Remote Access Tool - NetSupport Execution From Unusual Location

Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')

Sigma rule (View on GitHub)

 1title: Remote Access Tool - NetSupport Execution From Unusual Location
 2id: 37e8d358-6408-4853-82f4-98333fca7014
 3status: test
 4description: Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')
 5references:
 6    - https://redcanary.com/blog/misbehaving-rats/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2022-09-19
 9modified: 2024-11-23
10tags:
11    - attack.defense-evasion
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        - Image|endswith: '\client32.exe'
18        - Product|contains: 'NetSupport Remote Control'
19        - OriginalFileName|contains: 'client32.exe'
20        - Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e
21    filter:
22        Image|startswith:
23            - 'C:\Program Files\'
24            - 'C:\Program Files (x86)\'
25    condition: selection and not filter
26falsepositives:
27    - Unknown
28level: medium

References

Related rules

to-top