NetSupport Manager Execution from an Unusual Path
Identifies execution of the NetSupport remote access software from non-default paths. Adversaries may abuse NetSupport Manager to control a target victim machine.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2025/08/20"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
maturity = "production"
updated_date = "2025/08/20"

[rule]
author = ["Elastic"]
description = """
Identifies execution of the NetSupport remote access software from non-default paths. Adversaries may abuse NetSupport
Manager to control a target victim machine.
"""
from = "now-9m"
index = [
  "endgame-*",
  "logs-crowdstrike.fdr*",
  "logs-endpoint.events.process-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-system.security*",
  "logs-windows.sysmon_operational-*",
  "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "NetSupport Manager Execution from an Unusual Path"
note = """## Triage and analysis

### Investigating NetSupport Manager Execution from an Unusual Path

NetSupport Manager is a remote access tool that facilitates legitimate remote support but can be exploited by adversaries to execute unauthorized commands.

### Possible investigation steps

- Review the origin of the NetSupport file and whether it is related to an authorized IT support case.
- Examine whether the NetSupport process is set to persist on the affected system via a scheduled task, the Startup folder or a Run key.
- Check the network, file and child process activity associated with the NetSupport client32.exe process.
- Correlate the event with other security alerts or logs from data sources like Elastic Defend or Microsoft Defender for Endpoint to gather additional context and identify any related malicious activities.

### False positive analysis

- Legitimate IT support activities using NetSupport by IT support accounts.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker.
- Terminate any suspicious processes identified in the alert, such as PowerShell, cmd.exe, or other flagged executables, to halt any ongoing malicious activity.
- Review and revoke any unauthorized user accounts or privileges that may have been created or modified using tools like net.exe or schtasks.exe.
- Conduct a thorough scan of the affected system using endpoint protection tools to identify and remove any malware or unauthorized software installed by the attacker.
- Restore the system from a known good backup if any critical system files or configurations have been altered or compromised.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for ScreenConnect and other remote access tools to detect similar activities in the future, ensuring that alerts are promptly reviewed and acted upon."""
references = [
  "https://www.netsupportsoftware.com/",
]
risk_score = 73
rule_id = "5f73aef2-7abc-4fd9-ac0d-ab8ec3e13891"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Command and Control",
  "Resources: Investigation Guide",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: Windows Security Event Logs",
  "Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  (process.name : "client32.exe" or ?process.pe.original_file_name == "client32.exe" or process.parent.name : "client32.exe") and
  (
    process.executable :
      ("?:\\Users\\*.exe",
       "?:\\ProgramData\\*.exe",
       "\\Device\\HarddiskVolume?\\Users\\*.exe",
       "\\Device\\HarddiskVolume?\\ProgramData\\*.exe") or
    ?process.parent.executable : ("?:\\Users\\*\\client32.exe", "?:\\ProgramData\\*\\client32.exe")
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1219"
name = "Remote Access Tools"
reference = "https://attack.mitre.org/techniques/T1219/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
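To make the query's logic concrete, the following added example (not part of the Elastic rule or its repository) re-implements the EQL predicate above in Python and runs it over a handful of constructed process-start events. It assumes flat ECS-style field names as dictionary keys, treats the EQL `:` operator as a case-insensitive wildcard match and `==` as an exact match, and uses `fnmatch` for the `?`/`*` glob semantics.

```python
import fnmatch

# Path patterns copied from the rule's EQL query. In EQL, ':' is a
# case-insensitive wildcard match: '?' is one character, '*' any run.
PATH_PATTERNS = [
    r"?:\Users\*.exe",
    r"?:\ProgramData\*.exe",
    r"\Device\HarddiskVolume?\Users\*.exe",
    r"\Device\HarddiskVolume?\ProgramData\*.exe",
]
PARENT_PATTERNS = [r"?:\Users\*\client32.exe", r"?:\ProgramData\*\client32.exe"]


def eql_like(value, patterns):
    """Case-insensitive EQL-style ':' match; a missing (optional) field never matches."""
    if value is None:
        return False
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def matches_rule(event):
    """Evaluates the rule's predicate against one process-start event (dict of ECS fields)."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    # Three ways to recognise NetSupport: process name, PE original file name
    # (catches renamed binaries; EQL '==' is an exact match), or the parent name.
    is_netsupport = (
        eql_like(event.get("process.name"), ["client32.exe"])
        or event.get("process.pe.original_file_name") == "client32.exe"
        or eql_like(event.get("process.parent.name"), ["client32.exe"])
    )
    if not is_netsupport:
        return False
    # Alert only when the binary (or its client32.exe parent) lives outside a default install path.
    return eql_like(event.get("process.executable"), PATH_PATTERNS) or eql_like(
        event.get("process.parent.executable"), PARENT_PATTERNS)


# Constructed sample events (hypothetical paths and users, not real telemetry).
SAMPLE_EVENTS = [
    {"host.os.type": "windows", "event.type": "start", "process.name": "client32.exe",
     "process.executable": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"},  # default path
    {"host.os.type": "windows", "event.type": "start", "process.name": "updater.exe",
     "process.pe.original_file_name": "client32.exe",
     "process.executable": r"C:\Users\alice\AppData\Roaming\updater.exe"},  # renamed binary
    {"host.os.type": "windows", "event.type": "start", "process.name": "CLIENT32.EXE",
     "process.executable": r"\Device\HarddiskVolume3\ProgramData\svc\CLIENT32.EXE"},  # device path
    {"host.os.type": "windows", "event.type": "start", "process.name": "cmd.exe",
     "process.executable": r"C:\Windows\System32\cmd.exe", "process.parent.name": "client32.exe",
     "process.parent.executable": r"C:\Users\bob\Downloads\client32.exe"},  # child of client32.exe
    {"host.os.type": "linux", "event.type": "start", "process.name": "client32.exe",
     "process.executable": "/home/x/client32.exe"},  # wrong OS, ignored
]


def alerts(events=SAMPLE_EVENTS):
    """Returns the indexes of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]
```

Running `alerts()` flags the renamed binary, the device-path execution and the child process, while the default-path install and the non-Windows event stay silent.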
Related rules
- Suspicious Execution from INET Cache
- Potential File Transfer via Curl for Windows
- Attempt to Establish VScode Remote Tunnel
- Suspicious ScreenConnect Client Child Process
- Potential File Download via a Headless Browser