Is my host protected against Crackmapexec?

This chain is meant to be deployed from a jump box and attack another machine on the network using Crackmapexec to dump SAM and LSA and execute system.


CrackMapExec is an open-source tool that leverages Mimikatz to enable adversaries to harvest credentials and move laterally through an Active Directory environment. It abuses several Active Directory components, such as WMI, SAM, and LSA.
CrackMapExec is a Python-based application for detecting and exploiting weaknesses in Active Directory. It specifically allows adversaries to collect NTDS credentials and authenticate with them, enabling lateral movement and privilege escalation. An adversary who gains access to an administrator account can use the SMB protocol to execute commands and dump data on a remote host.

Crackmapexec is available for download at Crackmapexec.

Testing

Execute "Is my host protected against Crackmapexec?" in Operator on each host in your environment to test if you are vulnerable.


Remediation

Microsoft has released the Attack Surface Reduction (ASR) rules "Block process creations originating from PSExec and WMI commands" and "Block credential stealing from the Windows local security authority subsystem". These rules currently apply to WMI and PsExec processes, but will not prevent the use of CrackMapExec or other tools that implement WMI functionality themselves. Further remediation can be done by using a tiering model to restrict the use of privileged accounts and by restricting inbound traffic at the host level to prevent lateral movement techniques.

Crackmapexec may also be detected by monitoring network traffic for WMI connections.
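The two ASR rules and the host-level inbound restriction described above, as an added PowerShell hardening example that is not Prelude's or the CrackMapExec project's code. It assumes Microsoft Defender Antivirus with ASR support and Windows Defender Firewall on the host; the rule GUIDs are the Microsoft-published IDs for the two rules named above (confirm against current Defender documentation), and `$ManagementHosts` is a placeholder for your jump-box or admin subnet.

```powershell
# Added example (not from the original page). Assumes Defender AV + Windows Firewall.
$ManagementHosts = '10.0.100.0/24'   # placeholder: replace with the jump-box/admin subnet

# Microsoft-published ASR rule IDs for the two rules discussed above.
$AsrRules = @{
    'Block process creations originating from PSExec and WMI commands'               = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Block credential stealing from the Windows local security authority subsystem'   = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
}
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Report the current action for each rule so the change can be reviewed before enforcing it.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    foreach ($name in $AsrRules.Keys) {
        $idx = -1
        for ($i = 0; $i -lt $ids.Count; $i++) { if ($ids[$i] -eq $AsrRules[$name]) { $idx = $i } }
        $state = if ($idx -ge 0) { $ActionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$idx]] } else { 'NotConfigured' }
        [pscustomobject]@{ Rule = $name; Id = $AsrRules[$name]; State = $state }
    }
}

function Enable-AsrRules {
    param([ValidateSet('AuditMode', 'Enabled')][string]$Mode = 'AuditMode')
    # Roll out in AuditMode first, review the Defender operational log for hits, then switch to Enabled.
    foreach ($id in $AsrRules.Values) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Set-LateralMovementPortRules {
    # Host firewall: block inbound by default, then scope the built-in SMB (445) and WMI/DCOM (135 +
    # dynamic RPC) rule groups to the management subnet only. Windows Firewall gives Block rules
    # precedence over Allow rules, so narrowing the Allow rules is safer than adding extra Block rules.
    Set-NetFirewallProfile -All -DefaultInboundAction Block
    foreach ($group in 'File and Printer Sharing', 'Windows Management Instrumentation (WMI)') {
        Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
            Set-NetFirewallRule -RemoteAddress $ManagementHosts
    }
}

Get-AsrRuleState | Format-Table -AutoSize
Enable-AsrRules -Mode AuditMode
Set-LateralMovementPortRules
Get-AsrRuleState | Format-Table -AutoSize
```

Scoping the firewall rules limits which hosts can reach SMB and WMI at all, which also covers tools the ASR rules do not block; re-run `Enable-AsrRules -Mode Enabled` once the audit period shows no legitimate hits.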

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Waseem: https://twitter.com/gerbsec
Robin: https://twitter.com/bfuzzy1

Source: https://feed.prelude.org


TTPs

Dump usernames and hashed passwords from the SAM using Crackmapexec
Dump hashed passwords from LSA secrets for a targeted system using Crackmapexec
Execute PowerShell commands via WMI using Crackmapexec