PUA - Advanced IP/Port Scanner Update Check

 1title: PUA - Advanced IP/Port Scanner Update Check
 2id: 1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d
 3status: test
 4description: Detect the update check performed by Advanced IP/Port Scanner utilities.
 5references:
 6    - https://www.advanced-ip-scanner.com/
 7    - https://www.advanced-port-scanner.com/
 8author: Axel Olsson
 9date: 2022-08-14
10modified: 2024-02-15
11tags:
12    - attack.discovery
13    - attack.t1590
14logsource:
15    category: proxy
16detection:
17    selection:
18      # Example request: http://www.advanced-port-scanner.com/checkupdate.php?lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps
19      # Example request2: http://www.advanced-ip-scanner.com/checkupdate.php?lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips
20        c-uri|contains: '/checkupdate.php'
21        c-uri-query|contains|all:
22            - 'lng='
23            - 'ver='
24            - 'beta='
25            - 'type='
26            - 'rmode='
27            - 'product='
28    condition: selection
29falsepositives:
30    - Expected if you legitimately use the Advanced IP or Port Scanner utilities in your environement.
31level: medium

References

• Advanced IP Scanner - Download Free Network Scanner

  Advanced IP Scanner shows all network devices, gives you access to shared folders, and can even remotely switch computers off. Download it Free.

  
  Read More

• Advanced Port Scanner – free and fast port scanner

  Advanced Port Scanner is a free port scanner allowing you to quickly find open ports on network computers and retrieve versions of programs running on the detected ports

  
  Read More

Related rules

• AADInternals PowerShell Cmdlets Execution - ProccessCreation
• AADInternals PowerShell Cmdlets Execution - PsScript
• AD Groups Or Users Enumeration Using PowerShell - PoshModule
• AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
• AD Privileged Users or Groups Reconnaissance