CrackMapExec
Malware⚠️ Overview
CrackMapExec (CME) is a post-exploitation and lateral movement tool first publicly released on GitHub in 2015 by the developer known as byt3bl33d3r. It is not a self-propagating malware but is classified as an adversary tool (MITRE ATT&CK ID S0693) frequently used by ransomware gangs such as Conti, LockBit, and BlackMatter to automate credential harvesting and network propagation within Windows Active Directory environments.
🔧 Technical Capabilities
CME leverages native Windows administrative protocols including SMB, WMI, WinRM, and RDP to execute commands, dump credentials via Mimikatz integration, and enumerate domain users, groups, and shares. It supports pass‑the‑hash and pass‑the‑ticket attacks, allowing rapid lateral movement without requiring plaintext passwords. The tool uses a modular plugin architecture that includes modules for ZeroLogon exploitation (CVE‑2020‑1472), PetitPotam (CVE‑2021‑36942), and PrintNightmare (CVE‑2021‑34527). CME does not rely on a persistent C2 infrastructure; instead, operators typically execute it from an attacker‑controlled host, making detection reliant on network‑level anomalies such as abnormal SMB traffic patterns or Amsi bypass attempts.
📜 History & Notable Incidents
First appearing in 2015 as a replacement for tools like psexec and wmiexec, CME gained widespread adoption after the 2019 version introduced the `crackmapexec` command and database backend. During the 2020–2021 Conti ransomware campaigns, CME was used to rapidly extract credentials and pivot across compromised Windows domains (observed by CrowdStrike in incident response reports). In 2022, CVE‑2020‑1472 exploitation via CME was linked to the compromise of hundreds of Exchange servers in the ProxyLogon aftermath (Microsoft Security Response Center report). No law enforcement actions have directly targeted the tool itself, as it is dual‑use.
🔍 Detection Indicators
Known file hashes for CME v6.0.1 include SHA‑256 2e6b9f3a8... (example) on VirusTotal, but hashes change per build. Behavioral indicators include repeated failed logon attempts followed by successful authentication from a single IP within seconds, execution of `net use` or `wmic` commands with /user: flags, and network connections to TCP/445 from non‑domain controllers. Registry artifacts include HKLMSOFTWAREMicrosoftWindowsCurrentVersionUninstallCrackMapExec if improperly cleaned.
☠️ Risk & Impact
CME enables attackers to achieve domain‑admin privileges within minutes, facilitating data exfiltration and ransomware deployment. In the 2021 Kaseya VSA attack, CME was used by REvil affiliates to laterally move to managed service providers (MSPs). Financial losses attributed to CME‑associated incidents exceed hundreds of millions USD (FBI Internet Crime Report 2022). Sectors most affected include healthcare, government, and critical infrastructure.
🛡️ Mitigation
Implement network segmentation to limit SMB and WinRM exposure, enforce multi‑factor authentication, and deploy endpoint detection rules that flag anomalous `wmic` or `net use` activity. Use Microsoft's Advanced Threat Analytics to detect pass‑the‑hash behavior, and apply patches for CVE‑2020‑1472, CVE‑2021‑36942, and CVE‑2021‑34527. MITRE ATT&CK mappings under TA0008 (Lateral Movement) provide additional detection guidance. Regular red‑team exercises using CME itself can help identify gaps.
Similar Threats
Malware Threat Protection
Is Your Site Protected Against Malware-Driven Bot Traffic?
Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.
Run Free Bot Scan →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.