Advanced IP Scanner - File Event

 1title: Advanced IP Scanner - File Event
 2id: fed85bf9-e075-4280-9159-fbe8a023d6fa
 3related:
 4    - id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
 5      type: derived
 6status: test
 7description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
 8references:
 9    - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
10    - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
11    - https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
12    - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
13    - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
14author: '@ROxPinTeddy'
15date: 2020-05-12
16modified: 2022-11-29
17tags:
18    - attack.discovery
19    - attack.t1046
20logsource:
21    category: file_event
22    product: windows
23detection:
24    selection:
25        TargetFilename|contains: '\AppData\Local\Temp\Advanced IP Scanner 2'
26    condition: selection
27falsepositives:
28    - Legitimate administrative use
29level: medium

References

• Snatch ransomware reboots PCs into Safe Mode to bypass protection

  

  A novel hybrid data theft-ransomware threat disables security protections by rebooting Windows machines mid-attack

  
  Read More

• Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents | Google Cloud Blog

  

  064058cf092063a5b69ed8fd2a1a04fe 0f841c6332c89eaa7cac14c9d5b1d35b 108a298b4ed5b4e77541061f32e55751 11308e450b1f17954f531122a56fae3b 15d7dd126391b0e7963c562a6cf3992c 21a563f958b73d453ad91e251b1185...

  
  Read More

• Threats & Research Archives - F-Secure Blog

  Amit Tambe 13.03.24 7 min. read

  
  Read More

• %PDF-1.5 %âãÏÓ 157 0 obj endobj 173 0 obj /Filter/FlateDecode/ID[ ]/Index[157 32]/Info 156 0 R/Length 89/Prev 656617/Root 158 0 R/Size 189/Type/XRef/W[1 3 1]>>stream hÞbbd```b``º"kÀä4Éê o‘ÌkÀ...

  
  Read More

• All That for a Coinminer?

  

  A threat actor recently brute forced a local administrator password using RDP and then dumped credentials using Mimikatz. They not only dumped LogonPasswords but they also exported all Kerberos tic…

  
  Read More

Related rules

• Linux Network Service Scanning - Auditd
• MacOS Network Service Scanning
• PUA - Advanced IP Scanner Execution
• PUA - Advanced Port Scanner Execution
• PUA - Nmap/Zenmap Execution