Hide Navigation
Hide TOC
Detects file creation events indicating NetExec (nxc.exe) execution on the local machine.
NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI" directory
under the Temp folder upon execution. Files dropped under the "\nxc\" sub-directory of that
extraction path are unique to NetExec and serve as reliable on-disk indicators of execution.
NetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool used for
Active Directory enumeration, credential harvesting, and remote code execution.