CrackMapExec
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.002 | Account Discovery: Domain Account | CrackMapExec can enumerate the domain user accounts on a targeted system.(Citation: CME Github September 2018) |
| Enterprise | T1110.001 | Brute Force: Password Guessing | CrackMapExec can brute force passwords for a specified user on a single target system or across an entire network.(Citation: CME Github September 2018) |
| Enterprise | T1110.003 | Brute Force: Password Spraying | CrackMapExec can brute force credential authentication by using a supplied list of usernames and a single password.(Citation: CME Github September 2018) |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | CrackMapExec can execute PowerShell commands via WMI.(Citation: CME Github September 2018) |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | CrackMapExec can dump usernames and hashed passwords from the SAM.(Citation: CME Github September 2018) |
| Enterprise | T1003.003 | OS Credential Dumping: NTDS | CrackMapExec can dump hashed passwords associated with Active Directory using Windows' Directory Replication Services API (DRSUAPI), or Volume Shadow Copy.(Citation: CME Github September 2018) |
| Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | CrackMapExec can dump hashed passwords from LSA secrets for the targeted system.(Citation: CME Github September 2018) |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | CrackMapExec can gather the user accounts within domain groups.(Citation: CME Github September 2018) |
| Enterprise | T1053.002 | Scheduled Task/Job: At | CrackMapExec can set a scheduled task on the target system to execute commands remotely using at.(Citation: CME Github September 2018) |
| Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | CrackMapExec can pass the hash to authenticate via SMB.(Citation: CME Github September 2018) |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0087 | APT39 | (Citation: FireEye APT39 Jan 2019) (Citation: BitDefender Chafer May 2020) |
| G0046 | FIN7 | (Citation: CrowdStrike Carbon Spider August 2021) |
| G0074 | Dragonfly 2.0 | (Citation: US-CERT TA18-074A) |
| G0035 | Dragonfly | (Citation: Secureworks IRON LIBERTY July 2019) (Citation: US-CERT TA18-074A) |
| G0069 | MuddyWater | (Citation: TrendMicro POWERSTATS V3 June 2019) (Citation: Symantec MuddyWater Dec 2018) |
References
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
- Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
- Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
- Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.
- Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
- Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
- Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.