Crackmapexec is available for download at Crackmapexec.
Is my host protected against Crackmapexec? in Operator on each host in your environment to test if you are vulnerable.
This chain is meant to be deployed from a jump box and attack another machine on the network using Crackmapexec to dump SAM and LSA and execute
Microsoft has released Attack Surface Reduction (ASR) rules to Block process creations originating from PSExec and WMI commands and Block credential stealing from the Windows local security authority subsystem. These rules currently apply to WMI and PsExec processes, but will not prevent the use of Crackmapexec or other tools that implement WMI functionality. Further remediation can be done by using a tiering model to restrict the use of privileged accounts and restricting inbound traffic at the host level to prevent lateral movement techniques.
Crackmapexec may also be detected by monitoring network traffic for WMI connections.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg