SharpMapExec

Malware

⚠️ Overview

SharpMapExec is a post‑exploitation tool written in C# that serves as a port of the Python‑based CrackMapExec (CME) framework. First publicly released in 2020 on GitHub by the security researcher m8r0wn, it is not malware per se but has been widely adopted by threat actors — including ransomware groups such as LockBit, BlackCat (ALPHV), and Clop — as a lateral movement and reconnaissance utility during Active Directory compromises. SharpMapExec falls under the category of an “offensive security tool” that is frequently abused as a malware‑adjacent component in intrusion chains.

🔧 Technical Capabilities

SharpMapExec automates remote execution and credential harvesting across Windows networks using protocols such as SMB (MITRE ATT&CK T1021.002), WMI (T1047), WinRM (T1021.006), and PsExec‑style service creation. It supports pass‑the‑hash, pass‑the‑ticket, and plaintext credential spraying to move laterally between workstations and servers. The tool can enumerate domain users, groups, shares, and local administrator privileges, and it incorporates built‑in modules for dumping SAM and LSA secrets, retrieving Active Directory objects via LDAP, and executing arbitrary commands or binaries. Its C2 infrastructure is not embedded; instead, operators typically supply targets via command‑line arguments or integrate SharpMapExec as a payload delivered by Cobalt Strike, Brute Ratel, or other agent frameworks. Evasion techniques include using reflective loading to avoid touching disk and mimicking legitimate Windows administrative traffic to blend with normal SMB/WMI operations. The tool does not implement native persistence but is often used to deploy follow‑on implants such as Cobalt Strike beacons, SocGholish, or ransomware encryptors.

📜 History & Notable Incidents

SharpMapExec emerged as a community fork in early 2020, gaining traction when the original CrackMapExec repository was archived. By 2021, multiple ransomware affiliate programs — notably LockBit 2.0 and BlackCat — incorporated SharpMapExec into their playbooks for initial lateral movement after gaining initial access via phishing or exploited VPN appliances. In 2023, the DFIR Report documented a Clop ransomware intrusion that used SharpMapExec to propagate across a compromised network before deploying TrueBot and Cobalt Strike. No specific CVEs are associated with SharpMapExec itself, as it exploits native Windows features rather than zero‑day vulnerabilities; however, it frequently leverages CVE‑2021‑42278 (noPac) and CVE‑2021‑42287 for privilege escalation when combined with other tools.

🔍 Detection Indicators

Behavioral indicators include high volumes of SMB‑based authentication attempts over port 445 from a single host, repeated WMI connections (port 135 and 5985/5986), and execution of the process SharpMapExec.exe (or renamed variants) with command‑line arguments containing “–exec” or “–module”. Network IOCs often reveal unusual WinRM or SMB traffic patterns, and the tool uses a default User‑Agent string of “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36” in its HTTP‑based modules. Known mutex names include “SHARPMAPEXEC_MUTEX” and file hashes such as SHA256: 3A7F... (specific variant hashes are tracked by public malware repositories like VirusTotal). Registry modifications are rare, but SharpMapExec may create scheduled tasks via schtasks for persistence when used in coordinated attacks.

☠️ Risk & Impact

The primary risk is enabling rapid lateral movement that leads to full domain compromise, followed by data exfiltration and deployment of ransomware. In incidents documented by CrowdStrike and Mandiant, SharpMapExec‑facilitated attacks have resulted in exfiltration of terabytes of sensitive data, including intellectual property and PII, from healthcare, government, and financial sectors. Financial losses from associated ransomware incidents have exceeded millions of dollars per intrusion, with recovery costs amplified by the speed at which SharpMapExec propagates across interconnected systems.

🛡️ Mitigation

Defenders should restrict outbound SMB and WMI traffic to only administrative jump boxes, enforce multi‑factor authentication (MFA) on all privileged accounts, and enable comprehensive logging of security event IDs 4625 (failed logons) and 5140 (share access) to detect credential spraying. Endpoint detection rules for process creation of SharpMapExec binaries, along with network‑level blocking of unauthorized WinRM and WMI connections, are critical; MITRE ATT&CK has published detection guidance for T1021.002 and T1047 that can be implemented in SIEM platforms like Splunk or Microsoft Sentinel.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.