The detection identifies potential NetSupportManager RAT activity through known IOCs, indicating an adversary may be remotely controlling and exfiltrating data from compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats leveraging this RAT before significant data loss occurs.
IOC Summary
Malware Family: NetSupportManager RAT
Total IOCs: 3
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 24[.]134[.]4[.]221:4714 | botnet_cc | 2026-05-10 | 75% |
| ip:port | 189[.]34[.]188[.]6:5406 | botnet_cc | 2026-05-10 | 75% |
| ip:port | 189[.]34[.]188[.]6:5407 | botnet_cc | 2026-05-10 | 75% |
```kql
// Hunt for network connections to known malicious IPs (either direction)
// Source: ThreatFox - NetSupportManager RAT
// Note: the IOCs are ip:port pairs (4714, 5406, 5407); this query matches on IP only,
// so add a DestinationPort filter if IP-only matching proves too noisy.
let malicious_ips = dynamic(["189.34.188.6", "24.134.4.221"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// InitiatingProcessFileName shows which binary opened the connection,
// which is the field the false-positive scenarios below key on.
let malicious_ips = dynamic(["189.34.188.6", "24.134.4.221"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
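As an added example (not part of the original detection content), the following Python refangs the ip:port indicators from the table above, regenerates the IP list used in the KQL queries, and runs an ip:port-aware match over constructed DeviceNetworkEvents-style records. It separates hits where both IP and port matched from hits where only the IP matched, since the queries above do not constrain the port. The sample records and the `hunt` helper are assumptions for illustration; field names mirror the Defender table.

```python
import ipaddress

# IOC values exactly as listed in the table above (defanged ip:port, ThreatFox style)
IOC_ROWS = [
    "24[.]134[.]4[.]221:4714",
    "189[.]34[.]188[.]6:5406",
    "189[.]34[.]188[.]6:5407",
]


def refang_ip_port(value: str) -> tuple:
    """Turn a defanged 'a[.]b[.]c[.]d:port' string into (ip, port), validating both."""
    ip_text, _, port_text = value.replace("[.]", ".").rpartition(":")
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on malformed input
    port = int(port_text)
    if not 0 < port < 65536:
        raise ValueError(f"bad port in IOC: {value}")
    return str(ip), port


def build_indicator_sets(rows):
    """Return (set of IPs, set of (ip, port) pairs) from the defanged rows."""
    pairs = {refang_ip_port(r) for r in rows}
    return {ip for ip, _ in pairs}, pairs


def kql_dynamic_ip_list(rows) -> str:
    """Emit the dynamic([...]) literal used by the KQL queries, sorted for stable diffs."""
    ips, _ = build_indicator_sets(rows)
    return "dynamic([" + ", ".join(f'"{ip}"' for ip in sorted(ips)) + "])"


def hunt(events, rows):
    """Match events against IOCs; tag each hit 'ip_port' (exact pair) or 'ip_only'."""
    ips, pairs = build_indicator_sets(rows)
    hits = []
    for ev in events:
        remote = (ev["RemoteIP"], ev["RemotePort"])
        if remote in pairs:
            hits.append((ev["DeviceName"], remote, "ip_port"))
        elif ev["RemoteIP"] in ips:
            hits.append((ev["DeviceName"], remote, "ip_only"))
    return hits


# Constructed sample records in DeviceNetworkEvents shape (not real telemetry)
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "189.34.188.6", "RemotePort": 5406, "InitiatingProcessFileName": "NetSupportManager.exe"},
    {"DeviceName": "ws02", "RemoteIP": "189.34.188.6", "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"DeviceName": "ws03", "RemoteIP": "8.8.8.8", "RemotePort": 53, "InitiatingProcessFileName": "svchost.exe"},
]
```

An `ip_only` hit such as ws02 still deserves triage (the host is talking to a known C2 address), but the `ip_port` hit is the stronger signal and a natural candidate for a higher-severity alert.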
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled (populated through the Microsoft Defender XDR connector) |
Scenario: Legitimate NetSupportManager Remote Support Tool Usage
Description: IT administrators use the legitimate NetSupportManager tool for remote desktop support and system management.
Filter/Exclusion: process.name == "NetSupportManager.exe" AND (process.parent.name == "explorer.exe" OR process.user == "IT_Admin")
Scenario: Scheduled Maintenance Job Using NetSupportManager
Description: A scheduled task runs NetSupportManager to perform routine system checks or updates.
Filter/Exclusion: process.name == "NetSupportManager.exe" AND process.command_line contains "scheduled_task_id=IT_Maintenance_001"
Scenario: Admin Task for Remote System Monitoring
Description: A system administrator uses NetSupportManager to monitor and manage multiple remote endpoints during a security audit.
Filter/Exclusion: process.name == "NetSupportManager.exe" AND process.user == "Domain_Admin" AND process.command_line contains "audit_mode"
Scenario: Software Deployment via Group Policy
Description: The NetSupportManager application is deployed via Group Policy to multiple endpoints for remote management purposes.
Filter/Exclusion: process.name == "NetSupportManager.exe" AND (process.parent.name == "msiexec.exe" OR process.command_line contains "install")
Scenario: False Positive from Third-Party Tool Integration
Description: A third-party tool (e.g., Lansweeper) integrates with NetSupportManager for asset discovery, triggering the rule.
Filter/Exclusion: process.name == "Lansweeper.exe" OR process.parent.name == "Lansweeper.exe" OR process.command_line contains "asset_discovery"