Remote Access Tool - NetSupport Execution From Unusual Location
Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')
Sigma rule (View on GitHub)
1title: Remote Access Tool - NetSupport Execution From Unusual Location
2id: 37e8d358-6408-4853-82f4-98333fca7014
3status: test
4description: Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')
5references:
6 - https://redcanary.com/blog/misbehaving-rats/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/09/19
9modified: 2023/03/05
10tags:
11 - attack.defense_evasion
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 - Image|endswith: '\client32.exe'
18 - Product|contains: 'NetSupport Remote Control'
19 - OriginalFileName|contains: 'client32.exe'
20 - Imphash: a9d50692e95b79723f3e76fcf70d023e
21 - Hashes|contains: IMPHASH=a9d50692e95b79723f3e76fcf70d023e
22 filter:
23 Image|startswith:
24 - 'C:\Program Files\'
25 - 'C:\Program Files (x86)\'
26 condition: selection and not filter
27falsepositives:
28 - Unknown
29level: medium
References
-
Ransomware operators frequently abuse RATs like NetSupport, Remote Utilities, ScreenConnect, and Anydesk. Here's what to look out for.
Read More
Related rules
- Arbitrary File Download Via MSPUB.EXE
- DLL Loaded From Suspicious Location Via Cmspt.EXE
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
- Directory Removal Via Rmdir
- EventLog EVTX File Deleted