Remote Access Tool - NetSupport Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Sigma rule (View on GitHub)
1title: Remote Access Tool - NetSupport Execution
2id: 758ff488-18d5-4cbe-8ec4-02b6285a434f
3status: test
4description: |
5 An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
6 These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
7 Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
10author: frack113
11date: 2022/09/25
12modified: 2023/03/06
13tags:
14 - attack.command_and_control
15 - attack.t1219
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 - Description: NetSupport Client Configurator
22 - Product: NetSupport Remote Control
23 - Company: NetSupport Ltd
24 - OriginalFileName: PCICFGUI.EXE
25 condition: selection
26falsepositives:
27 - Legitimate use
28level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Potential SocGholish Second Stage C2 DNS Query
- Remote Access Tool - AnyDesk Piped Password Via CLI
- Remote Access Tool - Anydesk Execution From Suspicious Folder
- Potential Amazon SSM Agent Hijacking
- Potential Linux Amazon SSM Agent Hijacking