TTP Detection Rule: NetSupport running from unexpected directory (FIN7)
Ttp T1219 Netsupportrat Fin7
Query
// Detection opportunity 2: NetSupport running from unexpected directory
DeviceProcessEvents
| where ( ProcessVersionInfoCompanyName contains "netsupport" or ProcessVersionInfoProductName contains "netsupport" ProcessVersionInfoCompanyName contains "Crosstec" or ProcessVersionInfoProductName contains "Crosstec") and not ( FolderPath has_any ("Program Files (x86)\\","Program Files\\"))About this query
Explanation
This query is designed to detect suspicious activity related to the NetSupport Manager Remote Access Tool (RAT), which is sometimes used by cyber attackers like the FIN7 group. The query looks for instances where NetSupport Manager is running from directories other than the expected "Program Files" or "Program Files (x86)" directories.
Here's a simple breakdown of what the query does:
-
Target: It focuses on processes related to NetSupport Manager, which is a legitimate remote access software but can be misused by attackers.
-
Detection Criteria:
- It checks if the process information contains "netsupport" or "Crosstec" (the company behind NetSupport).
- It flags these processes if they are running from directories other than the standard "Program Files" or "Program Files (x86)".
-
Purpose: The goal is to identify potentially malicious installations of NetSupport Manager that might have been placed in unusual directories by attackers to avoid detection.
-
Context: This behavior has been associated with the FIN7 group, known for using such tactics before deploying ransomware. Detecting NetSupport Manager in unexpected locations can be an early warning sign of a potential security breach.
