NetExec File Creation Detection

hello@craftedsignal.io — Thu, 18 Jan 2024 12:00:00 +0000

NetExec (formerly CrackMapExec) is a widely used post-exploitation tool favored by penetration testers and malicious actors for Active Directory enumeration, credential harvesting, and remote code execution. When executed on a Windows system, NetExec extracts its embedded data files into a temporary directory named “_MEI” followed by a random string, located under the user’s Temp folder. A specific subdirectory, “\nxc\data", within this extraction path contains files unique to NetExec. These file creation events offer a reliable indicator for detecting NetExec execution on a host. This activity is important for defenders as it signals potential reconnaissance, lateral movement attempts, or the establishment of a foothold within the network.

Attack Chain

An attacker gains initial access to a system through various means (e.g., compromised credentials, exploiting a vulnerability).
The attacker uploads the NetExec executable (nxc.exe) to the compromised host.
The attacker executes nxc.exe.
NetExec extracts its embedded data files into a temporary directory. The path follows the pattern: \Temp\_MEI\.
Within the temporary directory, a specific subdirectory \nxc\data\ is created, containing NetExec’s data files.
NetExec utilizes these files for Active Directory enumeration, credential harvesting, and reconnaissance activities.
The attacker leverages gathered information to move laterally within the network, potentially targeting other systems or services.
The attacker may attempt to execute code remotely using harvested credentials, furthering their access and control within the environment.

Impact

Successful NetExec deployment can lead to extensive reconnaissance of Active Directory environments, enabling attackers to map out network infrastructure, identify valuable targets, and harvest credentials. This can result in unauthorized access to sensitive data, lateral movement to critical systems, and ultimately, a complete compromise of the domain. Organizations in all sectors are vulnerable, with the impact ranging from data breaches and financial loss to reputational damage and operational disruption.

Recommendation

Deploy the provided Sigma rule Detect NetExec File Creation to your SIEM to detect NetExec’s unique file creation patterns (logsource: file_event, product: windows).
Monitor file creation events in the \Temp directory for filenames containing _MEI and \nxc\data\, as these indicate NetExec’s extraction process.
Enable process-creation logging with command-line arguments to identify the execution of nxc.exe (logsource: process_creation, product: windows).
Investigate any alerts generated by these rules to determine the extent of the compromise and contain any further lateral movement.

Detection of NetExec Hacktool Execution

hello@craftedsignal.io — Wed, 03 Jan 2024 14:35:00 +0000

NetExec, previously known as CrackMapExec, is a post-exploitation tool commonly used during Active Directory penetration testing. It is also favored by red teams and malicious actors for reconnaissance, lateral movement, and credential harvesting within Windows networks. This tool allows for the enumeration of hosts, exploitation of network services, and remote command execution. The use of NetExec in an enterprise environment is considered suspicious due to its capabilities for identifying vulnerable systems and facilitating unauthorized access. Defenders should monitor for its execution, as it is often a precursor to more serious attacks, including ransomware deployment, such as the Lynx ransomware.

Attack Chain

An attacker gains initial access to a Windows system via an exploit or compromised credentials.
NetExec (nxc.exe) is deployed on the compromised host, often copied to a temporary directory.
NetExec is executed with commands to enumerate network shares and identify potential targets using SMB.
The tool uses LDAP to query Active Directory for user accounts, groups, and organizational units.
NetExec attempts to authenticate to other systems using gathered or compromised credentials via protocols such as SMB, SSH, or RDP.
Successful authentication allows for remote command execution via WMI or WinRM.
The attacker leverages identified vulnerabilities or misconfigurations to escalate privileges on the target systems.
The attacker moves laterally through the network, gaining access to sensitive data or deploying ransomware like Lynx.

Impact

Successful execution of NetExec can lead to widespread compromise within an Active Directory environment. Attackers can identify and exploit vulnerable systems, harvest credentials, and move laterally to gain access to critical assets. This can result in data theft, system disruption, and ransomware deployment, potentially affecting hundreds or thousands of systems depending on the size of the organization. The tool is often used as a precursor to ransomware attacks, where entire networks can be encrypted, leading to significant financial and reputational damage.

Recommendation

Deploy the Sigma rule HackTool - NetExec Execution to your SIEM to detect the execution of NetExec based on process creation logs.
Monitor process creation events for nxc.exe with command-line arguments associated with network protocols like ftp, ldap, mssql, nfs, rdp, smb, ssh, vnc, winrm, and wmi.
Implement strict access controls and regularly audit Active Directory to minimize the potential for lateral movement.
Consider using application control solutions to prevent the execution of unauthorized tools like nxc.exe.

Post-Exploitation — CraftedSignal Threat Feed

NetExec File Creation Detection

Attack Chain

Impact

Recommendation

Detection of NetExec Hacktool Execution

Attack Chain

Impact

Recommendation