Sigma Rule Update (2026-04-23 20:46:08) (#1020)

Co-authored-by: hach1yon <hach1yon@users.noreply.github.com>

Author: github-actions[bot]

sigma/builtin/process_creation/proc_creation_win_hktl_netexec.yml

@@ -0,0 +1,48 @@
+title: HackTool - NetExec Execution
+id: 837269f1-83f1-229a-c835-4371ad44e510
+related:
+    - id: 7638e5fe-600c-4289-a968-f49dd537ec7d
+      type: derived
+status: experimental
+description: |
+    Detects execution of the hacktool NetExec.
+    NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration
+    In enterprise environments, the use of NetExec is considered suspicious or potentially malicious because it enables attackers to enumerate hosts, exploit network services, and move laterally across systems.
+    Threat actors and red teams commonly use NetExec to identify vulnerable systems, harvest credentials, and execute commands remotely.
+references:
+    - https://thedfirreport.com/2025/12/17/cats-got-your-files-lynx-ransomware/
+    - https://github.com/Pennyw0rth/NetExec
+    - https://www.netexec.wiki/
+author: Chirag Damani
+date: 2026-03-29
+tags:
+    - attack.discovery
+    - attack.t1018
+    - attack.lateral-movement
+    - attack.t1021
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection:
+        CommandLine|contains:
+            - ' ftp '
+            - ' ldap '
+            - ' mssql '
+            - ' nfs '
+            - ' rdp '
+            - ' smb '
+            - ' ssh '
+            - ' vnc '
+            - ' winrm '
+            - ' wmi '
+        NewProcessName|endswith: \nxc.exe
+    condition: process_creation and selection
+falsepositives:
+    - Legitimate use of NetExec by security professionals or system administrators for network assessment and management.
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/info.yml
+ruletype: Sigma

sigma/builtin/process_creation/proc_creation_win_python_base64_encoded_execution.yml

@@ -0,0 +1,51 @@
+title: Python One-Liners with Base64 Decoding
+id: 89d785d7-fec2-209e-53a3-19a670b7e0ea
+related:
+    - id: 55e862a8-dd9c-4651-807a-f21fcad56716
+      type: similar
+    - id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
+      type: derived
+status: experimental
+description: |
+    Detects Python one-liners that use base64 decoding functions in command line executions.
+    Malicious scripts or attackers often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
+references:
+    - https://docs.python.org/3/library/base64.html
+    - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
+    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
+author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-03-09
+tags:
+    - attack.execution
+    - attack.t1059.006
+    - attack.defense-evasion
+    - attack.t1027.010
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 4688
+        Channel: Security
+    selection_img:
+        - NewProcessName|contains: \python
+        - OriginalFileName|contains: python
+    selection_cli:
+        CommandLine|contains|all:
+            - import
+            - base64
+            - ' -c'
+        CommandLine|contains:
+            - .decode
+            - b16decode
+            - b32decode
+            - b32hexdecode
+            - b64decode
+            - b85decode
+            - z85decode
+    condition: process_creation and (all of selection_*)
+falsepositives:
+    - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/info.yml
+ruletype: Sigma

sigma/sysmon/file/file_event/file_event_win_hktl_netexec_file_indicators.yml

@@ -0,0 +1,43 @@
+title: HackTool - NetExec File Indicators
+id: bfafc85b-b7a8-f884-6231-10607569111e
+related:
+    - id: efc21479-9e83-41da-8cf1-122e06ba8db3
+      type: derived
+status: experimental
+description: |
+    Detects file creation events indicating NetExec (nxc.exe) execution on the local machine.
+    NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI<random>" directory
+    under the Temp folder upon execution. Files dropped under the "\nxc\" sub-directory of that
+    extraction path are unique to NetExec and serve as reliable on-disk indicators of execution.
+    NetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool used for
+    Active Directory enumeration, credential harvesting, and remote code execution.
+references:
+    - https://github.com/Pennyw0rth/NetExec
+    - https://www.netexec.wiki/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-04-08
+tags:
+    - attack.execution
+    - attack.lateral-movement
+    - attack.discovery
+    - attack.t1021.002
+    - attack.t1059.005
+    - sysmon
+logsource:
+    product: windows
+    category: file_event
+detection:
+    file_event:
+        EventID: 11
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection:
+        - Image|contains: \nxc-windows-latest\
+        - TargetFilename|contains|all:
+              - \Temp\_MEI
+              - \nxc\data\
+    condition: file_event and selection
+falsepositives:
+    - Unknown
+level: high
+regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_hktl_netexec_file_indicators/info.yml
+ruletype: Sigma

sigma/sysmon/process_creation/proc_creation_win_hktl_netexec.yml

@@ -0,0 +1,49 @@
+title: HackTool - NetExec Execution
+id: bf950c44-b573-6c09-c1cc-45745bded2bc
+related:
+    - id: 7638e5fe-600c-4289-a968-f49dd537ec7d
+      type: derived
+status: experimental
+description: |
+    Detects execution of the hacktool NetExec.
+    NetExec (formerly CrackMapExec) is a widely used post-exploitation tool designed for Active Directory penetration testing and network enumeration
+    In enterprise environments, the use of NetExec is considered suspicious or potentially malicious because it enables attackers to enumerate hosts, exploit network services, and move laterally across systems.
+    Threat actors and red teams commonly use NetExec to identify vulnerable systems, harvest credentials, and execute commands remotely.
+references:
+    - https://thedfirreport.com/2025/12/17/cats-got-your-files-lynx-ransomware/
+    - https://github.com/Pennyw0rth/NetExec
+    - https://www.netexec.wiki/
+author: Chirag Damani
+date: 2026-03-29
+tags:
+    - attack.discovery
+    - attack.t1018
+    - attack.lateral-movement
+    - attack.t1021
+    - sysmon
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 1
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection:
+        Image|endswith: \nxc.exe
+        CommandLine|contains:
+            - ' ftp '
+            - ' ldap '
+            - ' mssql '
+            - ' nfs '
+            - ' rdp '
+            - ' smb '
+            - ' ssh '
+            - ' vnc '
+            - ' winrm '
+            - ' wmi '
+    condition: process_creation and selection
+falsepositives:
+    - Legitimate use of NetExec by security professionals or system administrators for network assessment and management.
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_hktl_netexec/info.yml
+ruletype: Sigma

sigma/sysmon/process_creation/proc_creation_win_python_base64_encoded_execution.yml

@@ -0,0 +1,52 @@
+title: Python One-Liners with Base64 Decoding
+id: 23f449fe-55a7-4f4f-7026-aed63cfaab29
+related:
+    - id: 55e862a8-dd9c-4651-807a-f21fcad56716
+      type: similar
+    - id: 50a0aa3d-ab16-4594-a8aa-5145a6e6792b
+      type: derived
+status: experimental
+description: |
+    Detects Python one-liners that use base64 decoding functions in command line executions.
+    Malicious scripts or attackers often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.
+references:
+    - https://docs.python.org/3/library/base64.html
+    - https://www.virustotal.com/gui/file/bc43e925d7b4b74319f6e74e836a96f1997ba404e14ac566cf12a21e9da463db/behavior
+    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
+author: Hugh Ryan (HueCodes), Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-03-09
+tags:
+    - attack.execution
+    - attack.t1059.006
+    - attack.defense-evasion
+    - attack.t1027.010
+    - sysmon
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    process_creation:
+        EventID: 1
+        Channel: Microsoft-Windows-Sysmon/Operational
+    selection_img:
+        - Image|contains: \python
+        - OriginalFileName|contains: python
+    selection_cli:
+        CommandLine|contains|all:
+            - import
+            - base64
+            - ' -c'
+        CommandLine|contains:
+            - .decode
+            - b16decode
+            - b32decode
+            - b32hexdecode
+            - b64decode
+            - b85decode
+            - z85decode
+    condition: process_creation and (all of selection_*)
+falsepositives:
+    - Legitimate use of Python for decoding data, which is uncommon in typical enterprise environments but possible in development or data analysis contexts.
+level: high
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_python_base64_encoded_execution/info.yml
+ruletype: Sigma