HackTool - NetExec Execution

calendar Apr 23, 2026 · attack.discovery attack.t1018 attack.lateral-movement attack.t1021  ·
Share on: linkedin copy

Detects execution of the hacktool NetExec. NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration In enterprise environments, the use of NetExec is considered suspicious or potentially malicious because it enables attackers to enumerate hosts, exploit network services, and move laterally across systems. Threat actors and red teams commonly use NetExec to identify vulnerable systems, harvest credentials, and execute commands remotely.

Sigma rule (View on GitHub)

 1title: HackTool - NetExec Execution
 2id: 7638e5fe-600c-4289-a968-f49dd537ec7d
 3status: experimental
 4description: |
 5    Detects execution of the hacktool NetExec.
 6    NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration
 7    In enterprise environments, the use of NetExec is considered suspicious or potentially malicious because it enables attackers to enumerate hosts, exploit network services, and move laterally across systems.
 8    Threat actors and red teams commonly use NetExec to identify vulnerable systems, harvest credentials, and execute commands remotely.    
 9references:
10    - https://thedfirreport.com/2025/12/17/cats-got-your-files-lynx-ransomware/
11    - https://github.com/Pennyw0rth/NetExec
12    - https://www.netexec.wiki/
13author: Chirag Damani
14date: 2026-03-29
15tags:
16    - attack.discovery
17    - attack.t1018
18    - attack.lateral-movement
19    - attack.t1021
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection:
25        Image|endswith: '\nxc.exe'
26        CommandLine|contains:
27            - ' ftp '
28            - ' ldap '
29            - ' mssql '
30            - ' nfs '
31            - ' rdp '
32            - ' smb '
33            - ' ssh '
34            - ' vnc '
35            - ' winrm '
36            - ' wmi '
37    condition: selection
38falsepositives:
39    - Legitimate use of NetExec by security professionals or system administrators for network assessment and management.
40level: high
41regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/info.yml

References

Related rules

to-top