
Summary
Detects the execution of the hacktool NetExec (CrackMapExec) on Windows endpoints by monitoring process creation events where the executed image ends with nxc.exe and the command line contains common network-service targets (ftp, ldap, mssql, nfs, rdp, smb, ssh, vnc, winrm, wmi). NetExec is a post-exploitation and enumeration tool commonly used for Active Directory assessments, credential harvesting, and lateral movement. When an adversary or red team uses NetExec to identify vulnerable hosts or pivot across the network, these indicators—a NetExec process launching and command-line parameters targeting network services—often appear together. The rule raises a high-severity alert to trigger investigation of potential lateral movement, discovery, and credential access activities on the host. False positives include legitimate security testing or authorized red-team activities. To reduce noise, correlate with additional signals such as abnormal multiple-host discovery, unusual binary paths, persistence mechanisms, or credential access behavior, and validate operator intent. Recommended responses include isolating the host, collecting and inspecting process and network logs, and searching for corroborating NetExec usage across the environment.
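As an added example that is not part of the original rule, the detection logic above implemented in Python and run over constructed process-creation events; the event field names, the file-name match for the image, and the whole-word match for service targets are assumptions of this example rather than the rule's own wording.

```python
"""Added example (not part of the original rule): the NetExec detection
logic described above, run over constructed process-creation events.
Field names (image, command_line) and all sample values are assumptions."""

import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Network-service targets named in the rule text.
NETEXEC_SERVICES = ("ftp", "ldap", "mssql", "nfs", "rdp", "smb", "ssh", "vnc", "winrm", "wmi")

# Whole-word match so that e.g. "\sshd\" or "smbclient" do not trigger on their own.
_SERVICE_RE = re.compile(r"\b(" + "|".join(NETEXEC_SERVICES) + r")\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation event (constructed; mirrors Sysmon Event ID 1 fields)."""
    image: str          # full path of the executed binary
    command_line: str   # full command line


def netexec_service(event: ProcessEvent) -> Optional[str]:
    """Return the matched service name if the event satisfies the rule, else None.

    Image check: the executable's file name is nxc.exe (case-insensitive).
    Command-line check: at least one NetExec service target appears as a word.
    """
    if ntpath.basename(event.image).lower() != "nxc.exe":
        return None
    m = _SERVICE_RE.search(event.command_line)
    return m.group(1).lower() if m else None


def evaluate(events: List[ProcessEvent]) -> List[dict]:
    """Run the rule over a batch of events and return one high-severity alert per match."""
    return [
        {"severity": "high", "image": ev.image, "service": svc}
        for ev in events
        if (svc := netexec_service(ev))
    ]


# Constructed sample events (TEST-NET addresses; not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Tools\nxc.exe", r"nxc.exe smb 192.0.2.0/24"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"svchost.exe -k netsvcs"),
    ProcessEvent(r"C:\Tools\nxc.exe", r"nxc.exe --help"),                     # no service target
    ProcessEvent(r"C:\Program Files\OpenSSH\ssh.exe", r"ssh.exe user@host"),  # service word, other image
    ProcessEvent(r"D:\stage\NXC.EXE", r"NXC.EXE LDAP 192.0.2.10"),            # case-insensitive match
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The two expected alerts (smb and ldap) are the only events where both the image and the command-line condition hold; the remaining samples show why each condition alone is insufficient.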
Categories
- Endpoint
- Windows
Data Sources
- Image
- Command
- Process
Created: 2026-03-29