{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/remote_access_tool/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["NetSupport Manager"],"_cs_severities":["high"],"_cs_tags":["command_and_control","remote_access_tool","netsupport"],"_cs_type":"advisory","_cs_vendors":["NetSupport"],"content_html":"\u003cp\u003eThis detection identifies the execution of NetSupport Manager, a remote access tool, from non-standard installation paths on Windows systems. Adversaries may abuse legitimate remote access software like NetSupport to gain unauthorized control over victim machines, bypassing traditional security controls. The rule focuses on detecting instances of \u003ccode\u003eclient32.exe\u003c/code\u003e (or its parent process) running from locations such as user profiles or the ProgramData directory, which deviates from typical installations. This activity is flagged as suspicious because legitimate software is usually installed in dedicated directories under Program Files or Program Files (x86). The detection logic is designed to be broad, catching renamed or moved copies of the legitimate binary used for malicious purposes. This activity was observed beginning 2025/08/20 and updated 2026/04/07.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary gains initial access to the system through a separate vector (e.g., phishing, exploitation).\u003c/li\u003e\n\u003cli\u003eThe adversary copies or moves the \u003ccode\u003eclient32.exe\u003c/code\u003e binary to a non-standard location, such as \u003ccode\u003eC:\\Users\\\u0026lt;username\u0026gt;\\\u003c/code\u003e or \u003ccode\u003eC:\\ProgramData\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe adversary executes \u003ccode\u003eclient32.exe\u003c/code\u003e from the unusual path.\u003c/li\u003e\n\u003cli\u003eNetSupport Manager establishes a remote connection to a command and control server.\u003c/li\u003e\n\u003cli\u003eThe adversary uses NetSupport Manager to perform reconnaissance activities on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe adversary leverages NetSupport Manager to execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe adversary uses the established connection to move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003eThe adversary achieves their objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete remote control of the compromised system. This could result in data theft, malware installation, lateral movement within the network, and disruption of services. The impact is significant as NetSupport Manager provides extensive remote administration capabilities to the attacker. Without proper mitigation, attackers can gain complete control over the affected machines, leading to significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to activate the rule \u003ccode\u003eNetSupport Manager Execution from an Unusual Path\u003c/code\u003e and ensure proper logging from the endpoint.\u003c/li\u003e\n\u003cli\u003eInspect process ancestry of detected \u003ccode\u003eclient32.exe\u003c/code\u003e instances for suspicious parent processes (e.g., script interpreters or archive utilities) as suggested in the rule's note section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect NetSupport Client32 Execution from Unusual Path\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from \u003ccode\u003eclient32.exe\u003c/code\u003e for unusual destination IPs and ports, as described in the rule's triage and analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:22:00Z","date_published":"2024-01-03T14:22:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-netsupport-unusual-path/","summary":"This rule detects the execution of NetSupport remote access software from non-default paths, potentially indicating an adversary abusing NetSupport Manager for malicious remote control.","title":"NetSupport Manager Execution from Unusual Path","url":"https://feed.craftedsignal.io/briefs/2024-01-netsupport-unusual-path/"}],"language":"en","title":"CraftedSignal Threat Feed - Remote_access_tool","version":"https://jsonfeed.org/version/1.1"}