Powershell drops NetSupport RAT client
Sigma rule
title: Powershell drops NetSupport RAT client
status: experimental
description: Powershell drops NetSupport RAT client
author: Joe Security
id: 200105
threatname: NetSupport RAT
behaviorgroup: 21
classification: 4
logsource:
  service: sysmon
  product: windows
detection:
  selection:
    EventID: 11
    Image: '*\powershell.exe*'
    TargetFilename:
      - '*\AppData\Roaming\\*\NSM.lic*'

  condition: selection
level: critical
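The rule's selection evaluated over constructed Sysmon Event ID 11 records, as an added example that is not part of the original rule or of Joe Security's tooling. The matcher is a minimal stand-in for a Sigma backend (assumption: standard Sigma wildcard and backslash escaping, case-insensitive), and the user and folder names in the sample events are made up. It shows that `\\*` in TargetFilename means a backslash followed by a wildcard, so the rule only fires when NSM.lic lands in a subfolder of Roaming.

```python
import re

# Selection copied from the rule; YAML single quotes keep backslashes literal.
SELECTION = {
    "EventID": ["11"],
    "Image": [r"*\powershell.exe*"],
    "TargetFilename": [r"*\AppData\Roaming\\*\NSM.lic*"],
}

def sigma_to_regex(pattern):
    """Translate a Sigma wildcard string into a case-insensitive regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        nxt = pattern[i + 1] if i + 1 < len(pattern) else ""
        if c == "\\" and nxt in ("*", "?", "\\"):
            out.append(re.escape(nxt))  # escaped wildcard or backslash is literal
            i += 2
            continue
        # Unescaped * and ? are wildcards; everything else is a literal character.
        out.append(".*" if c == "*" else "." if c == "?" else re.escape(c))
        i += 1
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)

def matches(event, selection=SELECTION):
    """AND across fields, OR across the values listed for one field."""
    return all(
        any(sigma_to_regex(p).fullmatch(str(event.get(field, ""))) for p in patterns)
        for field, patterns in selection.items()
    )

# Constructed sample events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ROAMING = r"C:\Users\alice\AppData\Roaming"
EVENTS = {
    "drop_in_subfolder": {"EventID": 11, "Image": PS, "TargetFilename": ROAMING + r"\ExampleDir\NSM.lic"},
    "mixed_case": {"EventID": 11, "Image": PS.upper(), "TargetFilename": ROAMING + r"\ExampleDir\nsm.lic"},
    "directly_in_roaming": {"EventID": 11, "Image": PS, "TargetFilename": ROAMING + r"\NSM.lic"},
    "other_writer": {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": ROAMING + r"\ExampleDir\NSM.lic"},
    "wrong_event_id": {"EventID": 1, "Image": PS, "TargetFilename": ROAMING + r"\ExampleDir\NSM.lic"},
}

def evaluate():
    """Return {event name: True if the rule's selection matches}."""
    return {name: matches(ev) for name, ev in EVENTS.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:22} {'ALERT' if hit else 'no match'}")
```

A file written directly to `AppData\Roaming\NSM.lic`, or by a process other than powershell.exe, does not match, which is worth knowing when tuning coverage around this rule.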