HackTool - NetExec File Indicators

Rule Info

Name: HackTool - NetExec File Indicators
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects file creation events indicating NetExec (nxc.exe) execution on the local machine. NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI<random>" directory under the Temp folder upon execution. Files dropped under the "\nxc\" sub-directory of that extraction path are unique to NetExec and serve as reliable on-disk indicators of execution. NetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool used for Active Directory enumeration, credential harvesting, and remote code execution.
Date: 2026-04-08 00:00:00
Modified: None
Id: efc21479-9e83-41da-8cf1-122e06ba8db3
Tags: attack.execution attack.lateral-movement attack.discovery attack.t1021.002 attack.t1059.005
Type: Community Rule

Rule History

Author: Chirag
Title: Merge PR #5922 from @CHIRAG-DAMANI-08 - Hacktool - NetExec Execution
Date: 2026-04-23
Commit: