Remote Access Tool - NetSupport Execution From Unusual Location

Sigma Rules

Summary
This detection rule identifies potential misuse of the NetSupport Remote Access Tool (RAT) by monitoring execution of its client executable, client32.exe, from unexpected file paths. NetSupport is normally installed under 'C:\Program Files' or 'C:\Program Files (x86)'; execution of client32.exe from any other location may indicate an attempt to evade security controls. The rule selects events by inspecting the executable's file path and its associated product name, and an additional hash check improves accuracy by confirming that the executed file matches known indicators of compromise. The rule is crucial because it helps identify potentially unauthorized remote access, which can lead to data breaches and other security incidents.
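The following is an added illustration, not the Sigma rule itself: a Python approximation of the selection-and-filter logic described above, run over constructed Windows process-creation events. Field names (Image, Product, Hashes) follow the usual Sigma process_creation conventions, the substring matched in Product is assumed, and the hash value is a placeholder rather than a real indicator.

```python
# Approximation of the rule's logic: selection (path, product name, hash)
# AND NOT filter (default install directories). Sigma string matching is
# case-insensitive, so every comparison normalises case first.

DEFAULT_INSTALL_DIRS = (":\\program files\\", ":\\program files (x86)\\")

# Placeholder only: the real rule carries its own known-bad hash value.
KNOWN_IMPHASHES = {"PLACEHOLDER_IMPHASH"}


def is_netsupport_client(event: dict) -> bool:
    """Selection: any one of the indicators identifies the NetSupport client."""
    image = event.get("Image", "").lower()
    product = event.get("Product", "").lower()     # assumed: product name contains 'netsupport'
    hashes = event.get("Hashes", "").upper()       # e.g. 'SHA256=...,IMPHASH=...'
    return (
        image.endswith("\\client32.exe")
        or "netsupport" in product
        or any(f"IMPHASH={h}" in hashes for h in KNOWN_IMPHASHES)
    )


def in_default_install_dir(image: str) -> bool:
    """Filter: execution from Program Files is the expected, benign case."""
    return any(d in image.lower() for d in DEFAULT_INSTALL_DIRS)


def matches(event: dict) -> bool:
    """condition: selection and not filter"""
    return is_netsupport_client(event) and not in_default_install_dir(event.get("Image", ""))


def alerts(events) -> list:
    """Return the Image path of every event the rule would flag."""
    return [e["Image"] for e in events if matches(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe",
     "Product": "NetSupport Remote Control"},                   # benign: default location
    {"Image": r"C:\Users\Public\Music\client32.exe",
     "Product": "NetSupport Remote Control"},                   # flagged: unusual path
    {"Image": r"C:\Temp\updater.exe",
     "Product": "NetSupport Remote Control"},                   # flagged: renamed binary, product name hits
    {"Image": r"C:\Windows\System32\svchost.exe",
     "Product": "Microsoft Windows"},                           # unrelated process
]

if __name__ == "__main__":
    for img in alerts(SAMPLE_EVENTS):
        print("ALERT:", img)
```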
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-09-19