|
Enterprise | T1053 | .002 | Scheduled Task/Job: At |
CrackMapExec can set a scheduled task on the target system to execute commands remotely using at.[1] |
Enterprise | T1082 | System Information Discovery |
CrackMapExec can enumerate the system drives and associated system name.[1] |
|
Enterprise | T1016 | System Network Configuration Discovery |
CrackMapExec can collect DNS information from the targeted system.[1] |
|
Enterprise | T1049 | System Network Connections Discovery |
CrackMapExec can discover active sessions for a targeted system.[1] |
|
Enterprise | T1550 | .002 | Use Alternate Authentication Material: Pass the Hash |
CrackMapExec can pass the hash to authenticate via SMB.[1] |
Enterprise | T1047 | Windows Management Instrumentation |
CrackMapExec can execute remote commands using Windows Management Instrumentation.[1] |
ID | Name | Description |
---|---|---|
C0029 | Cutting Edge |