diff --git a/regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/efc21479-9e83-41da-8cf1-122e06ba8db3.evtx b/regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/efc21479-9e83-41da-8cf1-122e06ba8db3.evtx
new file mode 100644
index 000000000..b74f1bb7c
Binary files /dev/null and b/regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/efc21479-9e83-41da-8cf1-122e06ba8db3.evtx differ
diff --git a/regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/efc21479-9e83-41da-8cf1-122e06ba8db3.json b/regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/efc21479-9e83-41da-8cf1-122e06ba8db3.json
new file mode 100644
index 000000000..9d8f85543
--- /dev/null
+++ b/regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/efc21479-9e83-41da-8cf1-122e06ba8db3.json
@@ -0,0 +1,357 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-04-08T10:58:04.850672Z" + } + }, + "EventRecordID": 129825, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 4584, + "ThreadID": 5116 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2026-04-08 10:58:04.846", + "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00", + "ProcessId": 12184, + "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe", + "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\keepass_trigger_module\\RestartKeePass.ps1", + "CreationUtcTime": "2026-04-08 10:58:04.846", + "User": "swachchhanda\\xodih" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-04-08T10:58:04.850722Z" + } + }, + "EventRecordID": 129826, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 4584, + "ThreadID": 5116 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + 
"UtcTime": "2026-04-08 10:58:04.848", + "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00", + "ProcessId": 12184, + "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe", + "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\msol_dump\\entra-sync-creds.ps1", + "CreationUtcTime": "2026-04-08 10:58:04.848", + "User": "swachchhanda\\xodih" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-04-08T10:58:04.864253Z" + } + }, + "EventRecordID": 129827, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 4584, + "ThreadID": 5116 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2026-04-08 10:58:04.850", + "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00", + "ProcessId": 12184, + "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe", + "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\ntds-dump-raw\\ntds-dump-raw.ps1", + "CreationUtcTime": "2026-04-08 10:58:04.850", + "User": "swachchhanda\\xodih" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": 
"2026-04-08T10:58:04.864398Z" + } + }, + "EventRecordID": 129828, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 4584, + "ThreadID": 5116 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "EXE", + "UtcTime": "2026-04-08 10:58:04.860", + "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00", + "ProcessId": 12184, + "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe", + "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\procdump\\procdump.exe", + "CreationUtcTime": "2026-04-08 10:58:04.860", + "User": "swachchhanda\\xodih" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-04-08T10:58:04.880069Z" + } + }, + "EventRecordID": 129829, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 4584, + "ThreadID": 5116 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2026-04-08 10:58:04.876", + "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00", + "ProcessId": 12184, + "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe", + "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\veeam_dump_module\\veeam_dump_mssql.ps1", + "CreationUtcTime": "2026-04-08 10:58:04.876", + "User": "swachchhanda\\xodih" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": 
"http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-04-08T10:58:04.880098Z" + } + }, + "EventRecordID": 129830, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 4584, + "ThreadID": 5116 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2026-04-08 10:58:04.876", + "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00", + "ProcessId": 12184, + "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe", + "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\veeam_dump_module\\veeam_dump_postgresql.ps1", + "CreationUtcTime": "2026-04-08 10:58:04.876", + "User": "swachchhanda\\xodih" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-04-08T10:58:04.888584Z" + } + }, + "EventRecordID": 129831, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 4584, + "ThreadID": 5116 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2026-04-08 10:58:04.880", + "ProcessGuid": 
"0197231E-34BB-69D6-730F-000000000D00", + "ProcessId": 12184, + "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe", + "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\wmiexec_event_vbscripts\\Exec_Command_Silent.vbs", + "CreationUtcTime": "2026-04-08 10:58:04.880", + "User": "swachchhanda\\xodih" + } + } +} diff --git a/regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/info.yml b/regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/info.yml new file mode 100644 index 000000000..a9322e2d2 --- /dev/null +++ b/regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/info.yml @@ -0,0 +1,13 @@ +id: 0f3349c0-c715-462e-bf26-2241a149f20e +description: N/A +date: 2026-04-08 +author: Swachchhanda Shrawan Poudel (Nextron Systems) +rule_metadata: + - id: efc21479-9e83-41da-8cf1-122e06ba8db3 + title: HackTool - NetExec File Indicators +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 7 + path: regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/efc21479-9e83-41da-8cf1-122e06ba8db3.evtx diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/7638e5fe-600c-4289-a968-f49dd537ec7d.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/7638e5fe-600c-4289-a968-f49dd537ec7d.evtx new file mode 100644 index 000000000..cc1daf2d4 Binary files /dev/null and b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/7638e5fe-600c-4289-a968-f49dd537ec7d.evtx differ 
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/7638e5fe-600c-4289-a968-f49dd537ec7d.json b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/7638e5fe-600c-4289-a968-f49dd537ec7d.json
new file mode 100644
index 000000000..c939903f2
--- /dev/null
+++ b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/7638e5fe-600c-4289-a968-f49dd537ec7d.json
@@ -0,0 +1,66 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 1, + "Version": 5, + "Level": 4, + "Task": 1, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-04-08T10:58:06.296740Z" + } + }, + "EventRecordID": 129837, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 4584, + "ThreadID": 5116 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2026-04-08 10:58:06.267", + "ProcessGuid": "0197231E-34BE-69D6-740F-000000000D00", + "ProcessId": 17960, + "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe", + "FileVersion": "-", + "Description": "-", + "Product": "-", + "Company": "-", + "OriginalFileName": "-", + "CommandLine": "nxc.exe smb 192.168.1.1 -u admin -p password123", + "CurrentDirectory": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\", + "User": "swachchhanda\\xodih", + "LogonGuid": "0197231E-A4BA-69C9-53F1-010000000000", + "LogonId": "0x1f153", + "TerminalSessionId": 1, + "IntegrityLevel": "Medium", + "Hashes": "MD5=1E51483B451829355585FCF1C08506A2,SHA256=B42CB4F7C7F085403E2E4FA58DF1F5E781807BC13021EA982BA0ECEA3E97352F,IMPHASH=351592D5EAD6DF0859B0CC0056827C95", + "ParentProcessGuid": "0197231E-34BB-69D6-730F-000000000D00", + "ParentProcessId": 12184, + "ParentImage": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe", + "ParentCommandLine": "nxc.exe smb 192.168.1.1 -u admin -p password123", + "ParentUser": "swachchhanda\\xodih" + } + } +} 
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/info.yml b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/info.yml new file mode 100644 index 000000000..8ca556a26 --- /dev/null +++ b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/info.yml @@ -0,0 +1,13 @@ +id: f44d46f4-9566-4538-b54b-4aa6059f8802 +description: N/A +date: 2026-04-08 +author: Swachchhanda Shrawan Poudel (Nextron Systems) +rule_metadata: + - id: 7638e5fe-600c-4289-a968-f49dd537ec7d + title: HackTool - NetExec Execution +regression_tests_info: + - name: Positive Detection Test + type: evtx + provider: Microsoft-Windows-Sysmon + match_count: 1 + path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/7638e5fe-600c-4289-a968-f49dd537ec7d.evtx diff --git a/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators.yml b/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators.yml new file mode 100644 index 000000000..ceb1f06f2 --- /dev/null +++ b/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators.yml 
@@ -0,0 +1,35 @@ +title: HackTool - NetExec File Indicators +id: efc21479-9e83-41da-8cf1-122e06ba8db3 +status: experimental +description: | + Detects file creation events indicating NetExec (nxc.exe) execution on the local machine. + NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI" directory + under the Temp folder upon execution. Files dropped under the "\nxc\" sub-directory of that + extraction path are unique to NetExec and serve as reliable on-disk indicators of execution. + NetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool used for + Active Directory enumeration, credential harvesting, and remote code execution. +references: + - https://github.com/Pennyw0rth/NetExec + - https://www.netexec.wiki/ +author: Swachchhanda Shrawan Poudel (Nextron Systems) +date: 2026-04-08 +tags: + - attack.execution + - attack.lateral-movement + - attack.discovery + - attack.t1021.002 + - attack.t1059.005 +logsource: + product: windows + category: file_event +detection: + selection: + - Image|contains: '\nxc-windows-latest\' + - TargetFilename|contains|all: + - '\Temp\_MEI' + - '\nxc\data\' + condition: selection +falsepositives: + - Unknown +level: high +regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/info.yml diff --git a/rules/windows/process_creation/proc_creation_win_hktl_netexec.yml b/rules/windows/process_creation/proc_creation_win_hktl_netexec.yml new file mode 100644 index 000000000..21c63c41f --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_hktl_netexec.yml 
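Review bot: The two entries under `selection` form a YAML list, so they are OR'ed, and the `Image|contains: '\nxc-windows-latest\'` branch therefore fires on its own for any file created by a process whose image path contains that directory name; that name is the release-archive folder rather than a property of the tool, so on its own it is a much weaker indicator than the `\Temp\_MEI` + `\nxc\data\` pattern the description presents as the reliable one. The seven regression events all carry both the `nxc-windows-latest` image path and a `_MEI121842\nxc\data\` target, so the regression test does not show what the folder-name branch adds. Either document in `description` that the folder-name match is a deliberate second, lower-confidence branch, or replace it with a stricter image identity such as `- Image|endswith: '\nxc.exe'`. The `attack.t1059.005` tag also looks loose for a rule that fires on data files being extracted, not on VBScript execution; the sibling process_creation rule uses `attack.t1021` where this one uses `attack.t1021.002`, and the two should agree.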
@@ -0,0 +1,41 @@ +title: HackTool - NetExec Execution +id: 7638e5fe-600c-4289-a968-f49dd537ec7d +status: experimental +description: | + Detects execution of the hacktool NetExec. + NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration + In enterprise environments, the use of NetExec is considered suspicious or potentially malicious because it enables attackers to enumerate hosts, exploit network services, and move laterally across systems. + Threat actors and red teams commonly use NetExec to identify vulnerable systems, harvest credentials, and execute commands remotely. +references: + - https://thedfirreport.com/2025/12/17/cats-got-your-files-lynx-ransomware/ + - https://github.com/Pennyw0rth/NetExec + - https://www.netexec.wiki/ +author: Chirag Damani +date: 2026-03-29 +tags: + - attack.discovery + - attack.t1018 + - attack.lateral-movement + - attack.t1021 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\nxc.exe' + CommandLine|contains: + - ' ftp ' + - ' ldap ' + - ' mssql ' + - ' nfs ' + - ' rdp ' + - ' smb ' + - ' ssh ' + - ' vnc ' + - ' winrm ' + - ' wmi ' + condition: selection +falsepositives: + - Legitimate use of NetExec by security professionals or system administrators for network assessment and management. +level: high +regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/info.yml
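Review bot: The sample event in `7638e5fe-600c-4289-a968-f49dd537ec7d.json` has `ParentImage` and `ParentCommandLine` identical to the child's `Image` and `CommandLine`, which suggests the bundled nxc.exe relaunches itself, so a single invocation may produce two events matching this `selection`; if that is confirmed, a sentence in `description` noting the expected duplicate alert per run would help analysts, and the regression evtx could capture both events (`info.yml` currently declares `match_count: 1`). The `CommandLine|contains` list means invocations that name no protocol (for example `--help` or `--version`) are intentionally excluded, which is worth stating in `description` since `Image|endswith: '\nxc.exe'` is otherwise the only identity check and the sample shows `OriginalFileName: "-"`, so no PE-metadata fallback is available. The second description line also lacks a terminating period: `...Active Directory penetration testing and network enumeration.`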