<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Remote_access_tool - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/remote_access_tool/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 14:22:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/remote_access_tool/feed.xml" rel="self" type="application/rss+xml"/><item><title>NetSupport Manager Execution from Unusual Path</title><link>https://feed.craftedsignal.io/briefs/2024-01-netsupport-unusual-path/</link><pubDate>Wed, 03 Jan 2024 14:22:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-netsupport-unusual-path/</guid><description>This rule detects the execution of NetSupport remote access software from non-default paths, potentially indicating an adversary abusing NetSupport Manager for malicious remote control.</description><content:encoded><![CDATA[<p>This detection identifies the execution of NetSupport Manager, a remote access tool, from non-standard installation paths on Windows systems. Adversaries may abuse legitimate remote access software like NetSupport to gain unauthorized control over victim machines, bypassing traditional security controls. The rule focuses on detecting instances of <code>client32.exe</code> (or its parent process) running from locations such as user profiles or the ProgramData directory, which deviates from typical installations. This activity is flagged as suspicious because legitimate software is usually installed in dedicated directories under Program Files or Program Files (x86). The detection logic is designed to be broad, catching renamed or moved copies of the legitimate binary used for malicious purposes. This activity was observed beginning 2025/08/20 and updated 2026/04/07.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An adversary gains initial access to the system through a separate vector (e.g., phishing, exploitation).</li>
<li>The adversary copies or moves the <code>client32.exe</code> binary to a non-standard location, such as <code>C:\Users\&lt;username&gt;\</code> or <code>C:\ProgramData\</code>.</li>
<li>The adversary executes <code>client32.exe</code> from the unusual path.</li>
<li>NetSupport Manager establishes a remote connection to a command and control server.</li>
<li>The adversary uses NetSupport Manager to perform reconnaissance activities on the compromised host.</li>
<li>The adversary leverages NetSupport Manager to execute malicious commands.</li>
<li>The adversary uses the established connection to move laterally to other systems within the network.</li>
<li>The adversary achieves their objective, such as data exfiltration or ransomware deployment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to complete remote control of the compromised system. This could result in data theft, malware installation, lateral movement within the network, and disruption of services. The impact is significant as NetSupport Manager provides extensive remote administration capabilities to the attacker. Without proper mitigation, attackers can gain complete control over the affected machines, leading to significant damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon process-creation logging to activate the rule <code>NetSupport Manager Execution from an Unusual Path</code> and ensure proper logging from the endpoint.</li>
<li>Inspect process ancestry of detected <code>client32.exe</code> instances for suspicious parent processes (e.g., script interpreters or archive utilities) as suggested in the rule's note section.</li>
<li>Deploy the Sigma rule <code>Detect NetSupport Client32 Execution from Unusual Path</code> to your SIEM and tune for your environment.</li>
<li>Monitor network connections originating from <code>client32.exe</code> for unusual destination IPs and ports, as described in the rule's triage and analysis.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>command_and_control</category><category>remote_access_tool</category><category>netsupport</category></item></channel></rss>