Merge PR #5922 from @CHIRAG-DAMANI-08 - Hacktool - NetExec Execution

new: HackTool - NetExec File Indicators
new: Hacktool - NetExec Execution
---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/efc21479-9e83-41da-8cf1-122e06ba8db3.json

@@ -0,0 +1,357 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 11,
+      "Version": 2,
+      "Level": 4,
+      "Task": 11,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-08T10:58:04.850672Z"
+        }
+      },
+      "EventRecordID": 129825,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4584,
+          "ThreadID": 5116
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-04-08 10:58:04.846",
+      "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00",
+      "ProcessId": 12184,
+      "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe",
+      "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\keepass_trigger_module\\RestartKeePass.ps1",
+      "CreationUtcTime": "2026-04-08 10:58:04.846",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 11,
+      "Version": 2,
+      "Level": 4,
+      "Task": 11,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-08T10:58:04.850722Z"
+        }
+      },
+      "EventRecordID": 129826,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4584,
+          "ThreadID": 5116
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-04-08 10:58:04.848",
+      "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00",
+      "ProcessId": 12184,
+      "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe",
+      "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\msol_dump\\entra-sync-creds.ps1",
+      "CreationUtcTime": "2026-04-08 10:58:04.848",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 11,
+      "Version": 2,
+      "Level": 4,
+      "Task": 11,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-08T10:58:04.864253Z"
+        }
+      },
+      "EventRecordID": 129827,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4584,
+          "ThreadID": 5116
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-04-08 10:58:04.850",
+      "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00",
+      "ProcessId": 12184,
+      "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe",
+      "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\ntds-dump-raw\\ntds-dump-raw.ps1",
+      "CreationUtcTime": "2026-04-08 10:58:04.850",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 11,
+      "Version": 2,
+      "Level": 4,
+      "Task": 11,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-08T10:58:04.864398Z"
+        }
+      },
+      "EventRecordID": 129828,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4584,
+          "ThreadID": 5116
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "EXE",
+      "UtcTime": "2026-04-08 10:58:04.860",
+      "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00",
+      "ProcessId": 12184,
+      "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe",
+      "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\procdump\\procdump.exe",
+      "CreationUtcTime": "2026-04-08 10:58:04.860",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 11,
+      "Version": 2,
+      "Level": 4,
+      "Task": 11,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-08T10:58:04.880069Z"
+        }
+      },
+      "EventRecordID": 129829,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4584,
+          "ThreadID": 5116
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-04-08 10:58:04.876",
+      "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00",
+      "ProcessId": 12184,
+      "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe",
+      "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\veeam_dump_module\\veeam_dump_mssql.ps1",
+      "CreationUtcTime": "2026-04-08 10:58:04.876",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 11,
+      "Version": 2,
+      "Level": 4,
+      "Task": 11,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-08T10:58:04.880098Z"
+        }
+      },
+      "EventRecordID": 129830,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4584,
+          "ThreadID": 5116
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-04-08 10:58:04.876",
+      "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00",
+      "ProcessId": 12184,
+      "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe",
+      "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\veeam_dump_module\\veeam_dump_postgresql.ps1",
+      "CreationUtcTime": "2026-04-08 10:58:04.876",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 11,
+      "Version": 2,
+      "Level": 4,
+      "Task": 11,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-08T10:58:04.888584Z"
+        }
+      },
+      "EventRecordID": 129831,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4584,
+          "ThreadID": 5116
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-04-08 10:58:04.880",
+      "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00",
+      "ProcessId": 12184,
+      "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe",
+      "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\wmiexec_event_vbscripts\\Exec_Command_Silent.vbs",
+      "CreationUtcTime": "2026-04-08 10:58:04.880",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/info.yml

@@ -0,0 +1,13 @@
+id: 0f3349c0-c715-462e-bf26-2241a149f20e
+description: N/A
+date: 2026-04-08
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: efc21479-9e83-41da-8cf1-122e06ba8db3
+      title: HackTool - NetExec File Indicators
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 7
+      path: regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/efc21479-9e83-41da-8cf1-122e06ba8db3.evtx

regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/7638e5fe-600c-4289-a968-f49dd537ec7d.json

@@ -0,0 +1,66 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-08T10:58:06.296740Z"
+        }
+      },
+      "EventRecordID": 129837,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4584,
+          "ThreadID": 5116
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-04-08 10:58:06.267",
+      "ProcessGuid": "0197231E-34BE-69D6-740F-000000000D00",
+      "ProcessId": 17960,
+      "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe",
+      "FileVersion": "-",
+      "Description": "-",
+      "Product": "-",
+      "Company": "-",
+      "OriginalFileName": "-",
+      "CommandLine": "nxc.exe  smb 192.168.1.1 -u admin -p password123",
+      "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-A4BA-69C9-53F1-010000000000",
+      "LogonId": "0x1f153",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "Medium",
+      "Hashes": "MD5=1E51483B451829355585FCF1C08506A2,SHA256=B42CB4F7C7F085403E2E4FA58DF1F5E781807BC13021EA982BA0ECEA3E97352F,IMPHASH=351592D5EAD6DF0859B0CC0056827C95",
+      "ParentProcessGuid": "0197231E-34BB-69D6-730F-000000000D00",
+      "ParentProcessId": 12184,
+      "ParentImage": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe",
+      "ParentCommandLine": "nxc.exe  smb 192.168.1.1 -u admin -p password123",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/info.yml

@@ -0,0 +1,13 @@
+id: f44d46f4-9566-4538-b54b-4aa6059f8802
+description: N/A
+date: 2026-04-08
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 7638e5fe-600c-4289-a968-f49dd537ec7d
+      title: HackTool - NetExec Execution
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 1
+      path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/7638e5fe-600c-4289-a968-f49dd537ec7d.evtx

rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators.yml

@@ -0,0 +1,35 @@
+title: HackTool - NetExec File Indicators
+id: efc21479-9e83-41da-8cf1-122e06ba8db3
+status: experimental
+description: |
+    Detects file creation events indicating NetExec (nxc.exe) execution on the local machine.
+    NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI<random>" directory
+    under the Temp folder upon execution. Files dropped under the "\nxc\" sub-directory of that
+    extraction path are unique to NetExec and serve as reliable on-disk indicators of execution.
+    NetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool used for
+    Active Directory enumeration, credential harvesting, and remote code execution.
+references:
+    - https://github.com/Pennyw0rth/NetExec
+    - https://www.netexec.wiki/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-04-08
+tags:
+    - attack.execution
+    - attack.lateral-movement
+    - attack.discovery
+    - attack.t1021.002
+    - attack.t1059.005
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection:
+        - Image|contains: '\nxc-windows-latest\'
+        - TargetFilename|contains|all:
+              - '\Temp\_MEI'
+              - '\nxc\data\'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/info.yml

rules/windows/process_creation/proc_creation_win_hktl_netexec.yml

@@ -0,0 +1,41 @@
+title: HackTool - NetExec Execution
+id: 7638e5fe-600c-4289-a968-f49dd537ec7d
+status: experimental
+description: |
+    Detects execution of the hacktool NetExec.
+    NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration
+    In enterprise environments, the use of NetExec is considered suspicious or potentially malicious because it enables attackers to enumerate hosts, exploit network services, and move laterally across systems.
+    Threat actors and red teams commonly use NetExec to identify vulnerable systems, harvest credentials, and execute commands remotely.
+references:
+    - https://thedfirreport.com/2025/12/17/cats-got-your-files-lynx-ransomware/
+    - https://github.com/Pennyw0rth/NetExec
+    - https://www.netexec.wiki/
+author: Chirag Damani
+date: 2026-03-29
+tags:
+    - attack.discovery
+    - attack.t1018
+    - attack.lateral-movement
+    - attack.t1021
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\nxc.exe'
+        CommandLine|contains:
+            - ' ftp '
+            - ' ldap '
+            - ' mssql '
+            - ' nfs '
+            - ' rdp '
+            - ' smb '
+            - ' ssh '
+            - ' vnc '
+            - ' winrm '
+            - ' wmi '
+    condition: selection
+falsepositives:
+    - Legitimate use of NetExec by security professionals or system administrators for network assessment and management.
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/info.yml