NetSupport Manager Execution from an Unusual Path
Identifies execution of the NetSupport remote access software from non-default paths. Adversaries may abuse NetSupport Manager to control a victim machine.
Rule type: eql
Rule indices:
- endgame-*
- logs-crowdstrike.fdr*
- logs-endpoint.events.process-*
- logs-m365_defender.event-*
- logs-sentinel_one_cloud_funnel.*
- logs-system.security*
- logs-windows.sysmon_operational-*
- winlogbeat-*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Command and Control
- Resources: Investigation Guide
- Data Source: Elastic Endgame
- Data Source: Elastic Defend
- Data Source: Sysmon
- Data Source: SentinelOne
- Data Source: Microsoft Defender for Endpoint
- Data Source: Windows Security Event Logs
- Data Source: Crowdstrike
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
Triage and analysis
Investigating NetSupport Manager Execution from an Unusual Path
Possible investigation steps
- What is the alerting process and how did NetSupport reach this host from a non-default path?
  - Focus: process.executable, process.pe.original_file_name, process.code_signature.subject_name, process.code_signature.trusted, process.parent.executable, and process.parent.command_line.
  - Implication: escalate when the client is unsigned, portable, or mismatched to its original file name, or when the parent chain starts from a script host, archive utility, browser, or Office process; lower suspicion when signer, path, and parent chain resolve to a recognized deployment. Identity alone does not clear the behavior.
- Does the client or child command line show recognized deployment behavior or covert control intent?
  - Focus: process.command_line, process.working_directory, and process.parent.command_line, with attention to connection targets, relay parameters, and hidden or scripted launch behavior.
  - Hint: if the alert fired on a child process and the parent command line is absent or truncated, recover the NetSupport client start event on the same host.id before judging deployment or relay intent.
  - Implication: escalate when the command line reveals external control targets, stealthy launch parameters, or deployment behavior that does not fit expected support tooling; lower suspicion when the arguments match a recognized support or managed rollout workflow.
- Do network events show expected support infrastructure or suspicious relay traffic?
  - Focus: process-scoped DNS and connection events for process.entity_id, checking dns.question.name, dns.resolved_ip, destination.ip, destination.port, and destination.as.organization.name.
  - !{investigate{"description":"","label":"Network activity for the NetSupport process","providers":[[{"excluded":false,"field":"process.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"},{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"network","valueType":"string"}]],"relativeFrom":"now-1h","relativeTo":"now"}}
  - Implication: escalate when the process reaches rare public destinations or unexpected relay infrastructure; lower suspicion when destinations align with known internal support infrastructure. Missing network telemetry is unresolved, not benign.
- Do file events show staged components, renamed NetSupport files, or persistence artifacts?
  - Focus: file events scoped to process.entity_id: file.path, file.origin_url, file.Ext.windows.zone_identifier, file.Ext.header_bytes, and adjacent NetSupport files ("client32u.ini", "NSM.lic", "NSM.ini", "CKSINI.EXE").
  - Implication: escalate when the process writes portable components, renamed files, or bundled config/license files, or when artifacts later appear in persistence or execution telemetry; lower suspicion when file activity stays in a recognized installation path with no suspicious reuse.
- Do child processes launched from NetSupport show interactive abuse beyond normal support?
  - Focus: child process events from process.entity_id, checking process.executable and process.command_line.
  - !{investigate{"description":"","label":"Child processes launched by the NetSupport client","providers":[[{"excluded":false,"field":"process.parent.entity_id","queryType":"phrase","value":"{{process.entity_id}}","valueType":"string"},{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"},{"excluded":false,"field":"event.category","queryType":"phrase","value":"process","valueType":"string"}]],"relativeFrom":"now-1h","relativeTo":"now"}}
  - Implication: escalate when NetSupport spawns shells, scripting engines, archivers, credential tools, or other hands-on-keyboard tooling; lower suspicion when child activity stays limited to expected helper processes or no secondary execution follows.
- If the local evidence stays suspicious, does this host or user show related alerts or a recurring deployment pattern?
  - Focus: related alerts for host.id and user.id in the last 48 hours, checking for delivery, persistence, remote-access, or credential activity, and whether the same client path, signer, and destination pattern recur across prior alerts.
  - !{investigate{"description":"","label":"Alerts associated with the user","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"user.id","queryType":"phrase","value":"{{user.id}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}}
  - !{investigate{"description":"","label":"Alerts associated with the host","providers":[[{"excluded":false,"field":"event.kind","queryType":"phrase","value":"signal","valueType":"string"},{"excluded":false,"field":"host.id","queryType":"phrase","value":"{{host.id}}","valueType":"string"}]],"relativeFrom":"now-48h/h","relativeTo":"now"}}
  - Hint: if workflow documentation is unavailable, recurrence of the same client path, signer, and destination pattern across prior alerts is the strongest telemetry-based benign signal.
  - Implication: broaden when the host or user shows suspicious precursor, follow-on, or cross-host activity; lower suspicion when the same deployment pattern recurs with no contradictory alerts.
- Escalate when binary identity, launch chain, network destinations, staged artifacts, or child-process behavior point to unauthorized NetSupport deployment or interactive abuse; close only when all evidence aligns with a recognized support deployment; if mixed or incomplete, preserve and escalate.
False positive analysis
- Legitimate IT support or managed deployment can stage NetSupport in non-default paths. Confirm it when the client is signed by NetSupport Ltd, the parent is an IT deployment tool (SCCM, GPO, management agent), bundled config files (client32u.ini, NSM.lic) sit alongside the client in the same directory, and network destinations resolve to internal support infrastructure.
- Before creating an exception, build on process.executable, process.code_signature.subject_name, process.parent.executable, user.id, and host.id. Avoid exceptions on process.name alone, the user alone, or the host alone.
Response and remediation
- If confirmed benign, reverse any temporary containment and document process.executable, process.code_signature.subject_name, process.parent.executable, the destination pattern, and the user.id/host.id pairing. Create an exception using the fields from the FP guidance above.
- If suspicious but unconfirmed, preserve the alert’s process.entity_id, client path, signer, process.command_line, related file.path values, child-process lineage, and any linked destination.ip, dns.question.name, or dns.resolved_ip values. Apply reversible containment such as temporary blocking of confirmed destinations. Escalate to host isolation only when live remote control or lateral movement is still plausible and the asset can tolerate it.
- If confirmed malicious, use endpoint response to contain the host after recording the alert’s process.entity_id, client path, signer, command line, child-process details, written artifact paths, and confirmed destinations. If direct endpoint response is unavailable, escalate with that evidence set to the team that can terminate the process, isolate the host, and block the malicious destinations and dropped artifact hashes identified during the investigation.
- Before deleting files or removing access, review the same client path family, destinations, bundled config or license files, and dropped artifact names across other hosts and users so portable staging or shared controller infrastructure does not stay localized by mistake. Then eradicate the unauthorized NetSupport client, persistence mechanism, installer artifacts, and follow-on tooling uncovered during the file and child-process review.
- Post-incident hardening: restrict remote-access tool installs to approved signed packages and approved paths, review software-allowlisting or deployment controls that allowed the portable client to run, and retain endpoint process, file, and network telemetry.
Setup
This rule is designed for data generated by Elastic Defend, which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
Setup instructions: https://ela.st/install-elastic-defend
Additional data sources
This rule also supports the following third-party data sources. For setup instructions, refer to the links below:
Rule query
process where host.os.type == "windows" and event.type == "start" and
(process.name : "client32.exe" or ?process.pe.original_file_name == "client32.exe" or process.parent.name : "client32.exe") and
(
process.executable :
("?:\\Users\\*.exe",
"?:\\ProgramData\\*.exe",
"\\Device\\HarddiskVolume*\\Users\\*.exe",
"\\Device\\HarddiskVolume*\\ProgramData\\*.exe") or
?process.parent.executable : ("?:\\Users\\*\\client32.exe", "?:\\ProgramData\\*\\client32.exe")
)
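The following is an added example, not part of the Elastic rule or its documentation. It renders the rule query above as Python so that its two clauses (client identity via process name, PE original file name, or parent name; path under Users or ProgramData) can be exercised against constructed sample events, and it also illustrates the exception guidance from the false positive analysis: a narrow exception keyed on executable, signer, parent, user.id and host.id suppresses only the managed rollout, while a process.name-only exception also silences the unsigned client launched from a roaming profile and still misses a renamed client. The wildcard helper is a simplified emulation of the EQL `:` operator; the event dictionaries, SIDs, host ids and the exception structure are all made up for this example and are not Kibana's exception-list format.

```python
import re
from typing import Optional

# Constructed sample events in ECS dotted-field form; none of this is real telemetry.
# "id" is a label for this example only, not an ECS field; SIDs and host ids are invented.
SAMPLE_EVENTS = [
    {"id": "managed-rollout", "host.os.type": "windows", "event.type": "start",
     "host.id": "host-a", "user.id": "S-1-5-21-111-222-333-1001",
     "process.name": "client32.exe", "process.pe.original_file_name": "client32.exe",
     "process.executable": r"C:\ProgramData\NetSupport\Client\client32.exe",
     "process.code_signature.subject_name": "NetSupport Ltd",
     "process.parent.name": "CcmExec.exe",
     "process.parent.executable": r"C:\Windows\CCM\CcmExec.exe"},
    {"id": "roaming-unsigned", "host.os.type": "windows", "event.type": "start",
     "host.id": "host-b", "user.id": "S-1-5-21-111-222-333-1002",
     "process.name": "client32.exe", "process.pe.original_file_name": "client32.exe",
     "process.executable": r"C:\Users\jdoe\AppData\Roaming\WinHelp\client32.exe",
     "process.code_signature.subject_name": None,
     "process.parent.name": "wscript.exe",
     "process.parent.executable": r"C:\Windows\System32\wscript.exe"},
    {"id": "renamed-client", "host.os.type": "windows", "event.type": "start",
     "host.id": "host-b", "user.id": "S-1-5-21-111-222-333-1002",
     "process.name": "winhelp.exe", "process.pe.original_file_name": "client32.exe",
     "process.executable": r"C:\Users\jdoe\AppData\Local\Temp\winhelp.exe",
     "process.code_signature.subject_name": None,
     "process.parent.name": "7z.exe",
     "process.parent.executable": r"C:\Users\jdoe\Downloads\7z.exe"},
    {"id": "default-install", "host.os.type": "windows", "event.type": "start",
     "host.id": "host-a", "user.id": "S-1-5-21-111-222-333-1001",
     "process.name": "client32.exe", "process.pe.original_file_name": "client32.exe",
     "process.executable": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe",
     "process.code_signature.subject_name": "NetSupport Ltd",
     "process.parent.name": "CcmExec.exe",
     "process.parent.executable": r"C:\Windows\CCM\CcmExec.exe"},
    {"id": "child-shell", "host.os.type": "windows", "event.type": "start",
     "host.id": "host-b", "user.id": "S-1-5-21-111-222-333-1002",
     "process.name": "cmd.exe", "process.pe.original_file_name": "Cmd.Exe",
     "process.executable": r"C:\Windows\System32\cmd.exe",
     "process.code_signature.subject_name": "Microsoft Windows",
     "process.parent.name": "client32.exe",
     "process.parent.executable": r"C:\Users\jdoe\AppData\Roaming\WinHelp\client32.exe"},
]

# Path patterns copied from the rule query (EQL "\\" is one backslash, hence raw strings).
EXECUTABLE_PATTERNS = (r"?:\Users\*.exe", r"?:\ProgramData\*.exe",
                       r"\Device\HarddiskVolume*\Users\*.exe",
                       r"\Device\HarddiskVolume*\ProgramData\*.exe")
PARENT_PATTERNS = (r"?:\Users\*\client32.exe", r"?:\ProgramData\*\client32.exe")


def wildcard(pattern: str, value: Optional[str]) -> bool:
    """Simplified EQL ':' operator: case-insensitive, '*' any run, '?' one character.
    A missing field never matches, which is what the optional-field clauses rely on."""
    if value is None:
        return False
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def rule_matches(event: dict) -> bool:
    """Python rendering of the rule query; the EQL text itself is the authoritative form."""
    get = event.get
    if get("host.os.type") != "windows" or get("event.type") != "start":
        return False
    # Identity clause: name, PE original file name (EQL '==' is case-sensitive), or parent name.
    is_client = (wildcard("client32.exe", get("process.name"))
                 or get("process.pe.original_file_name") == "client32.exe"
                 or wildcard("client32.exe", get("process.parent.name")))
    if not is_client:
        return False
    # Path clause: the client itself, or its parent, lives under Users or ProgramData.
    return (any(wildcard(p, get("process.executable")) for p in EXECUTABLE_PATTERNS)
            or any(wildcard(p, get("process.parent.executable")) for p in PARENT_PATTERNS))


# Hypothetical exception shape (field -> wildcard pattern); every listed field must match.
NARROW_EXCEPTION = {
    "process.executable": r"C:\ProgramData\NetSupport\Client\client32.exe",
    "process.code_signature.subject_name": "NetSupport Ltd",
    "process.parent.executable": r"C:\Windows\CCM\*",
    "user.id": "S-1-5-21-111-222-333-1001",
    "host.id": "host-a",
}
BROAD_EXCEPTION = {"process.name": "client32.exe"}  # the kind the FP guidance says to avoid


def exception_suppresses(event: dict, exception: dict) -> bool:
    return all(wildcard(pattern, event.get(field)) for field, pattern in exception.items())


def evaluate(events: list, exceptions: list) -> list:
    """Return the ids of events that match the rule and are not covered by any exception."""
    return [ev["id"] for ev in events
            if rule_matches(ev) and not any(exception_suppresses(ev, ex) for ex in exceptions)]


if __name__ == "__main__":
    print("no exceptions:   ", evaluate(SAMPLE_EVENTS, []))
    print("narrow exception:", evaluate(SAMPLE_EVENTS, [NARROW_EXCEPTION]))
    print("broad exception: ", evaluate(SAMPLE_EVENTS, [BROAD_EXCEPTION]))
```

Running it shows four of the five constructed events alerting (the default Program Files install does not), the narrow exception removing only the SCCM-delivered client, and the broad exception also hiding the unsigned client started by wscript.exe while leaving the renamed client and the cmd.exe child alerting, which is the asymmetry the FP guidance warns about.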
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Command and Control
  - ID: TA0011
  - Reference URL: https://attack.mitre.org/tactics/TA0011/
- Technique:
  - Name: Remote Access Tools
  - ID: T1219
  - Reference URL: https://attack.mitre.org/techniques/T1219/