From b99efdf7221ca84567c924b2c5267b256b180082 Mon Sep 17 00:00:00 2001
From: Yung Binary <93540406+YungBinary@users.noreply.github.com>
Date: Fri, 17 Oct 2025 20:34:44 -0600
Subject: [PATCH 1/3] Add NetSupport Yara
---
 data/yara/CAPE/NetSupport.yar | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 data/yara/CAPE/NetSupport.yar
diff --git a/data/yara/CAPE/NetSupport.yar b/data/yara/CAPE/NetSupport.yar
new file mode 100644
index 00000000000..b4ccbf6645c
--- /dev/null
+++ b/data/yara/CAPE/NetSupport.yar
@@ -0,0 +1,14 @@
+rule NetSupport
+{
+ meta:
+ author = "YungBinary"
+ description = "Detects NetSupport Manager RAT on disk or in memory"
+ cape_type = "NetSupport Payload"
+ strings:
+ $a1 = "NetSupport Manager" wide
+ $b1 = "NetSupport Remote Control" wide
+ $s1 = "Client Application" wide
+ $s2 = "NetSupport Ltd" wide
+ condition:
+ uint16(0) == 0x5a4d and (($a1 and $b1) or ($s1 and $s2))
+}
\ No newline at end of file
From 85c7d65e22b0f78e097cbab6ddb7d017f5efbe26 Mon Sep 17 00:00:00 2001
From: Yung Binary <93540406+YungBinary@users.noreply.github.com>
Date: Fri, 17 Oct 2025 23:03:34 -0600
Subject: [PATCH 2/3] Resolve comments
---
 data/yara/CAPE/NetSupport.yar | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/data/yara/CAPE/NetSupport.yar b/data/yara/CAPE/NetSupport.yar
index b4ccbf6645c..4f7fa5a4d24 100644
--- a/data/yara/CAPE/NetSupport.yar
+++ b/data/yara/CAPE/NetSupport.yar
@@ -1,3 +1,5 @@
+import "pe"
+
 rule NetSupport
 {
 meta:
@@ -10,5 +12,5 @@ rule NetSupport
 $s1 = "Client Application" wide
 $s2 = "NetSupport Ltd" wide
 condition:
- uint16(0) == 0x5a4d and (($a1 and $b1) or ($s1 and $s2))
-}
\ No newline at end of file
+ uint16(0) == 0x5a4d and (pe.imports("PCICL32.dll", "_NSMClient32@8")) or (($a1 and $b1) or ($s1 and $s2))
+}
From 5b22f81eaec1ee76f0cb285c3fe3a9f9a0fb6ded Mon Sep 17 00:00:00 2001
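Review bot: The four strings in the `strings:` section of this hunk are declared `wide` only, so a sample that carries the same vendor strings as narrow ASCII (a repacked or re-linked client, or a loader that embeds them) would fall through to the other branch of the condition; declaring them `ascii wide` costs nothing here because the condition already requires the pairs to co-occur, e.g. `$a1 = "NetSupport Manager" ascii wide`. `$s1 = "Client Application"` is generic on its own and is only usable because it is ANDed with `$s2`; a comment such as `// $s1 is generic on its own - keep it paired with $s2` on that line would stop a later edit from loosening the condition. The UTF-16 forms presumably come from the vendor client's version resource, so `wide` does cover the stock binary; this is about coverage of modified builds. The `condition:` line in this hunk is rewritten by the two later patches in the series, so it is reviewed there.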
From: Yung Binary <93540406+YungBinary@users.noreply.github.com>
Date: Fri, 17 Oct 2025 23:04:54 -0600
Subject: [PATCH 3/3] Resolve comments
---
 data/yara/CAPE/NetSupport.yar | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/yara/CAPE/NetSupport.yar b/data/yara/CAPE/NetSupport.yar
index 4f7fa5a4d24..80437a1b4be 100644
--- a/data/yara/CAPE/NetSupport.yar
+++ b/data/yara/CAPE/NetSupport.yar
@@ -12,5 +12,5 @@ rule NetSupport
 $s1 = "Client Application" wide
 $s2 = "NetSupport Ltd" wide
 condition:
- uint16(0) == 0x5a4d and (pe.imports("PCICL32.dll", "_NSMClient32@8")) or (($a1 and $b1) or ($s1 and $s2))
+ uint16(0) == 0x5a4d and ((pe.imports("PCICL32.dll", "_NSMClient32@8")) or (($a1 and $b1) or ($s1 and $s2)))
 }
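Review bot: The condition on the added line fires on the legitimate NetSupport Manager client as readily as on a malicious deployment, because the `$s1`/`$s2` pair and the `PCICL32.dll` / `_NSMClient32@8` import are the vendor client's own markers, so the `description` meta ("Detects NetSupport Manager RAT") overstates what a hit means. Suggest `description = "Identifies NetSupport Manager client binaries (legitimate remote-control software widely abused as a RAT); classify a hit using delivery chain, install path or signer"`. `uint16(0) == 0x5a4d` also anchors on an MZ header at offset 0, so the "in memory" part of the description only holds for dumped PE images that keep their headers, not for arbitrary memory regions; that is worth stating in the meta as well. The rule's meta block is outside this hunk.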