PUA - Advanced Port Scanner Execution

Jan 1, 2024 · attack.discovery attack.t1046 attack.t1135 ·

Detects the use of Advanced Port Scanner.

Sigma rule (View on GitHub)

 1title: PUA - Advanced Port Scanner Execution
 2id: 54773c5f-f1cc-4703-9126-2f797d96a69d
 3status: test
 4description: Detects the use of Advanced Port Scanner.
 5references:
 6    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2021/12/18
 9modified: 2023/02/07
10tags:
11    - attack.discovery
12    - attack.t1046
13    - attack.t1135
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_img:
19        - Image|contains: '\advanced_port_scanner'
20        - OriginalFileName|contains: 'advanced_port_scanner' # Covers also advanced_port_scanner_console.exe
21        - Description|contains: 'Advanced Port Scanner'
22    selection_cli:
23        CommandLine|contains|all:
24            - '/portable'
25            - '/lng'
26    condition: 1 of selection_*
27falsepositives:
28    - Legitimate administrative use
29    - Tools with similar commandline (very rare)
30level: medium

References

MAL-CL/Descriptors/Other/Advanced Port Scanner at master · 3CORESec/MAL-CL

MAL-CL (Malicious Command-Line). Contribute to 3CORESec/MAL-CL development by creating an account on GitHub.

Read More

PUA - Advanced Port Scanner Execution

Sigma rule (View on GitHub)

References

MAL-CL/Descriptors/Other/Advanced Port Scanner at master · 3CORESec/MAL-CL

Related rules