NetSupport Manager Execution from Unusual Path
This rule detects the execution of NetSupport remote access software from non-default paths, potentially indicating an adversary abusing NetSupport Manager for malicious remote control.
This detection identifies the execution of NetSupport Manager, a remote access tool, from non-standard installation paths on Windows systems. Adversaries may abuse legitimate remote access software like NetSupport to gain unauthorized control over victim machines, bypassing traditional security controls. The rule focuses on detecting instances of client32.exe (or its parent process) running from locations such as user profiles or the ProgramData directory, which deviates from typical installations. This activity is flagged as suspicious because legitimate software is usually installed in dedicated directories under Program Files or Program Files (x86). The detection logic is designed to be broad, catching renamed or moved copies of the legitimate binary used for malicious purposes. This activity was observed beginning 2025/08/20 and updated 2026/04/07.
Attack Chain
- An adversary gains initial access to the system through a separate vector (e.g., phishing, exploitation).
- The adversary copies or moves the
client32.exebinary to a non-standard location, such asC:\Users\<username>\orC:\ProgramData\. - The adversary executes
client32.exefrom the unusual path. - NetSupport Manager establishes a remote connection to a command and control server.
- The adversary uses NetSupport Manager to perform reconnaissance activities on the compromised host.
- The adversary leverages NetSupport Manager to execute malicious commands.
- The adversary uses the established connection to move laterally to other systems within the network.
- The adversary achieves their objective, such as data exfiltration or ransomware deployment.
Impact
Successful exploitation can lead to complete remote control of the compromised system. This could result in data theft, malware installation, lateral movement within the network, and disruption of services. The impact is significant as NetSupport Manager provides extensive remote administration capabilities to the attacker. Without proper mitigation, attackers can gain complete control over the affected machines, leading to significant damage.
Recommendation
- Enable Sysmon process-creation logging to activate the rule
NetSupport Manager Execution from an Unusual Pathand ensure proper logging from the endpoint. - Inspect process ancestry of detected
client32.exeinstances for suspicious parent processes (e.g., script interpreters or archive utilities) as suggested in the rule's note section. - Deploy the Sigma rule
Detect NetSupport Client32 Execution from Unusual Pathto your SIEM and tune for your environment. - Monitor network connections originating from
client32.exefor unusual destination IPs and ports, as described in the rule's triage and analysis.
Detection coverage 2
Detect NetSupport Client32 Execution from Unusual Path
highDetects execution of NetSupport client32.exe from unusual paths, indicating potential abuse for remote access.
Detect NetSupport Client32 Parent Process from Unusual Path
highDetects execution of NetSupport client32.exe as a parent from unusual paths, indicating potential abuse for remote access.
Detection queries are available on the platform. Get full rules →