HackTool - NetExec File Indicators
Detects file creation events indicating NetExec (nxc.exe) execution on the local machine.
NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI<random>" directory under the Temp folder upon execution.
Sigma rule
title: HackTool - NetExec File Indicators
id: efc21479-9e83-41da-8cf1-122e06ba8db3
status: experimental
description: |
    Detects file creation events indicating NetExec (nxc.exe) execution on the local machine.
    NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI<random>" directory
    under the Temp folder upon execution. Files dropped under the "\nxc\" sub-directory of that
    extraction path are unique to NetExec and serve as reliable on-disk indicators of execution.
    NetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool used for
    Active Directory enumeration, credential harvesting, and remote code execution.
references:
    - https://github.com/Pennyw0rth/NetExec
    - https://www.netexec.wiki/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-08
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.discovery
    - attack.t1021.002
    - attack.t1059.005
logsource:
    product: windows
    category: file_event
detection:
    selection:
        - Image|contains: '\nxc-windows-latest\'
        - TargetFilename|contains|all:
              - '\Temp\_MEI'
              - '\nxc\data\'
    condition: selection
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/info.yml
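
The rule's selection logic applied to a handful of file-creation events, as an added example that is not part of the original rule or of the Sigma project. The function names and every sample event are constructed for illustration; field names are assumed to follow Sysmon Event ID 11.

```python
# Added example: evaluates the rule's "selection" against file-creation events.
# Sigma string matching is case-insensitive by default; the list items under
# "selection" are OR'ed, and "contains|all" requires every listed substring.

IMAGE_MARKER = "\\nxc-windows-latest\\"
TARGET_MARKERS = ("\\Temp\\_MEI", "\\nxc\\data\\")


def matches_selection(event: dict) -> bool:
    """Return True if a file_event record satisfies the rule's selection."""
    image = (event.get("Image") or "").lower()
    target = (event.get("TargetFilename") or "").lower()
    by_image = IMAGE_MARKER.lower() in image
    by_target = all(m.lower() in target for m in TARGET_MARKERS)
    return by_image or by_target


# Constructed sample events (paths and file names are made up for the example).
SAMPLE_EVENTS = [
    {   # process name says nothing; the extraction path carries the indicator
        "Image": r"C:\Users\alice\Desktop\tool.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\_MEI51322\nxc\data\example.conf",
    },
    {   # process image sits in a "nxc-windows-latest" folder; any file write matches
        "Image": r"C:\Tools\nxc-windows-latest\nxc.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\_MEI51322\python311.dll",
    },
    {   # unrelated PyInstaller application: _MEI directory but no \nxc\data\
        "Image": r"C:\Program Files\Backup\backup.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\_MEI90211\certifi\cacert.pem",
    },
    {   # \nxc\data\ outside a Temp\_MEI extraction path: contains|all fails
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"D:\src\nxc\data\notes.txt",
    },
    {   # casing differs from the rule's literals; still matches
        "Image": r"C:\USERS\BOB\x.exe",
        "TargetFilename": r"C:\USERS\BOB\APPDATA\LOCAL\TEMP\_MEI7\NXC\DATA\f",
    },
]


def triage(events):
    """Return the indexes of events that would raise the alert."""
    return [i for i, e in enumerate(events) if matches_selection(e)]


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The third and fourth events show why the rule pairs the two substrings with `contains|all`: a `_MEI` directory alone matches any PyInstaller application, and `\nxc\data\` alone matches unrelated paths.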
Related rules
- Turla Group Lateral Movement
- Metasploit Or Impacket Service Installation Via SMB PsExec
- Rundll32 Execution Without Parameters
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System