Detection rules › Sigma

HackTool - NetExec File Indicators

Severity: high
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Source: upstream

Detects file creation events that indicate NetExec (nxc.exe) has been executed on the local machine. NetExec is a PyInstaller-bundled binary: on execution it extracts its embedded data files into a "_MEI" directory under the Temp folder. Files dropped under the "\nxc" sub-directory of that extraction path are unique to NetExec and serve as reliable on-disk indicators of execution. NetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool for Active Directory enumeration, credential harvesting, and remote code execution.

MITRE ATT&CK coverage

Tactic            Technique
Execution         T1059.005 Command and Scripting Interpreter: Visual Basic
Lateral Movement  T1021.002 Remote Services: SMB/Windows Admin Shares

Event coverage

Provider  Event ID  Title
Sysmon    11        FileCreate

Stages and Predicates

Stage 1: selection

or (any one predicate is sufficient):
  TargetFilename|contains: '\Temp\_MEI'
  TargetFilename|contains: '\nxc\data\'
  Image|contains: '\nxc-windows-latest\'
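The following is an added example, not part of the catalog entry or of the upstream Sigma rule. It evaluates the three Stage 1 predicates, exactly as printed above, against a few constructed Sysmon Event ID 11 (FileCreate) records, and adds a small triage step grounded in the description: the "_MEI" extraction directory is ordinary PyInstaller behaviour, so a hit on that predicate alone is weaker evidence than a hit on the predicates that name nxc itself. The event field names mirror Sysmon's Image and TargetFilename; the sample paths, file names and _MEI suffixes are constructed, not captured.

```python
# Added example (not the rule's own code): applies the Stage 1 predicates to
# constructed Sysmon Event ID 11 (FileCreate) records and triages the hits.
from dataclasses import dataclass


@dataclass
class FileCreateEvent:
    """Minimal view of a Sysmon FileCreate record; only the fields the rule reads."""
    Image: str
    TargetFilename: str


# (label, field, substring) as printed in Stage 1. Sigma string matching is
# case-insensitive by default, so both sides are lower-cased before comparing.
# The labels are assumptions introduced here for readability.
PREDICATES = [
    ("temp_mei", "TargetFilename", "\\Temp\\_MEI"),
    ("nxc_data", "TargetFilename", "\\nxc\\data\\"),
    ("nxc_release_dir", "Image", "\\nxc-windows-latest\\"),
]

# Predicates whose value names nxc itself. "temp_mei" is generic PyInstaller
# extraction behaviour (per the description) and is not NetExec-specific on its own.
NETEXEC_SPECIFIC = {"nxc_data", "nxc_release_dir"}


def matched_predicates(event: FileCreateEvent) -> list:
    """Return the labels of every Stage 1 predicate the event satisfies, in rule order."""
    hits = []
    for label, field_name, needle in PREDICATES:
        value = getattr(event, field_name, "") or ""
        if needle.lower() in value.lower():
            hits.append(label)
    return hits


def rule_matches(event: FileCreateEvent) -> bool:
    """Stage 1 as printed: the predicates are OR-ed, so one hit is enough."""
    return bool(matched_predicates(event))


def triage(event: FileCreateEvent) -> str:
    """Label a match by whether it rests on an nxc-specific predicate or only on _MEI."""
    hits = set(matched_predicates(event))
    if not hits:
        return "no-match"
    if hits & NETEXEC_SPECIFIC:
        return "netexec-indicator"
    return "pyinstaller-generic"  # only the _MEI extraction dir hit; any PyInstaller app does this


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    # NetExec-like: release folder in Image, nxc\data under the _MEI extraction dir.
    FileCreateEvent(
        Image=r"C:\Users\alice\Downloads\nxc-windows-latest\nxc.exe",
        TargetFilename=r"C:\Users\alice\AppData\Local\Temp\_MEI45122\nxc\data\sample.dat",
    ),
    # Unrelated PyInstaller-built program: extracts to _MEI but never touches \nxc\data\.
    FileCreateEvent(
        Image=r"C:\Program Files\SomeVendor\updater.exe",
        TargetFilename=r"C:\Users\bob\AppData\Local\Temp\_MEI98231\base_library.zip",
    ),
    # Benign file write with nothing in common with the rule.
    FileCreateEvent(
        Image=r"C:\Windows\System32\notepad.exe",
        TargetFilename=r"C:\Users\bob\Documents\notes.txt",
    ),
]


def run_samples() -> list:
    """Evaluate every sample event; returns (TargetFilename, matched labels, verdict)."""
    return [(e.TargetFilename, matched_predicates(e), triage(e)) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for target, hits, verdict in run_samples():
        print(f"{verdict:20} {hits} {target}")
```

Run as written, the first sample satisfies all three predicates, the second satisfies only the "_MEI" predicate, and the third none. The triage verdict makes the difference visible: with the predicates OR-ed as printed, the second event is still a rule match, so an analyst reviewing alerts from this rule should check which predicate fired before treating a hit as NetExec execution.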

Indicators

Each row lists a field, the match operator, and the value(s) the rule compares against. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 shows that the indicator is specific to this rule.

Field           Kind   Values
Image           match  • \nxc-windows-latest\
TargetFilename  match  • \Temp\_MEI
                       • \nxc\data\