HackTool - NetExec File Indicators

Original Source: [Sigma source]
Title: HackTool - NetExec File Indicators
Status: experimental
Description: Detects file creation events indicating NetExec (nxc.exe) execution on the local machine. NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI<random>" directory under the Temp folder upon execution. Files dropped under the "\nxc\" sub-directory of that extraction path are unique to NetExec and serve as reliable on-disk indicators of execution. NetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool used for Active Directory enumeration, credential harvesting, and remote code execution.
References:
  - https://github.com/Pennyw0rth/NetExec
  - https://www.netexec.wiki/
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2026-04-08
Modified: None
Tags:
  • attack.execution
  • attack.lateral-movement
  • attack.discovery
  • attack.t1021.002
  • attack.t1059.005
Logsource:
  • product: windows
  • category: file_event
Detection:
  selection:
    - Image|contains: '\nxc-windows-latest\'
    - TargetFilename|contains|all:
        - '\Temp\_MEI'
        - '\nxc\data\'
  condition: selection
Falsepositives:
  - Unknown
Level: high
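
The rule's matching logic run over constructed file-creation events, as an added example that is not part of the Sigma rule or the NetExec project. It assumes the two selection entries are alternatives (OR), that `contains|all` requires every substring, and that Sigma string matching ignores case; all event paths and file names below are constructed.

```python
# Added example: the rule's selection evaluated in plain Python.
# Assumption: the two selection entries are alternatives (OR); inside an entry,
# "contains|all" requires every substring. Sigma string matching ignores case.
SELECTION = [
    ("Image", ["\\nxc-windows-latest\\"]),
    ("TargetFilename", ["\\Temp\\_MEI", "\\nxc\\data\\"]),
]

def rule_matches(event):
    """Return True when any selection entry matches the file_event record."""
    for field, needles in SELECTION:
        value = event.get(field, "").lower()
        if all(n.lower() in value for n in needles):
            return True
    return False

def triage(events):
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if rule_matches(e)]

# Constructed file_event records (paths and file names are made up).
EVENTS = [
    # Image path lacks the folder name; the extraction path still matches.
    {"id": "extract-path",
     "Image": r"C:\Users\alice\Downloads\tool.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\_MEI52162\nxc\data\sample.conf"},
    # Process image sits in the named folder; the target file is unrelated.
    {"id": "image-folder",
     "Image": r"C:\Tools\nxc-windows-latest\nxc.exe",
     "TargetFilename": r"C:\Tools\out\report.txt"},
    # Different casing in the logged path must still match.
    {"id": "lowercase",
     "Image": r"c:\users\bob\desktop\tool.exe",
     "TargetFilename": r"c:\users\bob\appdata\local\temp\_mei7\NXC\DATA\sample.db"},
    # Another PyInstaller application: only one of the two substrings is present.
    {"id": "other-pyinstaller",
     "Image": r"C:\Program Files\SomeApp\app.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\_MEI9001\base_library.zip"},
    # An nxc\data directory outside a Temp\_MEI extraction path.
    {"id": "unrelated-nxc-dir",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"D:\projects\nxc\data\notes.txt"},
]

if __name__ == "__main__":
    for event_id in triage(EVENTS):
        print("ALERT", event_id)
```
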