Merge PR #5922 from @CHIRAG-DAMANI-08 - Hacktool - NetExec Execution

new: HackTool - NetExec File Indicators
new: Hacktool - NetExec Execution
---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

Author: 3 people

regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/efc21479-9e83-41da-8cf1-122e06ba8db3.evtx

@@ -0,0 +1,357 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 11,
+      "Version": 2,
+      "Level": 4,
+      "Task": 11,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-08T10:58:04.850672Z"
+        }
+      },
+      "EventRecordID": 129825,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4584,
+          "ThreadID": 5116
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-04-08 10:58:04.846",
+      "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00",
+      "ProcessId": 12184,
+      "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe",
+      "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\keepass_trigger_module\\RestartKeePass.ps1",
+      "CreationUtcTime": "2026-04-08 10:58:04.846",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 11,
+      "Version": 2,
+      "Level": 4,
+      "Task": 11,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-08T10:58:04.850722Z"
+        }
+      },
+      "EventRecordID": 129826,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4584,
+          "ThreadID": 5116
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-04-08 10:58:04.848",
+      "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00",
+      "ProcessId": 12184,
+      "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe",
+      "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\msol_dump\\entra-sync-creds.ps1",
+      "CreationUtcTime": "2026-04-08 10:58:04.848",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 11,
+      "Version": 2,
+      "Level": 4,
+      "Task": 11,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-08T10:58:04.864253Z"
+        }
+      },
+      "EventRecordID": 129827,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4584,
+          "ThreadID": 5116
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-04-08 10:58:04.850",
+      "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00",
+      "ProcessId": 12184,
+      "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe",
+      "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\ntds-dump-raw\\ntds-dump-raw.ps1",
+      "CreationUtcTime": "2026-04-08 10:58:04.850",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 11,
+      "Version": 2,
+      "Level": 4,
+      "Task": 11,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-08T10:58:04.864398Z"
+        }
+      },
+      "EventRecordID": 129828,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4584,
+          "ThreadID": 5116
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "EXE",
+      "UtcTime": "2026-04-08 10:58:04.860",
+      "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00",
+      "ProcessId": 12184,
+      "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe",
+      "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\procdump\\procdump.exe",
+      "CreationUtcTime": "2026-04-08 10:58:04.860",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 11,
+      "Version": 2,
+      "Level": 4,
+      "Task": 11,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-08T10:58:04.880069Z"
+        }
+      },
+      "EventRecordID": 129829,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4584,
+          "ThreadID": 5116
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-04-08 10:58:04.876",
+      "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00",
+      "ProcessId": 12184,
+      "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe",
+      "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\veeam_dump_module\\veeam_dump_mssql.ps1",
+      "CreationUtcTime": "2026-04-08 10:58:04.876",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 11,
+      "Version": 2,
+      "Level": 4,
+      "Task": 11,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-08T10:58:04.880098Z"
+        }
+      },
+      "EventRecordID": 129830,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4584,
+          "ThreadID": 5116
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-04-08 10:58:04.876",
+      "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00",
+      "ProcessId": 12184,
+      "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe",
+      "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\veeam_dump_module\\veeam_dump_postgresql.ps1",
+      "CreationUtcTime": "2026-04-08 10:58:04.876",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 11,
+      "Version": 2,
+      "Level": 4,
+      "Task": 11,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-08T10:58:04.888584Z"
+        }
+      },
+      "EventRecordID": 129831,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 4584,
+          "ThreadID": 5116
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-04-08 10:58:04.880",
+      "ProcessGuid": "0197231E-34BB-69D6-730F-000000000D00",
+      "ProcessId": 12184,
+      "Image": "C:\\Users\\xodih\\Downloads\\nxc-windows-latest\\nxc.exe",
+      "TargetFilename": "C:\\Users\\xodih\\AppData\\Local\\Temp\\_MEI121842\\nxc\\data\\wmiexec_event_vbscripts\\Exec_Command_Silent.vbs",
+      "CreationUtcTime": "2026-04-08 10:58:04.880",
+      "User": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/efc21479-9e83-41da-8cf1-122e06ba8db3.json

@@ -0,0 +1,13 @@
+id: 0f3349c0-c715-462e-bf26-2241a149f20e
+description: N/A
+date: 2026-04-08
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: efc21479-9e83-41da-8cf1-122e06ba8db3
+      title: HackTool - NetExec File Indicators
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 7
+      path: regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/efc21479-9e83-41da-8cf1-122e06ba8db3.evtx