Renamed NetSupport RAT Execution
Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings
Sigma rule (View on GitHub)
1title: Renamed NetSupport RAT Execution
2id: 0afbd410-de03-4078-8491-f132303cb67d
3status: test
4description: Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings
5references:
6 - https://redcanary.com/blog/misbehaving-rats/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-09-19
9modified: 2024-11-23
10tags:
11 - attack.defense-evasion
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 - Product|contains: 'NetSupport Remote Control'
18 - OriginalFileName|contains: 'client32.exe'
19 - Hashes|contains: IMPHASH=A9D50692E95B79723F3E76FCF70D023E
20 filter:
21 Image|endswith: '\client32.exe'
22 condition: selection and not filter
23falsepositives:
24 - Unknown
25level: high
References
-
Ransomware operators frequently abuse RATs like NetSupport, Remote Utilities, ScreenConnect, and Anydesk. Here's what to look out for.
Read More
Related rules
- HackTool - CoercedPotato Execution
- HackTool - GMER Rootkit Detector and Remover Execution
- HackTool - Impersonate Execution
- HackTool - LocalPotato Execution
- HackTool - PPID Spoofing SelectMyParent Tool Execution