NetSupport Manager Service Install

Detects NetSupport Manager service installation on the target system.

Sigma rule

title: NetSupport Manager Service Install
id: 2d510d8d-912b-45c5-b1df-36faa3d8c3f4
status: test
description: Detects NetSupport Manager service installation on the target system.
references:
    - http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/10/31
tags:
    - attack.persistence
logsource:
    product: windows
    service: system
detection:
    # Example:
    #   <EventData>
    #       <Data Name="ServiceName">Client32</Data>
    #       <Data Name="ImagePath">"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" /* *</Data>
    #       <Data Name="ServiceType">user mode service</Data>
    #       <Data Name="StartType">auto start</Data>
    #       <Data Name="AccountName">LocalSystem</Data>
    #   </EventData>
    selection_root:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ImagePath|contains: '\NetSupport Manager\client32.exe'
        - ServiceName: 'Client32'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the tool
level: medium
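
The rule's matching logic, written out as an added example (not part of the original rule or of any Sigma tooling): a minimal Python evaluator run over constructed 7045 events. The function names and sample events are assumptions for illustration; string comparison ignores case, as Sigma's default matching does.

```python
# Added example: hypothetical helper names, constructed sample events.
RULE = {
    "selection_root": {"Provider_Name": "Service Control Manager", "EventID": 7045},
    # A list of maps under one selection is an OR of its items.
    "selection_service": [
        {"ImagePath|contains": r"\NetSupport Manager\client32.exe"},
        {"ServiceName": "Client32"},
    ],
}

def field_matches(event, key, expected):
    """Match one 'Field' or 'Field|contains' entry, ignoring case."""
    name, _, modifier = key.partition("|")
    if name not in event:
        return False
    actual, want = str(event[name]).lower(), str(expected).lower()
    return want in actual if modifier == "contains" else actual == want

def selection_matches(event, selection):
    """A map is an AND of its fields; a list of maps is an OR of the maps."""
    if isinstance(selection, list):
        return any(selection_matches(event, item) for item in selection)
    return all(field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event):
    """condition: all of selection_*"""
    return all(selection_matches(event, sel) for sel in RULE.values())

# Constructed sample events (flattened System + EventData fields).
SCM = {"Provider_Name": "Service Control Manager", "EventID": 7045}
EVENTS = {
    "default_install": {**SCM, "ServiceName": "Client32",
        "ImagePath": r'"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" /* *'},
    "other_service_name": {**SCM, "ServiceName": "HelpDeskAgent",
        "ImagePath": r'"c:\program files (x86)\netsupport\netsupport manager\CLIENT32.EXE"'},
    "name_only": {**SCM, "ServiceName": "client32",
        "ImagePath": r"C:\ProgramData\Support\client32.exe"},
    "unrelated_service": {**SCM, "ServiceName": "Spooler",
        "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    "wrong_event_id": {**SCM, "EventID": 7036, "ServiceName": "Client32"},
}

def evaluate_all():
    return {name: rule_matches(ev) for name, ev in EVENTS.items()}

if __name__ == "__main__":
    print(evaluate_all())
```

Because selection_service is a list, either the image path or the service name is enough to match once the event is a Service Control Manager 7045 record.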
