High-risk tools in CrackMapExec MCP Server
9 of the 11 tools in CrackMapExec MCP Server are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
cme_ldapExecuteExecute LDAP protocol operations. Supports Active Directory enumeration including users, computers, groups, delegation, and custom LDAP queries.
-
cme_mssqlExecuteExecute MSSQL protocol operations. Supports SQL query execution and command execution via xp_cmdshell.
-
cme_rawExecuteExecute a raw NetExec/CrackMapExec command. Use this for advanced operations not covered by other tools.
-
cme_rdpExecuteExecute RDP protocol operations. Check RDP access and screenshot capabilities.
-
cme_smbExecuteExecute SMB protocol operations with NetExec/CrackMapExec. Supports enumeration of shares, users, groups, sessions, credential dumping (SAM, LSA, NTDS), and command execution.
-
cme_sprayExecutePerform password spraying attacks across multiple targets. Supports jitter and continues on success options.
-
cme_sshExecuteExecute SSH protocol operations. Supports password and key-based authentication for Linux/Unix hosts.
-
cme_winrmExecuteExecute WinRM protocol operations. Supports remote command execution and credential dumping on hosts with WinRM enabled (ports 5985/5986).
-
cme_wmiExecuteExecute WMI protocol operations. Supports remote command execution via WMI.
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.