
Summary
This Windows file-event rule detects on-disk indicators consistent with NetExec (nxc.exe) execution by monitoring file creation events during NetExec's PyInstaller extraction. The Windows build of NetExec is a PyInstaller one-file bundle: at start-up it unpacks its embedded data into a temporary directory named _MEI<random> under the Temp folder. Files dropped under the nxc\data\ sub-directory of that extraction path are a strong indicator of NetExec activity.

The detection logic requires two conditions on the same file creation event: (1) the process image path contains \nxc-windows-latest\, the folder name of the unpacked NetExec Windows release archive, and (2) the newly created file (TargetFilename) resides under a Temp _MEI path and a nxc\data\ subpath. When both are observed, an alert is raised.

NetExec (formerly CrackMapExec) is commonly used for post-exploitation tasks such as Active Directory enumeration, credential harvesting, and remote code execution, so a match is a high-severity indicator of potential misuse. Because both conditions must hold, legitimate PyInstaller-based software that merely extracts into a _MEI directory should not match on its own; the more likely false positives are authorized penetration tests or red team exercises that run NetExec from the stock release folder. The trade-off is coverage: an operator who renames or relocates the release directory so that the image path no longer contains \nxc-windows-latest\ will not trigger this rule, so treat it as a low-effort, high-confidence indicator rather than a complete NetExec detection. The rule is designed for Windows endpoint monitoring and uses file creation events as its primary signal, aligning with file-system-based indicators of execution.
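The two conditions above, run over constructed file creation events, as an added example that is not the rule's own query language or any code shipped with NetExec. The field names Image and TargetFilename follow the usual endpoint-sensor convention for process image path and created file; the "id" label, the sample paths and file names are assumptions made up for this example. The sample set includes a benign PyInstaller application and a renamed nxc.exe so the rule's false-positive behaviour and its evasion gap are both visible.

```python
import re
from typing import Dict, List

# Condition (2): a PyInstaller one-file extraction directory under a Temp folder
# (e.g. ...\AppData\Local\Temp\_MEI123456\) followed by the nxc\data\ subpath.
# Case-insensitive because NTFS paths are, and sensors do not normalise case.
_MEI_NXC_DATA = re.compile(r"\\Temp\\_MEI[^\\]+\\nxc\\data\\", re.IGNORECASE)

# Condition (1): the folder name of the unpacked NetExec Windows release archive,
# expected somewhere in the process image path.
_IMAGE_MARKER = "\\nxc-windows-latest\\"


def matches_netexec_extraction(event: Dict[str, str]) -> bool:
    """Return True when one file creation event satisfies both rule conditions."""
    image = event.get("Image", "")          # assumed field: process image path
    target = event.get("TargetFilename", "")  # created file, as named in the rule
    image_hit = _IMAGE_MARKER.lower() in image.lower()
    target_hit = _MEI_NXC_DATA.search(target) is not None
    return image_hit and target_hit


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Return the labels of all events that would raise an alert."""
    return [e["id"] for e in events if matches_netexec_extraction(e)]


# Constructed sample events (not real telemetry); "id" is a local label only.
SAMPLE_EVENTS = [
    {   # true positive: nxc.exe run from the release folder, dropping data files
        "id": "tp-1",
        "Image": r"C:\Users\alice\Downloads\nxc-windows-latest\nxc.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\_MEI48322\nxc\data\config.txt",
    },
    {   # true positive with mixed case in both paths
        "id": "tp-2",
        "Image": r"D:\Tools\NXC-Windows-Latest\nxc.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\_MEI91002\NXC\DATA\list.txt",
    },
    {   # benign PyInstaller app: _MEI extraction, but neither nxc marker present
        "id": "benign-pyinstaller",
        "Image": r"C:\Program Files\SomeVendor\tool.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\_MEI77110\vendor\data\config.json",
    },
    {   # evasion: nxc.exe renamed and moved out of the nxc-windows-latest folder
        "id": "renamed-nxc",
        "Image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\_MEI55001\nxc\data\config.txt",
    },
    {   # right image path, but the created file is not under nxc\data\
        "id": "other-file",
        "Image": r"C:\Users\alice\Downloads\nxc-windows-latest\nxc.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\_MEI48322\python312.dll",
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if matches_netexec_extraction(event) else "no match"
        print(f"{event['id']:>20}: {verdict}")
```

Only tp-1 and tp-2 fire. The benign PyInstaller event shows why the combined conditions keep generic _MEI extraction quiet, and renamed-nxc shows the gap: the nxc\data\ drop still happens, but condition (1) no longer holds, so anyone tuning this rule for coverage would pair it with a detection that keys on the extraction path alone at a lower severity.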
Categories
- Windows
- Endpoint
Data Sources
- File
Created: 2026-04-08