NetSupport Manager Service Install

Detects NetSupport Manager service installation on the target system.

Sigma rule (View on GitHub)

 1title: NetSupport Manager Service Install
 2id: 2d510d8d-912b-45c5-b1df-36faa3d8c3f4
 3status: test
 4description: Detects NetSupport Manager service installation on the target system.
 5references:
 6    - http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-10-31
 9tags:
10    - attack.persistence
11logsource:
12    product: windows
13    service: system
14detection:
15    # Example:
16    #   <EventData>
17    #       <Data Name="ServiceName">Client32</Data>
18    #       <Data Name="ImagePath">"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" /* *</Data>
19    #       <Data Name="ServiceType">user mode service</Data>
20    #       <Data Name="StartType">auto start</Data>
21    #       <Data Name="AccountName">LocalSystem</Data>
22    #   </EventData>
23    selection_root:
24        Provider_Name: 'Service Control Manager'
25        EventID: 7045
26    selection_service:
27        - ImagePath|contains: '\NetSupport Manager\client32.exe'
28        - ServiceName: 'Client32'
29    condition: all of selection_*
30falsepositives:
31    - Legitimate use of the tool
32level: medium

References

Related rules

to-top