Remote Access Tool - NetSupport Execution From Unusual Location
Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')
Sigma rule (View on GitHub)
1title: Remote Access Tool - NetSupport Execution From Unusual Location
2id: 37e8d358-6408-4853-82f4-98333fca7014
3status: test
4description: Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')
5references:
6 - https://redcanary.com/blog/misbehaving-rats/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-09-19
9modified: 2024-11-23
10tags:
11 - attack.defense-evasion
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 - Image|endswith: '\client32.exe'
18 - Product|contains: 'NetSupport Remote Control'
19 - OriginalFileName|contains: 'client32.exe'
20 - Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e
21 filter:
22 Image|startswith:
23 - 'C:\Program Files\'
24 - 'C:\Program Files (x86)\'
25 condition: selection and not filter
26falsepositives:
27 - Unknown
28level: medium
References
Related rules
- HackTool - CoercedPotato Execution
- HackTool - GMER Rootkit Detector and Remover Execution
- HackTool - Impersonate Execution
- HackTool - LocalPotato Execution
- HackTool - PPID Spoofing SelectMyParent Tool Execution