HackTool - NetExec Execution
Detects execution of the hacktool NetExec. NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration In enterprise environments, the use of NetExec is considered suspicious or potentially malicious because it enables attackers to enumerate hosts, exploit network services, and move laterally across systems. Threat actors and red teams commonly use NetExec to identify vulnerable systems, harvest credentials, and execute commands remotely.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
selection:
Image|endswith: '\nxc.exe'
CommandLine|contains:
- ' ftp '
- ' ldap '
- ' mssql '
- ' nfs '
- ' rdp '
- ' smb '
- ' ssh '
- ' vnc '
- ' winrm '
- ' wmi '
condition: selectionLegitimate use of NetExec by security professionals or system administrators for network assessment and management.