CrackMapExec

CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.[1]

ID: S0488
Type: TOOL
Platforms: Windows
Version: 1.0
Created: 17 July 2020
Last Modified: 29 July 2020

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

CrackMapExec can enumerate the domain user accounts on a targeted system.[1]

Enterprise T1110 Brute Force

CrackMapExec can brute force supplied user credentials across a network range.[1]

.001 Password Guessing

CrackMapExec can brute force passwords for a specified user on a single target system or across an entire network.[1]

.003 Password Spraying

CrackMapExec can brute force credential authentication by using a supplied list of usernames and a single password.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

CrackMapExec can execute PowerShell commands via WMI.[1]

Enterprise T1083 File and Directory Discovery

CrackMapExec can discover specified filetypes and log files on a targeted system.[1]

Enterprise T1112 Modify Registry

CrackMapExec can create a registry key using wdigest.[1]

Enterprise T1135 Network Share Discovery

CrackMapExec can enumerate the shared folders and associated permissions for a targeted network.[1]

Enterprise T1003 .003 OS Credential Dumping: NTDS

CrackMapExec can dump hashed passwords associated with Active Directory using Windows' Directory Replication Services API (DRSUAPI), or Volume Shadow Copy.[1]

.004 OS Credential Dumping: LSA Secrets

CrackMapExec can dump hashed passwords from LSA secrets for the targeted system.[1]

.002 OS Credential Dumping: Security Account Manager

CrackMapExec can dump usernames and hashed passwords from the SAM.[1]

Enterprise T1201 Password Policy Discovery

CrackMapExec can discover the password policies applied to the target system.[1]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

CrackMapExec can gather the user accounts within domain groups.[1]

Enterprise T1018 Remote System Discovery

CrackMapExec can discover active IP addresses, along with the machine name, within a targeted network.[1]

Enterprise T1053 .002 Scheduled Task/Job: At (Windows)

CrackMapExec can set a scheduled task on the target system to execute commands remotely using at.[1]

Enterprise T1082 System Information Discovery

CrackMapExec can enumerate the system drives and associated system name.[1]

Enterprise T1016 System Network Configuration Discovery

CrackMapExec can collect DNS information from the targeted system.[1]

Enterprise T1049 System Network Connections Discovery

CrackMapExec can discover active sessions for a targeted system.[1]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

CrackMapExec can pass the hash to authenticate via SMB.[1]

Enterprise T1047 Windows Management Instrumentation

CrackMapExec can execute remote commands using Windows Management Instrumentation.[1]

Groups That Use This Software

ID Name References
G0087 APT39

[2][3]

G0069 MuddyWater

[4][5]

G0074 Dragonfly 2.0

[6]

References