← Back to SOC feed Coverage →

HackTool - NetExec Execution

sigma HIGH SigmaHQ
T1018T1021
imProcessCreate
backdoorcredential-theftexploit
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-04-24T09:00:00Z · Confidence: low

Hunt Hypothesis

Detects execution of the hacktool NetExec. NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration In enterpri

Detection Rule

Sigma (Original)

title: HackTool - NetExec Execution
id: 7638e5fe-600c-4289-a968-f49dd537ec7d
status: experimental
description: |
    Detects execution of the hacktool NetExec.
    NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration
    In enterprise environments, the use of NetExec is considered suspicious or potentially malicious because it enables attackers to enumerate hosts, exploit network services, and move laterally across systems.
    Threat actors and red teams commonly use NetExec to identify vulnerable systems, harvest credentials, and execute commands remotely.
references:
    - https://thedfirreport.com/2025/12/17/cats-got-your-files-lynx-ransomware/
    - https://github.com/Pennyw0rth/NetExec
    - https://www.netexec.wiki/
author: Chirag Damani
date: 2026-03-29
tags:
    - attack.discovery
    - attack.t1018
    - attack.lateral-movement
    - attack.t1021
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\nxc.exe'
        CommandLine|contains:
            - ' ftp '
            - ' ldap '
            - ' mssql '
            - ' nfs '
            - ' rdp '
            - ' smb '
            - ' ssh '
            - ' vnc '
            - ' winrm '
            - ' wmi '
    condition: selection
falsepositives:
    - Legitimate use of NetExec by security professionals or system administrators for network assessment and management.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/info.yml

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessName endswith "\\nxc.exe" and (TargetProcessCommandLine contains " ftp " or TargetProcessCommandLine contains " ldap " or TargetProcessCommandLine contains " mssql " or TargetProcessCommandLine contains " nfs " or TargetProcessCommandLine contains " rdp " or TargetProcessCommandLine contains " smb " or TargetProcessCommandLine contains " ssh " or TargetProcessCommandLine contains " vnc " or TargetProcessCommandLine contains " winrm " or TargetProcessCommandLine contains " wmi ")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_hktl_netexec.yml