Rule Info
Name
Renamed SimpleHelp Client Binary Execution - Remote Access Software
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the execution of a renamed SimpleHelp client binary. These binaries are executed by threat actors to connect to certain SimpleHelp servers for remote access and control.
Even though SimpleHelp is legitimate RMM software, the use of renamed binaries is a common tactic employed by attackers to evade detection and persist on compromised systems.
Reference
Date
2026-03-23 00:00:00
Modified
None
Id
8b3e4a1c-5f2d-4e9b-a7c6-3d1e0f8b2a5c
Tags
attack.defense-evasion attack.t1036.003 attack.command-and-control attack.t1219
Type
Nextron Sigma feed only (private)
