From 03412947a2d653ca1398db62a51d2de9da96b361 Mon Sep 17 00:00:00 2001 From: Chirag Date: Thu, 23 Apr 2026 18:32:24 +0530 Subject: [PATCH] Merge PR #5922 from @CHIRAG-DAMANI-08 - Hacktool - NetExec Execution new: HackTool - NetExec File Indicators new: Hacktool - NetExec Execution --------- Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- .../efc21479-9e83-41da-8cf1-122e06ba8db3.evtx | Bin 0 -> 69632 bytes .../efc21479-9e83-41da-8cf1-122e06ba8db3.json | 357 ++++++++++++++++++ .../info.yml | 13 + .../7638e5fe-600c-4289-a968-f49dd537ec7d.evtx | Bin 0 -> 69632 bytes .../7638e5fe-600c-4289-a968-f49dd537ec7d.json | 66 ++++ .../proc_creation_win_hktl_netexec/info.yml | 13 + ...event_win_hktl_netexec_file_indicators.yml | 35 ++ .../proc_creation_win_hktl_netexec.yml | 41 ++ 8 files changed, 525 insertions(+) create mode 100644 regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/efc21479-9e83-41da-8cf1-122e06ba8db3.evtx create mode 100644 regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/efc21479-9e83-41da-8cf1-122e06ba8db3.json create mode 100644 regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/info.yml create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/7638e5fe-600c-4289-a968-f49dd537ec7d.evtx create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/7638e5fe-600c-4289-a968-f49dd537ec7d.json create mode 100644 regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/info.yml create mode 100644 rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators.yml create mode 100644 rules/windows/process_creation/proc_creation_win_hktl_netexec.yml 
diff --git a/regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/efc21479-9e83-41da-8cf1-122e06ba8db3.evtx b/regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/efc21479-9e83-41da-8cf1-122e06ba8db3.evtx new file mode 100644 index 0000000000000000000000000000000000000000..b74f1bb7cedf7cd96076dc7a9262d728eea27095 GIT binary patch literal 69632 zcmeI2du&_P9mjw7+P-m|*iJy*gF)99k5+P;b`1+@r!`ArK(x@;C_Z-)C zlBEt5Da-d*_C5EU-+A26?{Ut#$;jkHwlJBO<`lOD$8hx}BGTnGi+t+)H}4OYeCkfv z0SS-*36KB@kN^pg011!)36KB@kieV-MkXhQ_LcUFJKeY07R~p^P~Pr9DqNy+3UH#|bx*=CAnc@f|Dv^xL4naijL7Yhmy%R*|6_cE+ic~p(lI$KMVUlp1r;%`Pxe8qDpN8bYw@Yb9+c!E zGlqN*t_74FkTUMdG6BgR+?P?lRt}-AgzI|g#b*O@z0!~0e0})JS$DoytGx|fIlYy4 z1+r6)py#R?5pTK%Yqgs(FQ?H{N8_^1jD9=D8i&*Y)Lw~i)*0h<_ebS=Oty$hkyJ{& z;3jJitCvLOYB^|HqAD%v$Y4aaLhO51;`CTs1FUOh7q=?H>-b_knQMV49E(2 z{DPT+qDw_3@KX^9qF#rrK!LOLFSWPHjaIAxQYF;+sSb%o;dAibx`~g!9+NE)R9#IP zAyFY;F2>Ep)=o!`MrD`L#eO5=>wumt!;QLtrl*$%asw2oYEeWwoToj-WEF0l=iK&2 zT&_d)5$LT9j^p62qA^(#1@>*Yx!3l%@n;%Eki4HtNJ8gw7aF;M@Yp{)WXOo=JSNRd9M&A< zvRUiliBky~M2}TWT&<;wCk^{ewMjbAprC5+d%0V5=&&b!rdb*#)m&<|BF1n*QuEH#LPm3B433>;NtPbmO#FZ4z+jtT%B@ZB%11$2?g|8W*p^RaarPv!9luh*dhM)_xh^K;vP|i^H}LVg~toO!Sjbi7NV1 z+y0AZq}!m%Du_9^^^=&9%4V#rQGM8RN0U*z!0IP`No$+cwhcBZZZ^{$VO;!VMB*yH z+{&x=?d)SPDP4H>V*Y*-W~6dovvN9rE0;1M@qm%5N*3hxiA!jytAL-3g)RGROB1rf zr%1y^Ts#Z))l47=+v<}mZM9iDYP4?nezFZxYQ#_t%(cgwu9i$7|7%;e3fGKT9@k^h z%9uq`fBR*btiyFc`j8(m*M4wx6ovBvL7w-XrY^o3R+c7yxD6sdI0z8pX1h& zb0%KvjK?5VHH%mt))=f*MdtP(=bK|-Aw_@SMzuCOx#Js(vf01}e5tdzshm9Iv2t6#^*XxRtLG2NEy85}U zdb*d_P`yVzT`zB(x1R=mUbh5E-8@DKY|N8Z_XKKG2 z`^jtb^ppNYvxho_6-58C6TaCWMNYj!PZXob-3m|8^K}6y>nifO`riOX?F)B(XQ}U) zNAb4Ey^GX8l!a~2ecz?TTUc4tPnbx61W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14c zNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-L zfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@ z1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14c 
zNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-L zfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@ z1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq-LfCNZ@1W14cNPq3C5w{(0u|P>ga7~l literal 0 HcmV?d00001 diff --git a/regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/efc21479-9e83-41da-8cf1-122e06ba8db3.json b/regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/efc21479-9e83-41da-8cf1-122e06ba8db3.json new file mode 100644 index 000000000..9d8f85543 --- /dev/null +++ b/regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/efc21479-9e83-41da-8cf1-122e06ba8db3.json 
@@ -0,0 +1,357 @@ +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-04-08T10:58:04.850672Z" + } + }, + "EventRecordID": 129825, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 4584, + "ThreadID": 5116 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2026-04-08 10:58:04.846", + "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00", + "ProcessId": 12184, + "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe", + "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\keepass_trigger_module\\RestartKeePass.ps1", + "CreationUtcTime": "2026-04-08 10:58:04.846", + "User": "swachchhanda\\xodih" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-04-08T10:58:04.850722Z" + } + }, + "EventRecordID": 129826, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 4584, + "ThreadID": 5116 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + 
"UtcTime": "2026-04-08 10:58:04.848", + "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00", + "ProcessId": 12184, + "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe", + "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\msol_dump\\entra-sync-creds.ps1", + "CreationUtcTime": "2026-04-08 10:58:04.848", + "User": "swachchhanda\\xodih" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-04-08T10:58:04.864253Z" + } + }, + "EventRecordID": 129827, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 4584, + "ThreadID": 5116 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2026-04-08 10:58:04.850", + "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00", + "ProcessId": 12184, + "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe", + "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\ntds-dump-raw\\ntds-dump-raw.ps1", + "CreationUtcTime": "2026-04-08 10:58:04.850", + "User": "swachchhanda\\xodih" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": 
"2026-04-08T10:58:04.864398Z" + } + }, + "EventRecordID": 129828, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 4584, + "ThreadID": 5116 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "EXE", + "UtcTime": "2026-04-08 10:58:04.860", + "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00", + "ProcessId": 12184, + "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe", + "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\procdump\\procdump.exe", + "CreationUtcTime": "2026-04-08 10:58:04.860", + "User": "swachchhanda\\xodih" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-04-08T10:58:04.880069Z" + } + }, + "EventRecordID": 129829, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 4584, + "ThreadID": 5116 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2026-04-08 10:58:04.876", + "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00", + "ProcessId": 12184, + "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe", + "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\veeam_dump_module\\veeam_dump_mssql.ps1", + "CreationUtcTime": "2026-04-08 10:58:04.876", + "User": "swachchhanda\\xodih" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": 
"http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-04-08T10:58:04.880098Z" + } + }, + "EventRecordID": 129830, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 4584, + "ThreadID": 5116 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2026-04-08 10:58:04.876", + "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00", + "ProcessId": 12184, + "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe", + "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\veeam_dump_module\\veeam_dump_postgresql.ps1", + "CreationUtcTime": "2026-04-08 10:58:04.876", + "User": "swachchhanda\\xodih" + } + } +} +{ + "Event": { + "#attributes": { + "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event" + }, + "System": { + "Provider": { + "#attributes": { + "Name": "Microsoft-Windows-Sysmon", + "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9" + } + }, + "EventID": 11, + "Version": 2, + "Level": 4, + "Task": 11, + "Opcode": 0, + "Keywords": "0x8000000000000000", + "TimeCreated": { + "#attributes": { + "SystemTime": "2026-04-08T10:58:04.888584Z" + } + }, + "EventRecordID": 129831, + "Correlation": null, + "Execution": { + "#attributes": { + "ProcessID": 4584, + "ThreadID": 5116 + } + }, + "Channel": "Microsoft-Windows-Sysmon/Operational", + "Computer": "swachchhanda", + "Security": { + "#attributes": { + "UserID": "S-1-5-18" + } + } + }, + "EventData": { + "RuleName": "-", + "UtcTime": "2026-04-08 10:58:04.880", + "ProcessGuid": 
"0197231E-34BB-69D6-730F-000000000D00",
+ "ProcessId": 12184,
+ "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe",
+ "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\wmiexec_event_vbscripts\\Exec_Command_Silent.vbs",
+ "CreationUtcTime": "2026-04-08 10:58:04.880",
+ "User": "swachchhanda\\xodih"
+ }
+ }
+}
diff --git a/regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/info.yml b/regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/info.yml
new file mode 100644
index 000000000..a9322e2d2
--- /dev/null
+++ b/regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/info.yml
@@ -0,0 +1,13 @@
+id: 0f3349c0-c715-462e-bf26-2241a149f20e
+description: N/A
+date: 2026-04-08
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+ - id: efc21479-9e83-41da-8cf1-122e06ba8db3
+ title: HackTool - NetExec File Indicators
+regression_tests_info:
+ - name: Positive Detection Test
+ type: evtx
+ provider: Microsoft-Windows-Sysmon
+ match_count: 7
+ path: regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/efc21479-9e83-41da-8cf1-122e06ba8db3.evtx
diff --git a/regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/7638e5fe-600c-4289-a968-f49dd537ec7d.evtx b/regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/7638e5fe-600c-4289-a968-f49dd537ec7d.evtx new file mode 100644 index 0000000000000000000000000000000000000000..cc1daf2d4ea2b19f3561d054ad6b04eb581b1016 GIT binary patch literal 69632 zcmeI0U2I%O701uLyL-J}dw1=orhFv9X$v%=c5Ek3*GU7i*Ip88L+A%>rJ`bDJKok_ zM_s!~8iXRCLgAsMQV~dfK?n(o5N}9TKp-KZikBjxihii7ig+n6NTI3#1!VsJxiend z#7Ww!JpJ$L?wyY_XU_c2nKO5HVqvaUUzoMcSL_?k;Tc=TtSj0q@}BFX|GM<4_pC$; zL_h>YKmYKmq(?Msc@*Ng2)%nEt4w{m80X4m(a4Wa!o{)Tv`*9%t}a~^Z@+JQNF{lm-u%(t`c z8MMu9vggyN|I`0T^5IQ$EP7oW`>ZcdLAC~+7dGjk%(Y&BX=_P-Jp4h^YI;|tJ$vBO zvaR{Q@z~*~YtO$Hm7~Zyqt_4p?I&R-mT&p%Gk4zj=a*kR_iXo%zk`)fYP8$Fi6R%s z>q2MFChSq0wT3OD{w>_eL%#D@<(!?iMO#2;6CJr|*ybU&Y$xrY?Zu~Q$I&tinQ4^! z@vNie5nDoS$>t#0kNOhY_u47+HSip=0etqOG+-5c&#q11+)#_7)zuf_tKhe#yA!+1 z&Or0Bn-Kv%y1IHl><8mt?dFT&$y93>4 z;I}1koB?-==By_R?8i`f%4h`mR4IT`GfG4r; zOjJO$v~o!;Q(Q;;PAH_wv?L`TmkL&(EstYRNC-dtdxuq>80}bamISO1K(1EvJG^kQ zV588u48s{M%UEfux723kgh_#JAO2mpaq3hP*R;i;BEw~MbrExfB=X!Z+OdGs&hQmC zQR?0!v;*EW+ERF_-N)>42sZKYR^%<8FtyUPkB{U*c;2%O07~ta&qQ4=oS2MxeFGs{ zh2%5>sp0IV)4D9mMysn#-^^-s+@VI^fm%c;(71H3#JQ*wCY-`}ZfxGEt{JqD^%zuy zB>aQ^JlsjQtiZAqq1i_vk%W9aH<{QyP)O~5U7fZqlPz`IuB=@LQG}km5ve$^(pBWG z$MS}w3s)8;-gzrHIShC01E_Ub*^b~j(Z0)R38$f*3wiNPDET)A^j%8(a@Y*Ka-4b! zHg8N;eReO}8u0QG7&NWVhwCEh4STS1^4>kaeWUuD$>i<&lb2q3r{nj!eMc1BA8AxF zQ>4lJYe$zW;mBaQk3%ODoEZCr#! 
zld3k!@Tc1Nn@!&ZD`{N?Q zXiHmapv_foOtf(^cZD(IkmvEn$UeE|ueg|8flqq)%z!BqOI&Qbf-JKXHy?NE8OY{S z+1va&$;Yp=3voj$PT+1pe!;?e!buhv+pn;abS9EwWKTLRB!&$|Vwat<>h?5qDBlal zF@|NXiYb`(cBG@}bH*8WtG741w&mkuXDW4BZ%;zk3AeLa(SbBdn=TuDE%~EZM_eqW zM^T9MPqr-RMvQWw@pU96#yrL3n(n%Ed^wG*eSQU;)32a}$l|(ZVPD8>t+O{SGM~cA zoBYV0*2n}2iLXL@DQd#T?o{%!HXegyAe=@{I09Ncu1k3g`i#Ni>|*$d$)?Io^(8Y!Km2LB2(C4Z#Wd<;s-DyYfLjSQhC2m>rDA`D6?(z z{bjV>hx=ySJOX%JP#&>ndypmB7RFPSa((W#a|kbkeeUIx-xce%K|BxIFv3h+y_y4KBjF)Y*qTNz69G3^}fwkCfqI??BJA;^-M|m9OQ;3=cJg3ph{sttD zW5)E=w{@z7w+X(=2C05T4Br*{);{Uz(B2Dcn~3PIIIBlsXFsez0L%I0-HVYc_~z_s zunK&mTP#T2*>+hMG3 z0?$GGY^cEUF+5qTU>zf<54%qV-!-hNhMubP@38afD5P%1Nqz+HZbOhc0DaUj1Svji z@OKq=&5zlS=RV9ggqyvi7*l~A)LTP&0" directory + under the Temp folder upon execution. Files dropped under the "\nxc\" sub-directory of that + extraction path are unique to NetExec and serve as reliable on-disk indicators of execution. + NetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool used for + Active Directory enumeration, credential harvesting, and remote code execution. +references: + - https://github.com/Pennyw0rth/NetExec + - https://www.netexec.wiki/ +author: Swachchhanda Shrawan Poudel (Nextron Systems) +date: 2026-04-08 +tags: + - attack.execution + - attack.lateral-movement + - attack.discovery + - attack.t1021.002 + - attack.t1059.005 +logsource: + product: windows + category: file_event +detection: + selection: + - Image|contains: '\nxc-windows-latest\' + - TargetFilename|contains|all: + - '\Temp\_MEI' + - '\nxc\data\' + condition: selection +falsepositives: + - Unknown +level: high +regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/info.yml diff --git a/rules/windows/process_creation/proc_creation_win_hktl_netexec.yml b/rules/windows/process_creation/proc_creation_win_hktl_netexec.yml new file mode 100644 index 000000000..21c63c41f --- /dev/null 
+++ b/rules/windows/process_creation/proc_creation_win_hktl_netexec.yml
@@ -0,0 +1,41 @@
+title: HackTool - NetExec Execution
+id: 7638e5fe-600c-4289-a968-f49dd537ec7d
+status: experimental
+description: |
+ Detects execution of the hacktool NetExec.
+ NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration
+ In enterprise environments, the use of NetExec is considered suspicious or potentially malicious because it enables attackers to enumerate hosts, exploit network services, and move laterally across systems.
+ Threat actors and red teams commonly use NetExec to identify vulnerable systems, harvest credentials, and execute commands remotely.
+references:
+ - https://thedfirreport.com/2025/12/17/cats-got-your-files-lynx-ransomware/
+ - https://github.com/Pennyw0rth/NetExec
+ - https://www.netexec.wiki/
+author: Chirag Damani
+date: 2026-03-29
+tags:
+ - attack.discovery
+ - attack.t1018
+ - attack.lateral-movement
+ - attack.t1021
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\nxc.exe'
+ CommandLine|contains:
+ - ' ftp '
+ - ' ldap '
+ - ' mssql '
+ - ' nfs '
+ - ' rdp '
+ - ' smb '
+ - ' ssh '
+ - ' vnc '
+ - ' winrm '
+ - ' wmi '
+ condition: selection
+falsepositives:
+ - Legitimate use of NetExec by security professionals or system administrators for network assessment and management.
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/info.yml
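Review bot: The selection keys entirely on the default binary name via `Image|endswith: '\nxc.exe'`, so a copy of the release binary under another name produces no alert, and the space-padded tokens such as `' smb '` in `CommandLine|contains` only match when the protocol is followed by a further argument. If the release binary carries a version resource, an alternative match on `OriginalFileName` would make the image check name-independent — verify the actual value from the regression evtx before adding it, since PyInstaller builds do not always set one; if it does not, the description should state that the rule relies on the default file name. The second description line, `... penetration testing and network enumeration`, is missing its full stop and runs into the next sentence. The hunk holds the complete rule.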