netsupport (#3798)

* netsupport

* netsupport

* netsupport

* netsupport

* Update detections/endpoint/windows_executable_masquerading_as_benign_file_types.yml

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

* Update detections/endpoint/windows_executable_masquerading_as_benign_file_types.yml

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

* Update data_sources/sysmon_eventid_29.yml

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

* Update data_sources/sysmon_eventid_29.yml

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

* Update detections/endpoint/windows_executable_masquerading_as_benign_file_types.yml

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

* Update detections/endpoint/windows_executable_masquerading_as_benign_file_types.yml

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

* Update detections/endpoint/windows_executable_masquerading_as_benign_file_types.yml

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

* Update detections/endpoint/windows_executable_masquerading_as_benign_file_types.yml

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>

* netsupport

* netsupport

* netsupport

* netsupport

* updates

* small fixes

---------

Co-authored-by: Teoderick Contreras <tcontreras@splunk.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>

Author: 4 people

data_sources/sysmon_eventid_29.yml

@@ -0,0 +1,62 @@
+name: Sysmon EventID 29
+id: 06c61e04-2d07-4e85-bcd5-8110938b1b18
+version: 1
+date: '2025-11-14'
+author: Teoderick Contreras, Splunk
+description: Data source object for Sysmon EventID 29
+source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+sourcetype: XmlWinEventLog
+separator: EventID
+configuration: https://github.com/SwiftOnSecurity/sysmon-config
+supported_TA:
+- name: Splunk Add-on for Sysmon
+  url: https://splunkbase.splunk.com/app/5709
+  version: 5.0.0
+fields:
+- _time
+- action
+- dest
+- dvc
+- Image
+- EventID
+- EventCode
+- event_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- User
+- UserID
+- TargetFilename
+- process_id
+- ProcessID
+- Hashes
+- EventRecordID
+- Keywords
+- Channel
+- IMPHASH
+- file_hash
+- file_name
+- file_path
+- severity
+- signature
+- signature_id
+- user
+- user_id
+- SecurityID
+- process_guid
+output_fields:
+- Image
+- file_name
+- file_path
+- process_guid
+- file_hash
+- process_id
+- dest
+- user
+- EventCode
+example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>29</EventID><Version>5</Version><Level>4</Level><Task>29</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2025-11-14T10:09:37.700533300Z'/><EventRecordID>3374716</EventRecordID><Correlation/><Execution ProcessID='1668' ThreadID='2836'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2025-11-14 10:09:37.697</Data><Data Name='ProcessGuid'>{CA8A6768-FFA9-6916-9303-000000000304}</Data><Data Name='ProcessId'>1436</Data><Data Name='User'>AR-WIN-DC\Administrator</Data><Data Name='Image'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data><Data Name='TargetFilename'>C:\Users\Administrator\AppData\Local\Microsoft_Corporation\lScun7w.docx</Data><Data Name='Hashes'>MD5=1E6E804CA71EAF5BEF0ABEF95C578CF0,SHA256=6FFE12CDFE0A36DEC4B4A40ECDAFB4097B1AF7C340B0FCECF9F5C67B7FA8B299,IMPHASH=2C4D798BB87EC57193B7625C4259DA43</Data></EventData></Event>

detections/endpoint/add_or_set_windows_defender_exclusion.yml

@@ -1,7 +1,7 @@
 name: Add or Set Windows Defender Exclusion
 id: 773b66fe-4dd9-11ec-8289-acde48001122
-version: 11
-date: '2025-10-01'
+version: 12
+date: '2025-11-20'
 author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
@@ -93,6 +93,7 @@ tags:
     - WhisperGate
     - Windows Defense Evasion Tactics
     - Crypto Stealer
+    - NetSupport RMM Tool Abuse
   asset_type: Endpoint
   mitre_attack_id:
     - T1562.001
@@ -106,4 +107,4 @@ tests:
     attack_data:
     - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/defender_exclusion_sysmon/sysmon.log
       source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-      sourcetype: XmlWinEventLog
+      sourcetype: XmlWinEventLog

detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml

@@ -1,7 +1,7 @@
 name: Allow Inbound Traffic In Firewall Rule
 id: a5d85486-b89c-11eb-8267-acde48001122
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-11-20'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -53,6 +53,7 @@ rba:
 tags:
   analytic_story:
   - Prohibited Traffic Allowed or Protocol Mismatch
+  - NetSupport RMM Tool Abuse
   asset_type: Endpoint
   mitre_attack_id:
   - T1021.001
@@ -66,4 +67,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021/allow_inbound_traffic_in_firewall_rule/windows-xml.log
     source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog

detections/endpoint/detect_mshta_url_in_command_line.yml

@@ -1,7 +1,7 @@
 name: Detect MSHTA Url in Command Line
 id: 9b3af1e6-5b68-11eb-ae93-0242ac130002
-version: 15
-date: '2025-09-18'
+version: 16
+date: '2025-11-20'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -89,6 +89,7 @@ tags:
     - Suspicious MSHTA Activity
     - XWorm
     - Cisco Network Visibility Module Analytics
+    - NetSupport RMM Tool Abuse
   asset_type: Endpoint
   mitre_attack_id:
     - T1218.005
@@ -107,4 +108,4 @@ tests:
     attack_data:
       - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_network_visibility_module/cisco_nvm_flowdata/nvm_flowdata.log
         source: not_applicable
-        sourcetype: cisco:nvm:flowdata
+        sourcetype: cisco:nvm:flowdata

detections/endpoint/disable_windows_behavior_monitoring.yml

@@ -1,7 +1,7 @@
 name: Disable Windows Behavior Monitoring
 id: 79439cae-9200-11eb-a4d3-acde48001122
-version: 16
-date: '2025-10-14'
+version: 17
+date: '2025-11-20'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
@@ -69,6 +69,7 @@ tags:
   - RedLine Stealer
   - Cactus Ransomware
   - Scattered Lapsus$ Hunters
+  - NetSupport RMM Tool Abuse
   asset_type: Endpoint
   mitre_attack_id:
   - T1562.001
@@ -82,4 +83,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_app_defender_disabling/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog

detections/endpoint/domain_controller_discovery_with_nltest.yml

@@ -1,7 +1,7 @@
 name: Domain Controller Discovery with Nltest
 id: 41243735-89a7-4c83-bcdd-570aa78f00a1
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-11-20'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -66,6 +66,7 @@ tags:
   - Medusa Ransomware
   - BlackSuit Ransomware
   - Rhysida Ransomware
+  - NetSupport RMM Tool Abuse
   asset_type: Endpoint
   mitre_attack_id:
   - T1018
@@ -79,4 +80,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/AD_discovery/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog

detections/endpoint/icacls_grant_command.yml

@@ -1,7 +1,7 @@
 name: ICACLS Grant Command
 id: b1b1e316-accc-11eb-a9b4-acde48001122
-version: 8
-date: '2025-06-17'
+version: 9
+date: '2025-11-20'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -76,6 +76,7 @@ tags:
   - Crypto Stealer
   - XMRig
   - Defense Evasion or Unauthorized Access Via SDDL Tampering
+  - NetSupport RMM Tool Abuse
   asset_type: Endpoint
   mitre_attack_id:
   - T1222
@@ -89,4 +90,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog

detections/endpoint/lolbas_with_network_traffic.yml

@@ -1,7 +1,7 @@
 name: LOLBAS With Network Traffic
 id: 2820f032-19eb-497e-8642-25b04a880359
-version: 13
-date: '2025-10-20'
+version: 14
+date: '2025-11-20'
 author: Steven Dick
 status: production
 type: TTP
@@ -143,6 +143,7 @@ tags:
   - APT37 Rustonotto and FadeStealer
   - GhostRedirector IIS Module and Rungan Backdoor
   - Hellcat Ransomware
+  - NetSupport RMM Tool Abuse
   asset_type: Endpoint
   mitre_attack_id:
   - T1105
@@ -158,4 +159,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog

detections/endpoint/ntdsutil_export_ntds.yml

@@ -1,7 +1,7 @@
 name: Ntdsutil Export NTDS
 id: da63bc76-61ae-11eb-ae93-0242ac130002
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-11-20'
 author: Michael Haag, Patrick Bareiss, Splunk
 status: production
 type: TTP
@@ -72,6 +72,7 @@ tags:
   - Prestige Ransomware
   - Volt Typhoon
   - Rhysida Ransomware
+  - NetSupport RMM Tool Abuse
   asset_type: Endpoint
   mitre_attack_id:
   - T1003.003
@@ -85,4 +86,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.003/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+    sourcetype: XmlWinEventLog

detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml

@@ -1,7 +1,7 @@
 name: Powershell Fileless Script Contains Base64 Encoded Content
 id: 8acbc04c-c882-11eb-b060-acde48001122
-version: 14
-date: '2025-10-24'
+version: 15
+date: '2025-11-20'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -68,6 +68,7 @@ tags:
   - GhostRedirector IIS Module and Rungan Backdoor
   - Hellcat Ransomware
   - Microsoft WSUS CVE-2025-59287
+  - NetSupport RMM Tool Abuse
   mitre_attack_id:
   - T1027
   - T1059.001