Advanced IP Scanner - File Event

 1title: Advanced IP Scanner - File Event
 2id: fed85bf9-e075-4280-9159-fbe8a023d6fa
 3related:
 4    - id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
 5      type: derived
 6status: test
 7description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
 8references:
 9    - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
10    - https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
11    - https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
12    - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
13    - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
14author: '@ROxPinTeddy'
15date: 2020/05/12
16modified: 2022/11/29
17tags:
18    - attack.discovery
19    - attack.t1046
20logsource:
21    category: file_event
22    product: windows
23detection:
24    selection:
25        TargetFilename|contains: '\AppData\Local\Temp\Advanced IP Scanner 2'
26    condition: selection
27falsepositives:
28    - Legitimate administrative use
29level: medium

References

• Snatch ransomware reboots PCs into Safe Mode to bypass protection

  

  A novel hybrid data theft-ransomware threat disables security protections by rebooting Windows machines mid-attack

  
  Read More

• Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents | Mandiant

  

  Targeted ransomware incidents have brought a threat of disruptive and destructive attacks to organizations across industries and geographies. FireEye Mandiant Threat Intelligence has previously doc...

  
  Read More

• https://labs.f-secure.com/blog/prelude-to-ransomware-systembc

  
  Read More

• %PDF-1.5 %âãÏÓ 157 0 obj endobj 173 0 obj /Filter/FlateDecode/ID[ ]/Index[157 32]/Info 156 0 R/Length 89/Prev 656617/Root 158 0 R/Size 189/Type/XRef/W[1 3 1]>>stream hÞbbd```b``º"kÀä4Éê o‘ÌkÀ...

  
  Read More

• https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer

  
  Read More

Related rules

• MacOS Network Service Scanning
• Local Groups Discovery - Linux
• Local Groups Discovery - MacOs
• Local System Accounts Discovery - Linux
• Local System Accounts Discovery - MacOs