sigmaDRL-1.1from SigmaHQ/sigma
HackTool - NetExec File Indicators
Detects file creation events indicating NetExec (nxc.exe) execution on the local machine. NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI<random>" directory under the Temp folder upon execution. Files dropped under the "\nxc\" sub-directory of that extraction path are unique to NetExec and serve as reliable on-disk indicators of execution. NetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool used for Active Directory enumeration, credential harvesting, and remote code execution.
Quality
96
FP risk
—
Forks
0
Views
0
Rule sourcerules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators.yml
title: HackTool - NetExec File Indicators
id: efc21479-9e83-41da-8cf1-122e06ba8db3
status: experimental
description: |
Detects file creation events indicating NetExec (nxc.exe) execution on the local machine.
NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI<random>" directory
under the Temp folder upon execution. Files dropped under the "\nxc\" sub-directory of that
extraction path are unique to NetExec and serve as reliable on-disk indicators of execution.
NetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool used for
Active Directory enumeration, credential harvesting, and remote code execution.
references:
- https://github.com/Pennyw0rth/NetExec
- https://www.netexec.wiki/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-08
tags:
- attack.execution
- attack.lateral-movement
- attack.discovery
- attack.t1021.002
- attack.t1059.005
logsource:
product: windows
category: file_event
detection:
selection:
- Image|contains: '\nxc-windows-latest\'
- TargetFilename|contains|all:
- '\Temp\_MEI'
- '\nxc\data\'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/info.yml