SID 1:44678

Report a false positive

Rule Category

POLICY-OTHER --

Alert Message

POLICY-OTHER NetSupport Manager RAT outbound connection detected

Rule Explanation

This rule is looking for the unique User-Agent of the NetSupport Manager RAT client application. NetSupport is a commercially available IT tool that has been used by various threat actors as a malicious RAT.

What To Look For

This rule alerts on traffic from NetSupport Manager RAT.

Known Usage

Attacks/Scans seen in the wild

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

MITRE::ATT&CK Framework::Enterprise::Command and Control::Application Layer Protocol

Rule Categories::Malware::Command and Control

CVE

None

Additional Links

www.virustotal.com/#/file/b87ef28981defd135496e25233cc7a47a376a75ddea97fcd4c0927995dd22e47/detection
blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None