Renamed NetSupport RAT Execution
Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings
Sigma rule (View on GitHub)
1title: Renamed NetSupport RAT Execution
2id: 0afbd410-de03-4078-8491-f132303cb67d
3status: test
4description: Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings
5references:
6 - https://redcanary.com/blog/misbehaving-rats/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-09-19
9modified: 2023-02-04
10tags:
11 - attack.defense-evasion
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 - Product|contains: 'NetSupport Remote Control'
18 - OriginalFileName|contains: 'client32.exe'
19 - Imphash: a9d50692e95b79723f3e76fcf70d023e
20 - Hashes|contains: IMPHASH=A9D50692E95B79723F3E76FCF70D023E
21 filter:
22 Image|endswith: '\client32.exe'
23 condition: selection and not filter
24falsepositives:
25 - Unknown
26level: high
References
-
Ransomware operators frequently abuse RATs like NetSupport, Remote Utilities, ScreenConnect, and Anydesk. Here's what to look out for.
Read More
Related rules
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity