Detection rules › Sigma
HackTool - NetExec Execution
Detects execution of the hacktool NetExec. NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration In enterprise environments, the use of NetExec is considered suspicious or potentially malicious because it enables attackers to enumerate hosts, exploit network services, and move laterally across systems. Threat actors and red teams commonly use NetExec to identify vulnerable systems, harvest credentials, and execute commands remotely.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1018 Remote System Discovery |
| Lateral Movement | T1021 Remote Services |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: selection
or:
CommandLine|contains: ' ftp '
CommandLine|contains: ' ldap '
CommandLine|contains: ' mssql '
CommandLine|contains: ' nfs '
CommandLine|contains: ' rdp '
CommandLine|contains: ' smb '
CommandLine|contains: ' ssh '
CommandLine|contains: ' vnc '
CommandLine|contains: ' winrm '
CommandLine|contains: ' wmi '
Image|endswith: '\nxc.exe'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|