The SANS Internet Storm Center has identified an active threat campaign where an unidentified Remote Access Trojan (RAT) is being used as a dropper for NetSupport RAT, a legitimate remote administration tool that has been weaponized by threat actors. This attack is significant because it demonstrates how attackers are increasingly abusing legitimate tools to evade detection while establishing persistent remote access to compromised systems. Security teams must act quickly to identify infections and prevent lateral movement.
Technical Analysis
The attack chain begins with a dropper (the unidentified RAT) which downloads and executes NetSupport Manager. NetSupport RAT has a long history of being abused in malware campaigns, including those targeting financial and healthcare sectors. The tool provides attackers with full remote control capabilities including:
- Remote desktop control
- File system manipulation
- Command execution
- Keylogging
- Password stealing
While NetSupport Manager is a legitimate product used by IT administrators, in this context it's being deployed without authorization, indicating malicious use.
Affected Products & Platforms:
- Windows systems (primary target)
- NetSupport Manager (maliciously deployed)
Attack Vector: The initial infection vector appears to be a dropper that downloads and executes the NetSupport RAT payload. The dropper's method of initial delivery is not fully identified but commonly includes phishing emails, malicious downloads, or exploit kits.
Exploitation Status:
- Confirmed active exploitation in the wild
- No CVE associated (abuse of legitimate software)
- Not currently listed in CISA KEV (as of reporting date)
Detection & Response
SIGMA Rules
YAML
---
title: NetSupport RAT Execution
id: 1a2b3c4d-5e6f-7890-abcd-ef1234567890
status: experimental
description: Detects execution of NetSupport Manager (client32.exe) which may indicate malicious use if not authorized
references:
- https://attack.mitre.org/techniques/T1219/
author: Security Arsenal
date: 2024/06/01
tags:
- attack.command_and_control
- attack.t1219
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\client32.exe'
condition: selection
falsepositives:
- Authorized use by IT administrators
- Legitimate NetSupport Manager deployment
level: medium
---
title: NetSupport Manager Suspicious Installation
id: 2b3c4d5e-6f78-90ab-cdef-1234567890ab
status: experimental
description: Detects suspicious installation patterns of NetSupport Manager from unexpected locations
references:
- https://attack.mitre.org/techniques/T1219/
author: Security Arsenal
date: 2024/06/01
tags:
- attack.command_and_control
- attack.t1219
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\client32.exe'
ParentImage|notcontains:
- 'Program Files'
- 'Program Files (x86)'
condition: selection
falsepositives:
- Authorized installation from non-standard locations
level: high
---
title: NetSupport Manager Network Connection
id: 3c4d5e6f-7890-abcd-ef12-34567890abcd
status: experimental
description: Detects network connections established by NetSupport Manager to external IPs
references:
- https://attack.mitre.org/techniques/T1219/
author: Security Arsenal
date: 2024/06/01
tags:
- attack.command_and_control
- attack.t1219
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: '\client32.exe'
Initiated: 'true'
filter:
DestinationIp|cidr:
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
condition: selection and not filter
falsepositives:
- Legitimate remote administration to internal systems
level: medium
KQL (Microsoft Sentinel / Defender)
KQL — Microsoft Sentinel / Defender
// Hunt for NetSupport RAT (client32.exe) execution and network connections
// Look for process creation events
DeviceProcessEvents
| where FileName =~ "client32.exe"
| project Timestamp, DeviceName, AccountName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
// Look for network connections from NetSupport Manager
| union (
DeviceNetworkEvents
| where ProcessVersionInfoInternalFileName =~ "client32.exe" or FileName =~ "client32.exe"
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName
| order by Timestamp desc
)
Velociraptor VQL
VQL — Velociraptor
-- Hunt for NetSupport RAT (client32.exe) processes
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ "client32.exe"
-- Hunt for NetSupport Manager file artifacts
SELECT FullPath, Size, Mtime, Atime, Ctime
FROM glob(globs="C:/Users/*/AppData/Local/Temp/**/client32.exe")
-- Hunt for NetSupport Manager network connections
SELECT Fd, Family, RemoteAddr, RemotePort, State, Pid
FROM netstat()
WHERE ProcessName =~ "client32.exe"
Remediation Script (PowerShell)
PowerShell
# NetSupport RAT Detection and Remediation Script
# Run with elevated privileges
# Check for running NetSupport Manager processes
Write-Host "Checking for NetSupport Manager processes..." -ForegroundColor Yellow
$processes = Get-Process -Name "client32" -ErrorAction SilentlyContinue
if ($processes) {
Write-Host "Found NetSupport Manager processes running!" -ForegroundColor Red
$processes | Select-Object Id, ProcessName, Path, StartTime
# Kill processes
$processes | Stop-Process -Force
Write-Host "Processes terminated." -ForegroundColor Green
} else {
Write-Host "No NetSupport Manager processes found running." -ForegroundColor Green
}
# Check for NetSupport Manager files in common locations
Write-Host "Checking for NetSupport Manager files..." -ForegroundColor Yellow
$paths = @(
"$env:LOCALAPPDATA\Temp\client32.exe",
"$env:APPDATA\client32.exe",
"$env:TEMP\client32.exe",
"C:\Program Files\client32.exe",
"C:\Program Files (x86)\client32.exe"
)
$foundFiles = @()
foreach ($path in $paths) {
if (Test-Path $path) {
$foundFiles += $path
Write-Host "Found: $path" -ForegroundColor Red
}
}
# Check for registry keys associated with NetSupport Manager persistence
Write-Host "Checking for persistence mechanisms..." -ForegroundColor Yellow
$runKeys = @(
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
"HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
"HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
"HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
$persistenceFound = $false
foreach ($key in $runKeys) {
if (Test-Path $key) {
$values = Get-ItemProperty $key -ErrorAction SilentlyContinue
foreach ($value in $values.PSObject.Properties) {
if ($value.Value -like "*client32*") {
Write-Host "Persistence found in $($key.Name): $($value.Name) = $($value.Value)" -ForegroundColor Red
$persistenceFound = $true
}
}
}
}
# Network connections check
Write-Host "Checking for NetSupport Manager network connections..." -ForegroundColor Yellow
$connections = Get-NetTCPConnection -OwningProcess (Get-Process -Name "client32" -ErrorAction SilentlyContinue).Id -ErrorAction SilentlyContinue
if ($connections) {
Write-Host "Network connections found:" -ForegroundColor Red
$connections | Format-Table -AutoSize
} else {
Write-Host "No active network connections found for NetSupport Manager." -ForegroundColor Green
}
# Summary
Write-Host "`n--- Remediation Summary ---" -ForegroundColor Cyan
if ($foundFiles.Count -gt 0 -or $persistenceFound) {
Write-Host "ACTION REQUIRED: NetSupport RAT indicators found!" -ForegroundColor Red
Write-Host "Manual investigation recommended. Remove unauthorized files and registry entries." -ForegroundColor Yellow
} else {
Write-Host "No immediate indicators of NetSupport RAT found." -ForegroundColor Green
}
Remediation
If NetSupport RAT is detected on your systems, follow these steps immediately:
-
Isolate affected systems: Disconnect compromised machines from the network to prevent lateral movement.
-
Terminate malicious processes:
- Kill any running
client32.exeprocesses not authorized by IT - Use the provided PowerShell script to automate detection and termination
- Kill any running
-
Remove persistence mechanisms:
- Check registry Run keys for NetSupport Manager entries
- Remove startup items in Task Scheduler
- Delete unauthorized files found in common directories
-
Block network communication:
- Block outbound connections to known NetSupport Manager command-and-control infrastructure
- Configure firewall rules to restrict unauthorized remote desktop tools
-
Credential reset:
- Force password resets for all accounts on affected systems
- Assume credentials have been stolen and revoke any exposed session tokens
-
Investigate source:
- Analyze how the initial dropper was delivered (email attachment, malicious download, exploit)
- Search for the unidentified RAT dropper using file hash and behavioral indicators
- Review endpoint logs for precursor activities
-
Implement application controls:
- Use AppLocker or similar to restrict execution of NetSupport Manager to approved systems
- Create software restriction policies for remote administration tools
-
User awareness:
- Alert users about the threat campaign
- Reinforce phishing awareness and safe computing practices
Vendor Resources:
- NetSupport Manager official documentation: https://www.netsupportmanager.com/
- SANS Internet Storm Center Diary: https://isc.sans.edu/diary/33034
- CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Timeline for remediation:
- Immediate: Isolate affected systems and terminate processes
- Within 24 hours: Complete credential resets and persistence removal
- Within 48 hours: Complete forensic investigation and implement control changes
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
managed-socmdrsecurity-monitoringthreat-detectionsiemnetsupport-ratratmalware-detection
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.