HackTool - NetExec Execution

Original Source: [Sigma source]
Title: HackTool - NetExec Execution
Status: experimental
Description:Detects execution of the hacktool NetExec. NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration In enterprise environments, the use of NetExec is considered suspicious or potentially malicious because it enables attackers to enumerate hosts, exploit network services, and move laterally across systems. Threat actors and red teams commonly use NetExec to identify vulnerable systems, harvest credentials, and execute commands remotely.
References:
  -https://thedfirreport.com/2025/12/17/cats-got-your-files-lynx-ransomware/
   -https://github.com/Pennyw0rth/NetExec
   -https://www.netexec.wiki/
 Author: Chirag Damani
Date: 2026-03-29
modified:None
Tags:
  • -'attack.discovery'
  • -'attack.t1018'
  • -'attack.lateral-movement'
  • -'attack.t1021'
Logsource:
  • category: process_creation
  • product: windows
Detection:
  selection:
    Image|endswith: '\nxc.exe'
    CommandLine|contains:
      -' ftp '
      -' ldap '
      -' mssql '
      -' nfs '
      -' rdp '
      -' smb '
      -' ssh '
      -' vnc '
      -' winrm '
      -' wmi '

  condition:selection
Falsepositives:
  -Legitimate use of NetExec by security professionals or system administrators for network assessment and management.
Level: high

© 2024 DetectionCode Website. All Rights Reserved.