S0056: Net Crawler
Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler. [1]
Analyst context for executives and security teams
Net Crawler matters because it combines credential theft with Windows lateral movement: it can extract credentials, brute force accounts with recovered passwords, move over SMB, and execute through PsExec. For leaders, the key risk is not the malware name itself but whether a compromised Windows host could become a launch point for rapid intranet spread using weak, reused, or exposed credentials.
Executive priority
Prioritize this as a resilience and identity-control validation issue for Windows environments. Executives should ask whether privileged credential exposure, SMB/admin-share access, and remote service execution are being monitored and controlled well enough to prevent one compromised endpoint from turning into broad internal movement. It is also relevant to audit evidence for credential protection, lateral movement monitoring, incident response readiness, and segmentation decisions.
Technical view
ATT&CK provides no official detection text for Net Crawler, so coverage should be validated through the related behaviors: LSASS memory access, SMB/Windows Admin Shares, password cracking or recovered-password use, and service execution via tools such as PsExec. SOC and IR teams should confirm that Windows endpoint, authentication, SMB, service-control, and process telemetry can reconstruct the chain from credential extraction to remote copy/execution. Because the malware object has Windows as its supported platform and no tactics specified directly, use the linked techniques to drive detection engineering rather than relying on the software entry alone.
Likely telemetry
- Windows process creation and command-line telemetry for credential dumping utilities, PsExec-like execution, and service-control activity
- Endpoint security events involving LSASS access or credential material access attempts
- Windows service creation, modification, and remote service execution events
- SMB session, admin share, and file-copy activity between Windows hosts
- Authentication logs showing repeated failures, successful logons after failures, or unusual account use across multiple systems
Detection direction
- Validate detections for LSASS memory access mapped to T1003.001, with tuning for legitimate administrative, security, and troubleshooting tools.
- Monitor SMB/admin-share access patterns mapped to T1021.002, especially lateral connections between peer workstations or unexpected administrative shares.
- Correlate authentication failures and subsequent successes to identify brute force or recovered-password use associated with T1110.002, while accounting for noisy service accounts and scheduled tasks.
- Detect remote service creation and PsExec-like execution behavior mapped to T1569.002, including short-lived services and remote payload execution.
- Build correlation across credential access, SMB movement, and service execution; any one event may be benign, but the sequence is the higher-value signal.
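To make the last bullet concrete, the following is an added example (not part of the ATT&CK entry or this page's analysis) that runs the sequence logic over constructed Windows-style events: LSASS access on a source host, then repeated logon failures followed by success, admin-share access and a service install on a target from that same source. The record fields and `kind` labels are assumptions standing in for real EDR/SIEM schemas.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). "kind" is a simplified label for
# the event classes listed under "Likely telemetry"; a real SIEM schema differs.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:05", "host": "WS01", "src": "WS01", "kind": "lsass_access", "user": "jdoe"},
    {"ts": "2024-01-10T09:02:10", "host": "WS02", "src": "WS01", "kind": "logon_fail", "user": "admin"},
    {"ts": "2024-01-10T09:02:11", "host": "WS02", "src": "WS01", "kind": "logon_fail", "user": "admin"},
    {"ts": "2024-01-10T09:02:12", "host": "WS02", "src": "WS01", "kind": "logon_ok", "user": "admin"},
    {"ts": "2024-01-10T09:02:20", "host": "WS02", "src": "WS01", "kind": "admin_share", "user": "admin"},
    {"ts": "2024-01-10T09:02:25", "host": "WS02", "src": "WS01", "kind": "service_install", "user": "admin"},
    # Benign admin-share use from a host with no preceding LSASS access: stays silent.
    {"ts": "2024-01-10T10:00:00", "host": "FS01", "src": "ADM01", "kind": "admin_share", "user": "ops"},
]


def correlate(events, window=timedelta(minutes=30), min_failures=2):
    """Return one alert per (source, target) pair that shows LSASS access on the
    source followed, within `window`, by at least two lateral-movement stages."""
    dumps = {}  # source host -> time of first LSASS access (T1003.001)
    pairs = defaultdict(lambda: {"fails": 0, "stages": set(), "users": set()})
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        t = datetime.fromisoformat(e["ts"])
        if e["kind"] == "lsass_access":
            dumps.setdefault(e["host"], t)
            continue
        start = dumps.get(e["src"])
        if start is None or not start <= t <= start + window:
            continue  # no in-window credential access on the source: not the chain
        p = pairs[(e["src"], e["host"])]
        p["users"].add(e["user"])
        if e["kind"] == "logon_fail":
            p["fails"] += 1
        elif e["kind"] == "logon_ok" and p["fails"] >= min_failures:
            p["stages"].add("guess_then_success")  # T1110.002 recovered-password use
        elif e["kind"] == "admin_share":
            p["stages"].add("admin_share")  # T1021.002
        elif e["kind"] == "service_install":
            p["stages"].add("service_install")  # T1569.002 (PsExec-like)
    return [
        {"src": src, "dst": dst, "users": sorted(p["users"]), "stages": sorted(p["stages"])}
        for (src, dst), p in pairs.items()
        if len(p["stages"]) >= 2  # any single stage may be benign; the sequence is the signal
    ]
```

Tune `window` and `min_failures` to the environment; the threshold of two movement stages after a dump is what keeps isolated admin-share or service activity from alerting on its own.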
Mitigation priorities
- Reduce credential exposure on Windows hosts by hardening privileged access and limiting where administrative credentials are used.
- Restrict and monitor SMB/admin-share access, especially between workstations and across network segments where it is not operationally required.
- Enforce strong password practices and reduce password reuse to limit the value of recovered credentials.
- Limit remote service execution to authorized administrative workflows and accounts, and monitor exceptions.
- Segment Windows environments so a single compromised host cannot freely reach broad internal systems over SMB.
Analyst notes and limits
The relationship context links Net Crawler to Cleaver and to techniques for LSASS Memory, SMB/Windows Admin Shares, Password Cracking, and Service Execution. The supplied description says Net Crawler spreads over SMB by brute forcing accounts with recovered passwords and uses PsExec to execute a copy of itself. These relationships make identity hygiene, SMB control, and service-execution monitoring the practical defensive focus.
ATT&CK does not provide official detection guidance for this malware object, and the object’s tactics are not specified. The assessment is therefore based on the official description, external reference metadata, and supplied relationships. Local telemetry, architecture, administrative practices, and control configuration are required to determine actual exposure or detection coverage.
Net Crawler
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1110.002 | Password Cracking (sub-technique) | Net Crawler uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network. [1] |
| Enterprise | T1569.002 | Service Execution (sub-technique) | Net Crawler uses PsExec to perform remote service manipulation to execute a copy of itself as part of lateral movement. [1] |
| Enterprise | T1003.001 | LSASS Memory (sub-technique) | Net Crawler uses credential dumpers such as Mimikatz and Windows Credential Editor to extract cached credentials from Windows systems. [1] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares (sub-technique) | Net Crawler uses Windows admin shares to establish authenticated sessions to remote systems over SMB as part of lateral movement. [1] |
Groups, software, and campaigns
G0003: Cleaver
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 4a3ad8c1dc01… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cylance Cleaver: Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
[2] mitre-attack: S0056.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.