NetExec File Creation Detection

NetExec (formerly CrackMapExec) is a widely used post-exploitation tool favored by penetration testers and malicious actors for Active Directory enumeration, credential harvesting, and remote code execution. When executed on a Windows system, NetExec extracts its embedded data files into a temporary directory named “_MEI” followed by a random string, located under the user’s Temp folder. A specific subdirectory, “\nxc\data", within this extraction path contains files unique to NetExec. These file creation events offer a reliable indicator for detecting NetExec execution on a host. This activity is important for defenders as it signals potential reconnaissance, lateral movement attempts, or the establishment of a foothold within the network.

Attack Chain

1. An attacker gains initial access to a system through various means (e.g., compromised credentials, exploiting a vulnerability).
2. The attacker uploads the NetExec executable (nxc.exe) to the compromised host.
3. The attacker executes nxc.exe.
4. NetExec extracts its embedded data files into a temporary directory. The path follows the pattern: \Temp\_MEI<random>\.
5. Within the temporary directory, a specific subdirectory \nxc\data\ is created, containing NetExec’s data files.
6. NetExec utilizes these files for Active Directory enumeration, credential harvesting, and reconnaissance activities.
7. The attacker leverages gathered information to move laterally within the network, potentially targeting other systems or services.
8. The attacker may attempt to execute code remotely using harvested credentials, furthering their access and control within the environment.

Impact

Successful NetExec deployment can lead to extensive reconnaissance of Active Directory environments, enabling attackers to map out network infrastructure, identify valuable targets, and harvest credentials. This can result in unauthorized access to sensitive data, lateral movement to critical systems, and ultimately, a complete compromise of the domain. Organizations in all sectors are vulnerable, with the impact ranging from data breaches and financial loss to reputational damage and operational disruption.

Recommendation

• Deploy the provided Sigma rule Detect NetExec File Creation to your SIEM to detect NetExec’s unique file creation patterns (logsource: file_event, product: windows).
• Monitor file creation events in the \Temp directory for filenames containing _MEI and \nxc\data\, as these indicate NetExec’s extraction process.
• Enable process-creation logging with command-line arguments to identify the execution of nxc.exe (logsource: process_creation, product: windows).
• Investigate any alerts generated by these rules to determine the extent of the compromise and contain any further lateral movement.