Skip to main content

CrackMapExec

This is a defensive tool-intelligence page. It is intended for analyst navigation, source review, and hunt planning. It is not a malware-analysis report and does not contain sample code or binaries.

Summary

  • Associated actor(s): MuddyWater; APT39
  • Tool type(s): Post-exploitation / credential validation tool
  • Confidence level(s): Medium
  • Source ID(s): SRC-MITRE-G0069, SRC-MITRE-G0087

Behavior

ActorBehavior Summary
APT39MITRE ATT&CK lists CrackMapExec as software used by this actor; track it as network credential validation and lateral movement behavior.
MuddyWaterMITRE ATT&CK lists CrackMapExec as software used by this actor; track it as network credential validation and lateral movement behavior.

Hash And IOC Status

ActorStatusReference
APT39Hash not committed; use the linked MITRE references and original source reports for current IOCs.SRC-MITRE-G0087
MuddyWaterHash not committed; use the linked MITRE references and original source reports for current IOCs.SRC-MITRE-G0069

Hashes and IOCs on this page are source pointers or representative public indicators. They SHOULD be refreshed from the linked source before operational use and MUST NOT be used alone for actor attribution.

Defensive Hunting Notes

ActorHunting Notes
APT39Hunt for CrackMapExec execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain.
MuddyWaterHunt for CrackMapExec execution or artifacts only in context: unusual parent process, unexpected host role, suspicious account, external staging, or proximity to the actor intrusion chain.

Handling Notes

ActorHandling Notes
APT39Common or dual-use tools require local allowlisting and must not be used alone for actor attribution.
MuddyWaterCommon or dual-use tools require local allowlisting and must not be used alone for actor attribution.

Mapped ATT&CK Techniques For Associated Actor(s)

ActorTechniqueTacticMapping QualitySource
MuddyWaterT1566 PhishingInitial AccessM2SRC-MITRE-G0069
MuddyWaterT1059.001 PowerShellExecutionM2SRC-MITRE-G0069
MuddyWaterT1219 Remote Access SoftwareCommand and ControlM3SRC-MITRE-G0069
MuddyWaterT1567.002 Exfiltration to Cloud StorageExfiltrationM2SRC-THREAT-HUNTER-V3
APT39T1566.001 Spearphishing AttachmentInitial AccessM2SRC-MITRE-G0087
APT39T1003.001 LSASS MemoryCredential AccessM2SRC-MITRE-G0087

These detections are mapped through the associated actor or scenario and are not automatically tool-specific. Promote a tool-specific detection only after the behavior is tied to telemetry and test evidence.

ActorDetectionRelease StatusDRLRule
MuddyWaterDET-002 - Suspicious RMM Installer Download From User ContextPilot6detections/sigma/suspicious-rmm-file-sharing-download.yml
MuddyWaterDET-004 - Mail Click To Execution CorrelationHunt4detections/kql/mail-click-to-exec-correlation.kql

These hunts are mapped through the associated actor or scenario and may need narrowing before they are used for this specific tool.

ActorHuntHypothesisQuery
MuddyWaterHUNT-002If MuddyWater-style RMM abuse is active then unauthorized RMM execution will appear from user-controlled pathsdetections/kql/suspicious-rmm-file-sharing-download.kql
MuddyWaterHUNT-004If VIP phishing is active then mail click events will correlate to risky sign-in or executiondetections/kql/mail-click-to-exec-correlation.kql

Source Review

SourcePublisherDateReliabilityTypeLast Reviewed
SRC-MITRE-G0069MITRE ATT&CK2026-05-13AKnowledge base2026-05-14
SRC-MITRE-G0087MITRE ATT&CK2026-05-14AKnowledge base2026-05-14

If a source publishes a large or frequently changing IOC appendix, keep the current IOC list in the source system or TIP and store only the pointer here.