PUA - Advanced IP/Port Scanner Update Check
Detect the update check performed by Advanced IP/Port Scanner utilities.
Sigma rule (View on GitHub)
1title: PUA - Advanced IP/Port Scanner Update Check
2id: 1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d
3status: test
4description: Detect the update check performed by Advanced IP/Port Scanner utilities.
5references:
6 - https://www.advanced-ip-scanner.com/
7 - https://www.advanced-port-scanner.com/
8author: Axel Olsson
9date: 2022/08/14
10modified: 2024/02/15
11tags:
12 - attack.discovery
13 - attack.t1590
14logsource:
15 category: proxy
16detection:
17 selection:
18 # Example request: http://www.advanced-port-scanner.com/checkupdate.php?lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps
19 # Example request2: http://www.advanced-ip-scanner.com/checkupdate.php?lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips
20 c-uri|contains: '/checkupdate.php'
21 c-uri-query|contains|all:
22 - 'lng='
23 - 'ver='
24 - 'beta='
25 - 'type='
26 - 'rmode='
27 - 'product='
28 condition: selection
29falsepositives:
30 - Expected if you legitimately use the Advanced IP or Port Scanner utilities in your environement.
31level: medium
References
-
Advanced IP Scanner shows all network devices, gives you access to shared folders, and can even remotely switch computers off. Download it Free.
Read More -
Advanced Port Scanner is a free port scanner allowing you to quickly find open ports on network computers and retrieve versions of programs running on the detected ports
Read More
Related rules
- Github Self Hosted Runner Changes Detected
- GatherNetworkInfo.VBS Reconnaissance Script Output
- Network Reconnaissance Activity
- Bitbucket User Details Export Attempt Detected
- Suspicious Group And Account Reconnaissance Activity Using Net.EXE