NetSupport Manager Service Install
Detects NetSupport Manager service installation on the target system.
Sigma rule
```yaml
title: NetSupport Manager Service Install
id: 2d510d8d-912b-45c5-b1df-36faa3d8c3f4
status: test
description: Detects NetSupport Manager service installation on the target system.
references:
    - http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-31
tags:
    - attack.persistence
logsource:
    product: windows
    service: system
detection:
    # Example:
    #   <EventData>
    #       <Data Name="ServiceName">Client32</Data>
    #       <Data Name="ImagePath">"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" /* *</Data>
    #       <Data Name="ServiceType">user mode service</Data>
    #       <Data Name="StartType">auto start</Data>
    #       <Data Name="AccountName">LocalSystem</Data>
    #   </EventData>
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains: '\NetSupport Manager\client32.exe'
        - ServiceName: 'Client32'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium
```
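The rule's matching logic, written out as an added example (not part of the Sigma project or its tooling) and run over constructed events. The field names come from the rule; `matches_rule`, `evaluate_samples` and the sample events are hypothetical, and events are assumed to be already flattened into dictionaries.

```python
# Added example: the rule's selections evaluated over constructed events.
SCM_PROVIDER = "Service Control Manager"
IMAGE_FRAGMENT = r"\NetSupport Manager\client32.exe"
SERVICE_NAME = "Client32"


def matches_rule(event: dict) -> bool:
    """Return True when a flattened System-log event satisfies the rule."""
    # selection_root: a Sigma map is an AND of its fields.
    root = (
        str(event.get("Provider_Name", "")).lower() == SCM_PROVIDER.lower()
        and str(event.get("EventID", "")) == "7045"
    )
    # selection_service: a Sigma list of maps is an OR of its items.
    # Sigma string comparisons are case-insensitive by default.
    image_path = str(event.get("ImagePath", "")).lower()
    service_name = str(event.get("ServiceName", "")).lower()
    service = (
        IMAGE_FRAGMENT.lower() in image_path
        or service_name == SERVICE_NAME.lower()
    )
    # condition: all of selection_* (both selections must hold).
    return root and service


DEFAULT_PATH = r'"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" /* *'

# Constructed sample events, modelled on the EventData comment in the rule.
SAMPLE_EVENTS = {
    "default_install": {"Provider_Name": SCM_PROVIDER, "EventID": 7045,
                        "ServiceName": "Client32", "ImagePath": DEFAULT_PATH},
    "path_only": {"Provider_Name": SCM_PROVIDER, "EventID": 7045,
                  "ServiceName": "ExampleSvc", "ImagePath": DEFAULT_PATH.upper()},
    "name_only": {"Provider_Name": SCM_PROVIDER, "EventID": 7045,
                  "ServiceName": "client32", "ImagePath": r"D:\Tools\client32.exe"},
    "unrelated_service": {"Provider_Name": SCM_PROVIDER, "EventID": 7045,
                          "ServiceName": "ExampleAgent",
                          "ImagePath": r"C:\Program Files\Example\agent.exe"},
    "wrong_event_id": {"Provider_Name": SCM_PROVIDER, "EventID": 7036,
                       "ServiceName": "Client32", "ImagePath": DEFAULT_PATH},
}


def evaluate_samples() -> dict:
    """Map each constructed sample name to the rule's verdict."""
    return {name: matches_rule(ev) for name, ev in SAMPLE_EVENTS.items()}
```

Either the image path or the service name is enough to satisfy `selection_service`, so legitimate deployments match as well; this is the false positive the rule lists.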
Related rules
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- AWS ECS Task Definition That Queries The Credential Endpoint