DETECTION OVERVIEW

NetExec Activity

Risk Factors

NetExec is a common attack tool due to its extensive functionality and flexibility. While some NetExec features are relatively low risk, such as network reconnaissance, others features such as lateral movement and credential access are higher risk. Ultimately, unless this activity is part of an authorized security assessment, NetExec activity should be investigated before it enables critical and costly attacks.

Kill Chain

Exploitation

Risk Score

Attack Background

NetExec is a post-exploitation tool with extensive capabilities. An attacker runs NetExec to establish an SMB connection to the target device and performs NTLM authentication. Upon successful authentication, NetExec can test stolen credentials, enumerate Active Directory information, laterally move to other computers, and even dump credentials with techniques like DCSync.

Mitigation Options

Prevent NetExec activity with features such as AppLocker, application control, script blocking, and other prevention mechanisms

Reduce the number of users that have local administrator privileges

Restrict file share access to only authorized IP addresses

MITRE ATT&CK ID

T1021

Professional Services

Partners

Partner Login

Partner Finder

View All Use Cases

View All Industries

View All Integrations

Attack Background

Mitigation Options

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use cases