NetWire RAT Execution
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
|---|---|---|---|---|
| NetWire RAT Execution | Standard | Sysmon, Windows | Command and Control: Remote Access Software - Remote Desktop Software (T1219.002) | Trouble |
About the rule
Rule Type
Standard
Rule Description
Identifies execution of the Windows NetWire client on an endpoint by matching the image name or the PE original file name of the started process. NetWire is a multi-platform remote access trojan (RAT) used by cybercriminals and APT groups for credential theft, keylogging and remote control; this rule covers only its Windows build, since it relies on Windows process-creation telemetry.
Why this rule?
NetWire is a commercially sold remote access trojan (RAT) that has been used by cybercriminals, advanced persistent threat (APT) groups and nation-state actors for remote system control, credential theft, keylogging and data exfiltration, including in targeted attacks against financial institutions, government agencies and corporate networks. Because NetWire has no legitimate place on a production endpoint, a process-creation match is a high-confidence sign of an active infection and warrants immediate incident response: the operator can control the host interactively, harvest passwords, capture screenshots and keep a persistent backdoor for long-term espionage or as a foothold for ransomware deployment.
Severity
Trouble
Rule journey
Attack chain scenario
Initial Access → Execution → Command and Control → NetWire RAT Execution → Data Exfiltration/Remote Control.
Impact
Adversaries can remotely control the infected host, log keystrokes, and steal sensitive credentials and files.
Rule Requirement
Prerequisites
Enable process creation auditing: Windows Security Event ID 4688 (Audit Process Creation, with "Include command line in process creation events" enabled so the COMMANDLINE field is populated) or Sysmon Event ID 1. Note that the ORIGINALFILENAME clause depends on Sysmon's OriginalFileName field, which Sysmon reads from the executable's PE version resource; Event ID 4688 does not carry that field, so with 4688 alone only the image-name clause can fire and a renamed NetWire binary will not match.
Criteria
Action1: actionname = "Process started" AND (( PROCESSNAME contains "NetWire" AND PROCESSNAME endswith ".exe" ) OR ( ORIGINALFILENAME = "NetWire Workstation.exe" )) select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.PARENTPROCESSCOMMANDLINE,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID,Action1.DOMAIN
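The criteria above, re-implemented in Python and run over a handful of constructed process-creation records, to show which clause fires on which kind of event and why the two log sources behave differently. This is an added example, not the vendor's rule engine or any part of the original page. It assumes that PROCESSNAME is normalized to the full image path, that the SIEM's `contains` and `endswith` are case-insensitive, and that ORIGINALFILENAME is compared exactly as written in the rule; the hostnames, users and paths in the sample events are made up.

```python
# Added example, not the vendor's rule code: the NetWire criteria
# re-implemented in Python and run over constructed process-creation events.
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    """One normalized process-creation record (the fields the rule selects)."""
    source: str                 # "Sysmon-1" or "Security-4688" (constructed label)
    hostname: str
    username: str
    processname: str            # assumed to hold the full image path
    commandline: str
    parentprocessname: str
    originalfilename: Optional[str] = None   # Sysmon OriginalFileName; absent in 4688


def evaluate(ev: ProcessEvent) -> Optional[str]:
    """Return which clause of the rule fired ("processname" or
    "originalfilename"), or None when the event does not match.

    Assumption: the SIEM's `contains`/`endswith` are case-insensitive, so the
    image path is lower-cased before comparison. ORIGINALFILENAME is compared
    exactly, as in the rule text.
    """
    name = ev.processname.lower()
    if "netwire" in name and name.endswith(".exe"):
        return "processname"
    if ev.originalfilename == "NetWire Workstation.exe":
        return "originalfilename"
    return None


def run_rule(events):
    """Apply the rule and emit one alert per match with the selected fields."""
    alerts = []
    for ev in events:
        clause = evaluate(ev)
        if clause is None:
            continue
        alerts.append({
            "HOSTNAME": ev.hostname,
            "USERNAME": ev.username,
            "PROCESSNAME": ev.processname,
            "COMMANDLINE": ev.commandline,
            "PARENTPROCESSNAME": ev.parentprocessname,
            "ORIGINALFILENAME": ev.originalfilename,
            "SOURCE": ev.source,
            "MATCHED_CLAUSE": clause,   # which half of the rule caught it
        })
    return alerts


# Constructed sample telemetry (hostnames, users and paths are made up).
SAMPLE_EVENTS = [
    # 1. Renamed NetWire client seen by Sysmon: the image name hides it, the
    #    PE version resource does not.
    ProcessEvent("Sysmon-1", "WS-0142", r"CORP\jdoe",
                 r"C:\Users\jdoe\AppData\Roaming\Install\Host.exe",
                 r'"C:\Users\jdoe\AppData\Roaming\Install\Host.exe"',
                 r"C:\Windows\explorer.exe",
                 originalfilename="NetWire Workstation.exe"),
    # 2. The same start recorded only by Security Event ID 4688: no
    #    OriginalFileName, so the rule cannot see it.
    ProcessEvent("Security-4688", "WS-0142", r"CORP\jdoe",
                 r"C:\Users\jdoe\AppData\Roaming\Install\Host.exe",
                 r'"C:\Users\jdoe\AppData\Roaming\Install\Host.exe"',
                 r"C:\Windows\explorer.exe"),
    # 3. Benign archiver run from an analyst's sample folder: fires on the
    #    path clause because the folder name contains "NetWire".
    ProcessEvent("Security-4688", "WS-0199", r"CORP\analyst",
                 r"C:\Samples\NetWire\7za.exe",
                 r"7za.exe x sample.zip",
                 r"C:\Windows\System32\cmd.exe"),
    # 4. Ordinary software with its own OriginalFileName: no match.
    ProcessEvent("Sysmon-1", "WS-0200", r"CORP\mbrown",
                 r"C:\Program Files\Notepad++\notepad++.exe",
                 r'"C:\Program Files\Notepad++\notepad++.exe"',
                 r"C:\Windows\explorer.exe",
                 originalfilename="Notepad++.exe"),
]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(f"{alert['SOURCE']:<14} {alert['HOSTNAME']} {alert['PROCESSNAME']}"
              f"  <- {alert['MATCHED_CLAUSE']}")
```

Two of the four events alert: the renamed client is caught only because Sysmon supplies OriginalFileName, and the same execution logged by 4688 alone is missed, while a harmless tool in a folder named NetWire trips the path clause. Carrying the matched clause into the alert is worth doing in the real rule output as well, since an ORIGINALFILENAME hit is the stronger indicator and the path hit is the one that needs the false-positive check.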
Detection
Execution Mode
realtime
Log Sources
Sysmon, Windows
MITRE ATT&CK
Command and Control: Remote Access Software - Remote Desktop Software (T1219.002)
Future actions
Known False Positives
Authorized testing in laboratory or non-production environments used for malware analysis. Because the first clause matches the string "NetWire" anywhere in the process name (the full image path, if that is how PROCESSNAME is normalized in your deployment), a benign tool run from an analyst's sample directory or a file deliberately named after the malware will also fire.
Next Steps
- Identification: Confirm the full image path, hash and signature status of the flagged executable and how it arrived on the host. Note which clause matched: an ORIGINALFILENAME hit survives renaming and is the stronger indicator, while a path-only hit needs the false-positive check above.
- Analysis: Review network activity from the process (Sysmon Event ID 3, firewall or proxy logs) for outbound connections to unknown or known-malicious C2 addresses, and look for persistence artifacts (autostart registry keys, scheduled tasks) created around the process start time.
- Response: Isolate the host from the network, capture volatile evidence (memory, running processes, active connections) before remediating, perform a full forensic examination, and reset any credentials used on the host, since NetWire includes keylogging and credential theft.
Mitigation
| Mitigation | Description |
|---|---|
| Disable unnecessary remote connection functionality | Consider disabling unnecessary remote connection functionality, including both unapproved software installations and specific features built into supported applications. |
| Application control | Use application control to mitigate installation and use of unapproved software that can be used for remote access. |
| Filter outbound network traffic | Properly configure firewalls, application firewalls, and proxies to limit outgoing traffic to sites and services used by remote access software. |
| Block IP-based KVM devices | Block the use of IP-based KVM devices within the network if they are not required. |
| Network intrusion prevention | Network intrusion detection and prevention systems that use network signatures may be able to prevent traffic to remote access services. |


