NetSupport Manager Execution from an Unusual Path

Elastic Detection Rules

Summary
This detection rule identifies the execution of the NetSupport remote access software from atypical file paths, which may indicate malicious activity. NetSupport Manager is a tool designed for legitimate remote support, but its functionality can be abused by adversaries to take control of victim machines. The rule monitors for processes where 'client32.exe' is launched from non-default directories, which could signify abuse of this remote access tool. The rule was authored by Elastic and leverages various data sources, including Elastic Endgame, CrowdStrike, and Windows Security Event Logs, to trigger alerts on potentially harmful executions. If such an execution is detected, further investigation is required, since the presence of NetSupport Manager outside of known legitimate paths could represent unauthorized access or command-and-control activity by an attacker. Triage and remediation steps are outlined to isolate affected systems, terminate unauthorized processes, and gather context from related security alerts.
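As an added example (not Elastic's rule logic or code from this page), the core check described above, run over constructed process events in Python. The known-good install directories and the event field names are assumptions; tune the allow-list to where your own deployment installs NetSupport.

```python
import ntpath  # Windows-style path handling, works on any host OS

# Assumed, not taken from the rule page: directories where a standard
# NetSupport Manager install places client32.exe. Adjust for your estate.
KNOWN_GOOD_DIRS = (
    r"c:\program files\netsupport\netsupport manager",
    r"c:\program files (x86)\netsupport\netsupport manager",
)

def is_unusual_netsupport_exec(event):
    """Return True when client32.exe starts outside a known install directory."""
    # Assumed field names: process_name and executable (full path).
    name = (event.get("process_name") or "").lower()
    if name != "client32.exe":
        return False
    path = (event.get("executable") or "").replace("/", "\\").lower()
    directory = ntpath.dirname(path)
    # Allow the exact install dir and any subdirectory beneath it.
    return not any(directory == d or directory.startswith(d + "\\")
                   for d in KNOWN_GOOD_DIRS)

def triage(events):
    """Return the executable paths of events that match the detection."""
    return [e["executable"] for e in events if is_unusual_netsupport_exec(e)]

# Constructed sample process-start events (not real telemetry).
SAMPLE_EVENTS = [
    {"process_name": "client32.exe",
     "executable": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"},
    {"process_name": "client32.exe",
     "executable": r"C:\Users\bob\AppData\Roaming\ClientUpdate\client32.exe"},
    {"process_name": "svchost.exe",
     "executable": r"C:\Windows\System32\svchost.exe"},
    {"process_name": "client32.exe",
     "executable": r"C:\ProgramData\NetSupport\client32.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT: NetSupport client started from unusual path:", hit)
```

Renamed binaries will not match on process name alone; in production, pair this with a check on the PE original file name or a file hash.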
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Logon Session
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1219
Created: 2025-08-20